I, Cringely - The Survival of the Nerdiest with Robert X. Cringely

The Pulpit
Pulpit Comments
November 16, 2007 -- There is No Free Lunch
Status: [CLOSED]

ITAR is just the beginning. What about rockets exploding, going off course or not even making it into space? What about radiation, landing, communications, batteries, etc.

They're discussing this over at PromoteYourOpinion.com Check it out.

http://www.promoteyouropinion.com/wfTopic.aspx?TopicID=11

Matt | Nov 16, 2007 | 4:31PM

And to remember those new passwords, make a sheet with some little ink blots, and use what the ink blot looks like to you to make the password for a given site. (actually, you should probably use two for each site so it's a two word password...) You'll remember what it is from the blot, other people can look at it all day and probably not guess. So if your password crib sheet falls into the wrong hands, they still can't use it.

Marc Mengel | Nov 16, 2007 | 4:55PM

Half my credit card accounts

you have more than one, what are you a Vanderbuilt???

bobRuub | Nov 16, 2007 | 4:56PM

As a secondary approach to changing your passwords on a semi-regular basis, have a couple of passwords. I use three passwords at any given time: one for non-secure uses (like message boards, a cruise to Bora Bora, etc.), one for semi-secure uses (like my email accounts), and a secure one used only for financial information.

I assume most of your readership already knows this, but a "really good password" is easy to construct and remember. You just need to create your own acronym and substitute some non-letter characters. For instance: I Love Bob Cringely's Weekly Column! becomes I

Tim | Nov 16, 2007 | 4:57PM

My last comment seemed to lose something due to special characters. Oops.

To reiterate:

I assume most of your readership already knows this, but a "really good password" is easy to construct and remember. You just need to create your own acronym and substitute some non-letter characters. For instance: I Love Bob Cringely's Weekly Column! becomes ILBCWC! where the L for love should be a right angle bracket and a 3. Comments doesn't like the angle bracket.

Tim | Nov 16, 2007 | 5:03PM

All they really need is the password for your email address. So when you sign up for the sweepstakes, be sure to use the same password that you use for your email account.



Now the bad guy can go to Amazon or eBay, type in your email address, click the box that says "I forgot my password", and then go retrieve the password that is sent to your inbox. (Then he can delete the email and you'll never know).



The bad guy can go through all of the email you have received from your bank, credit card companies, etc. and then go to those Web sites and request your password be sent to your email address.

Joe B | Nov 16, 2007 | 5:07PM

I hope you called your source on a line the DHS wasn't wire tapping.

Jeffrey Altman | Nov 16, 2007 | 5:09PM

Sheesh, just use Roboform (or similar program) to generate, remember, and encrypt a different 20-character random password for every site. Then make up and remember a really long (multi-word nonsense, with punctuation and numbers) but really memorable (to you only) master password for Roboform. Change your web site passwords periodically, but no need to remember them; Roboform's got you covered (plus it'll fill them in for you automagically). And Bob's your uncle.

JDM | Nov 16, 2007 | 5:10PM

@ Joe B.

Good point.

I always suggest a strong password of 16 characters or longer be used, if allowed. As stated above, it's easy to take an easy-to-remember sentence, remove spaces and substitute values without any issues.

@ bobRuub
It's Vanderbilt.

solipsism | Nov 16, 2007 | 5:13PM

The ITARs aren't supposed to do anything for national security Bob. Their real utility is to provide budget authority at the Departments of State and Commerce, and in keeping hundreds of bureaucrats gainfully employed. My company loses business from NATO countries (aren't they our allies?) because of the intrusive and time consuming nature of the U.S. government's export licensing regime.

If we all complain loudly enough, they will "improve" the system and expand it to include all interstate commerce. Can't be too careful when it comes to national security...

Jackson T | Nov 16, 2007 | 5:17PM

I've been on the Internet since 1994. I have 5 letter-sized pages of passwords and userids, all different, for personal use and 4 pages for work. Should I carry it in my wallet or staple them to my forehead?

Steve Stone | Nov 16, 2007 | 5:17PM

My frustration lies with the sites, and there are still plenty of them, that force unnecessary restrictions on passwords. There are still quite a few in this day and age that DON'T allow passwords to be longer than eight characters, or don't allow special characters or some other such nonsense.

Michael Long | Nov 16, 2007 | 5:21PM

My bank recently "upgraded" their login security. They maxed the password to EIGHT characters! I use at least 12+ mixed-characters for all my passwords but the BANK! But hey, they added a captcha-like feature that uses four-letter, common, English words in large, regular type with a grey background. No squiggles no random letters and numbers. It does have a few lines through the words. When I expressed doubts about the improvement, the bank assured me it was lots more secure than the old system.

Oh, and with each upgrade on-line banking gets more obtuse and difficult with "added features". I accused them of having bitter, disgruntled employees design the upgrades, or Microsoft. They didn't laugh. Neither did I.

Max in Houston

Maximzodal | Nov 16, 2007 | 5:37PM

Thank you for that insight. I do use an eight-character password of random letters and numbers. I do use it everywhere because I thought it would be very hard to guess. It never crossed my mind that if it ever WERE discovered, then it would be discovered for every place. I have slapped my forehead, and now will move on to changing my password.

Steven White | Nov 16, 2007 | 5:51PM

Has anybody done a human factors analysis on how many different passwords, updated at what interval, the average human can be expected to remember?

Someone needs to come up with a better paradigm for identity verification.

Eric Clason | Nov 16, 2007 | 5:55PM

roger that switching to password A now (was on password B)
:-)

lamlim8 | Nov 16, 2007 | 5:58PM

  • You shouldn't use the same password for every site.
  • Eight character passwords that use common words can be broken fairly quickly using dictionary attacks.
  • If you start with a phrase and then mangle it, it's not only easier for you to remember, it's harder for a computer to crack.

There are several password tracker applications, which remember all your individual passwords for you so you don't have to. If you use a Mac with Safari you get this automatically when you store your passwords -- they are stored in an encrypted database. For Windows you can use Password Safe. The Password Safe page also has links to similar projects for other platforms.

Faisal N. Jawdat | Nov 16, 2007 | 6:03PM

And you stupidly thought you lived in a democracy. The US is quickly developing its own KGB from the old USSR days. You ain't gonna launch no stinkin' rocket.

David | Nov 16, 2007 | 6:16PM

Just use a password vault, like JDM says. I personally have hundreds of random passwords stored on my KeePass.

With current computing power, it would take billions of years to brute force my master password.

Also, I use a different e-mail alias for each account, so if I get annoyed by anyone, I just delete the alias... And nobody in the world knows my real e-mail address. You must make this process very straightforward or it'll become very cumbersome for yourself to do.

Another approach is to come up with a personal algorithm which helps you create a unique password based on the web address you're registering to. This way you only need to remember the algorithm. I wouldn't do this, but it seems to work for some people.

Ivan Vega | Nov 16, 2007 | 6:17PM

What I find extremely frustrating are web sites that DON'T ALLOW ANYTHING BUT LETTERS AND NUMBERS in passwords. These are usually the same kinds of sites that also restrict passwords to a maximum of 8 characters.

Dumb-ass, lazy #$*&%$ers!!! Because, duh, it's so much easier to write code that only needs to handle letters and numbers, instead of properly escaping special characters, and hey, only 8 characters makes the database column nice and small, right?

Similarly amazing is how the standard PIN length for ATMs/cash machines is only FOUR DIGITS! (http://news.bbc.co.uk/2/hi/business/6230194.stm) If you can't remember more than four digits you shouldn't be using the machine in the first place.

Lun Esex | Nov 16, 2007 | 6:25PM

Lun Esex: "Similarly amazing is how the standard PIN length for ATMs/cash machines is only FOUR DIGITS!"

This doesn't matter because the machine confiscates the card after three false attempts--hence, the attacker has (less than) a 1-in-3000 chance of being able to steal money from an account. If it takes a minute to try each card, it'd take on average 25 hours--and 1500 cards--to withdraw so much as a dollar from an ATM without knowing the PIN. And with the withdrawal limits...

Brent Royal-Gordon | Nov 16, 2007 | 6:39PM

Bob, I use Good & Different passwords for important or financial websites. But who wants to spoof you just to post in some stupid guitar forum? Or to log into the NY Times? Jeez.

William | Nov 16, 2007 | 7:28PM

You should have traded your illegal aliens source for an ITAR permit.

Seems like a fair trade.

Sam | Nov 16, 2007 | 8:04PM

Baker, Jarvis and Howland Islands lie w/in 1 degree of the equator and are uninhabited US territories.


http://en.wikipedia.org/wiki/Baker_Island

http://en.wikipedia.org/wiki/United_States_Minor_Outlying_Islands

Art | Nov 16, 2007 | 8:25PM

It wasn't that long ago that exporting Pentium PCs was a federal felony. However, we do want to keep useful missile information out of the hands of the Syrians, Iranians, and the like. God forbid the plans show up on eBay for $1.99 Buy It Now!

Don Reese | Nov 16, 2007 | 9:08PM

The criminals that get caught don't worry me. What worries me is a criminal smart enough to set up a sweepstakes to get login and password information, may be smart enough to give out the prize.
The criminal passes the information to others who are also smart. If they get 50K names, and say 10K of those can be used to get bank or credit card access. A smart criminal would set up a monthly transfer. A really smart criminal would call the company that gets the money something that sounds real and bankish, like "Transferal Fee" or "Transfer Adjustment".
When I see something like that on the bill, with a $2-3 fee, I think nothing about it.
A couple of bucks, times 10,000 names, is 20,000 a month. Give away a $3000 trip, just to sign up more users.
Smart criminals scare me. Thank heaven most are dumb and greedy.

Doug | Nov 16, 2007 | 11:19PM

ITAR? Check out the 'dual use' technology list. Seriously.

Based on that, half of Silicon Valley is in breach of ITAR regulations. Particularly anyone selling EDA tools or services.

Bob the Kelpie | Nov 16, 2007 | 11:45PM

Everyone should use a password manager on their computer, e.g. RoboForm for the PC or 1Password for the Mac. (KeePass is a free/open-source alternative, though I haven't tried it.)

Not only do they generate, store and automatically fill online forms with long, random passwords, they can sync the passwords to USB drives and mobile phones including Windows Mobile phones, Palm and even the iPhone. There's no need to worry about needing a password when you're not at your own computer and they can store other personal information you might not want to leave unencrypted on your computer and/or phone. These are great, easy-to-use programs so there is no excuse for having weak passwords. I'm surprised that more companies don't put one of these programs on their employees' computers and provide training. It's just a smart thing to provide.

Andre | Nov 17, 2007 | 12:17AM

But the obvious problem with password managers and using long random passwords: Consider your options when your email account uses a long, random password and your hard drive dies or for any other reason, you cannot access the program.

Poof. As I found out the hard way years ago, nearly any account with a "secure password" then becomes meaningless. That's how I lost some good domain names, an email address or two, and more ...

Louis St-Amour | Nov 17, 2007 | 1:57AM

To Louis St-Amour: I sympathize with your problem -- many of us had lost at least some data to hardware failures. However, the solution is not to use weak passwords, but to safeguard the strong passwords that you already have.

In general, if you do use password-storing software (and I use a very old, but still nice program called Whisper32), all you need to prevent the loss is to back up the password file, together with your regular backups - you do regular backups, don't you? :)

And if the data file (or the backup) is encrypted, write down the password somewhere in an inconspicuous place, and you won't have to worry about losing it. For domain names and other significant on-line transactions, I suggest to print out the purchase document and file it away.

Max Timchenko | Nov 17, 2007 | 2:22AM

As long as you feel you can trust the software (which is a requirement with any password manager) you should absolutely look into Password Maker http://passwordmaker.org/Introduction.
It does not store your long passwords. It recreates the password each time you need it. Check out the web page for the details, but I have secure passwords from whatever machine I use, I only remember a single strong password and do not have to worry about the password file being compromised or lost.
I am happy with that.

jalspach | Nov 17, 2007 | 3:33AM
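
The approach jalspach describes (recreating each password on demand from one master password) and the "personal algorithm" Ivan Vega mentions, sketched as an added example that is not part of the thread and is not Password Maker's actual algorithm. The PBKDF2 construction, the character set, the sample master password and the names `normalize_site` and `derive_site_password` are assumptions made for illustration.

```python
import hashlib
import hmac
import string
from urllib.parse import urlsplit

# Output character set (an assumption). Sites that restrict characters or
# length, as several comments complain, would need a narrower set.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"


def normalize_site(site: str) -> str:
    """Reduce a URL or bare host name to one canonical host string, so that
    'https://www.Amazon.com/login' and 'amazon.com' yield the same password."""
    candidate = site.strip()
    if "//" not in candidate:
        candidate = "//" + candidate       # make urlsplit treat it as a host
    host = urlsplit(candidate).hostname    # lower-cased, port removed
    if not host:
        raise ValueError(f"cannot find a host name in {site!r}")
    return host[4:] if host.startswith("www.") else host


def derive_site_password(master: str, site: str, counter: int = 1,
                         length: int = 20, iterations: int = 200_000) -> str:
    """Recreate the password for `site` from the master password.

    Nothing is stored: the same inputs always give the same output.
    `counter` is bumped when one site's password has to be changed.
    """
    if not master:
        raise ValueError("master password must not be empty")

    # The site and counter act as the salt, so every site gets an unrelated
    # key; the slow PBKDF2 step makes guessing the master password from one
    # leaked site password expensive.
    salt = f"{normalize_site(site)}\x00{counter}".encode("utf-8")
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, iterations)

    # Expand the key into a byte stream and map bytes to characters.
    # Bytes at or above `limit` are discarded so that every character of
    # ALPHABET is equally likely (no modulo bias).
    limit = 256 - (256 % len(ALPHABET))
    chars = []
    block = 0
    while len(chars) < length:
        stream = hmac.new(key, block.to_bytes(4, "big"), hashlib.sha256).digest()
        for byte in stream:
            if byte < limit and len(chars) < length:
                chars.append(ALPHABET[byte % len(ALPHABET)])
        block += 1
    return "".join(chars)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    sample_master = "nine purple kettles sing at dawn"
    for sample_site in ("amazon.com", "https://www.ebay.com/signin"):
        print(sample_site, derive_site_password(sample_master, sample_site))
```

The trade-off against a stored vault: nothing can be lost with a dead hard drive, but anyone who learns the master password can recreate every site password, and the counter used for each changed password still has to be remembered or written down.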

Does Google X Prize limit the participants to US-based only? If not, your solution could be to base your project in another country. Perhaps Croatia. :)

Berislav Lopac | Nov 17, 2007 | 5:59AM

Anyone who uses the same password with more than one business is a HELL of a lot more trusting than me. I use one at home, a different one at work, and a different one for every online website that requires a password. I use a random password generation utility to create them. How do I remember them? I don't. I keep them in a file in my home computer, and check it when I need to use one. Also, here is an interesting discussion on regular passwords: http://www.cerias.purdue.edu/weblogs/spaf/general/post-30/

Robert Yoder | Nov 17, 2007 | 8:52AM

I use Password Composer which is an add-on for Firefox. I don't even know what password I use on most sites (there are a few exceptions where the site sometimes requires IE, like Fictionwise for downloading secure MS Reader ebooks).

Marcel Popescu | Nov 17, 2007 | 10:04AM

Good to hear that DHS reads the column! Maybe now they will do something (maybe!).

"So CHANGE YOUR DAMNED PASSWORDS and put an end to this kind of scam."

I don't think any readers of this column are dumb enough to fall for such scams. Preventing Uncle Hillbilly from using the internet might be a way of ending such scams, however.


Al Wilson | Nov 17, 2007 | 10:52AM

Don't use online banking or CC services.

Doublecheck and challenge any suspicious CC charges.

degustibus | Nov 17, 2007 | 12:00PM

ITAR: Welcome to our nightmare!


I work with German collaborators on a US science mission: GLAST. Even though they *built* our detectors, NASA won't let them see some of the resulting telemetry! No wonder the US is losing the science 'war' to the rest of the entire world...

(We'll be secure, though!)



-- GammaRay Rob

Rob Preece | Nov 17, 2007 | 12:13PM

Bob, instead of encouraging people to change their passwords, why not encourage them to do something that works: Roboform (or any of the other password storage programs). It also generates secure passwords, and since you don't have to remember them, they can be very secure! Roboform currently stores a logon name and password to 360 sites for me--and every site's password is 20 or more characters including punctuation, numbers, caps, lowercase. NO ONE will do that without a PW program but it's trivial to do with one.

So plug PW storage programs. Give people a chance!

AL

Al Lowe | Nov 17, 2007 | 1:48PM

So, I don't like ITAR either, but every time defense technology is shared with anybody, there are immediately critics of the sharing. We have sold weapons to China (Firefinder radars), stuff to both Iran and Iraq during their war, and weapons to the Israelis and every gulf state country. The US is criticized for each and every one of these technology transfers, and the UN is trying to ban whole categories of weapons sales.

The dreamy, do-gooder types in State are your problem here. I worked with them first hand, and they have generalized disgruntlement with anything remotely "military". Sorry you had to find out the hard way how our State Dept really thinks.

Greg | Nov 17, 2007 | 2:08PM

Question put to many in cyberspace....can a criminal find out your Account #s or your Social Security #?

tgrove | Nov 18, 2007 | 12:40PM

Question put to many in cyberspace....can a criminal find out your Account #s or your Social Security #?

Terra | Nov 18, 2007 | 12:41PM

If there were more smart criminals... most (not all) have the mentality of a 12 year old. The really good criminals go into politics, run ENRON, or ...

I use a simple password set for stuff I don't care about, and completely different rule-driven sets for banking, bill paying and systems work.

OTOH, my clients REFUSE to use more than a single userid/password pair for the ENTIRE office... because most of the folk can't even remember a password without outside help. (not kidding, I get at least a request a week to reset a stock password because they cannot remember the case...). And they won't use personal userid password pairs because they would have to logon and logoff from each station...


aedmunde | Nov 18, 2007 | 6:29PM

One of the best solutions I have found to the whole password thing is to remember several shorter strings that can be combined to form strong passwords. For example if you remember four 3-4 character groupings, by putting 3 of the groupings together in any order you can have a total of 24 passwords. Another benefit of this method is that when you want to change a password you can just change or add a new grouping. I started out using this method with a few regular passwords, and I currently remember 5 groupings from 3 characters to 10 characters (most are around 6) giving me a total number of 120 combinations. Sometimes the hardest part of the whole thing is remembering the combination that I used to access a certain website.

BR | Nov 19, 2007 | 8:22AM

In the Netherlands most of the banks have a code generator with a pin where you need to insert your bank card. I can bank from anywhere. Are these devices not used in the US?

Michel | Nov 19, 2007 | 9:07AM

I do change passwords somewhat regularly, but I also had an old one that was lingering around. This motivated me to actually change that password (my somewhat but not really secure password). I do have a much stronger password, but I decided that it would be useful to up the security in some areas....

Thanks for the great article on passwords. Here is an excellent article on password schemas: http://www.sans.org/reading_room/whitepapers/authentication/1636.php?portal=bed69f1048bb56aae8df77782ae08211

Matt | Nov 19, 2007 | 9:17AM

Junk sites get one junk password -- all those crazy registrations just to view something, etc. All important sites get unique passwords.

And how secure is Quicken and those other financial apps if you record your account numbers in them should your PC get breached? So I simply don't. And I keep paper bank info in a locked file cabinet and shred old paper.

Anne | Nov 19, 2007 | 10:02AM

This password nonsense is the weak link in a great many security schemes, corporate and private. IT departments specify some labor-intensive behavior they know users will not follow, and consider their job done. The only realistic solution I can see on the horizon is biometric.

Ryan | Nov 19, 2007 | 10:58AM

I use a free utility called Password Safe to manage my passwords, so that I have long since stopped typing them, much less knowing them. The only password I know is the one to get into my password database. Every site gets a new password auto-generated by the software, so the phishing scam you describe here doesn't apply.

More: http://passwordsafe.sourceforge.net/

Lucas | Nov 19, 2007 | 2:44PM

Here is an idea, not mine of course, I think Jules Verne thought of it first. Instead of a rocket, use a catapult.

Scott | Nov 19, 2007 | 3:47PM

As they say on the Moon, Tanstaafl!

Keith | Nov 19, 2007 | 6:26PM

CHANGE YOUR DAMNED AUTHENTICATION TECHNOLOGY!

Seriously, people are *bad* at remembering good passwords. And security in general. And so are implementers - my favorite is the password setter field that takes any length password paired with an authenticator that only understands a specific, secret length. They're just slightly better than password sign-ups that give no indication of what characters are acceptable, but reject passwords for 'illegal characters', preferably telling you about them one at a time.

So, what should we do? Give users bad technology options and then yell at them when they fail? What is this, The Lucy Van Pelt School of Technology?

SmartCards were introduced about 25 years ago to solve these kinds of problems. Apparently, it still has too much Euro-kink in it. You notice how Visa, et al., have run to protect themselves from fraud with smartcards? Oh, wait, they foist the cost of fraud on the merchants.

There's a killer business plan here for somebody who would be content with half of Visa's revenue.

Bill McGonigle | Nov 19, 2007 | 7:10PM

I use a tiered level of security of passwords.

  1. Important - I use a few passwords with many permutations (It usually takes me a few tries if I haven't used the service for a month.)
  2. Normal - The email address and password are based on the site, the numbers and characters vary by my hash algorithm
  3. General sites (e.g., oracle download) - my password is akin to "I!love%Cringely";

Alex Birch | Nov 19, 2007 | 8:19PM

PASSWORDS


Here is a good way to come up with a more secure password. Start with two numbers. It could be a year, month, or day of a birthday, anniversary, etc. Add to those numbers two letters. It could be your initials or the first two letters of your dog's name. To that add another two numbers. Again pick something interesting. At this point you have a number - number - letter - letter - number - number. To that add the first two letters of the name of the company whose website needs a password. You could add these letters to either the front or rear.

Let's use Robert Cringely as an example. His initials are RC. Let's pretend his birthday is 15-April, or 04 and 15. Put it together and you get 04RC15. This combination of characters will be the same in all your passwords. For BestBuy the password would be BE04RC15. For Amazon it would be AM04RC15. And so on. To make it more secure you can add letters and numbers. If you remember Bob's 10-April-2003 column, his dog's name is Gilmore. You could add GI to the string and turn that Amazon password into AM04RC15GI. In my examples I used upper case characters. In real life I use lower case characters, except with financial sites where I use a different pattern and mixed case characters.


This is a harder password to crack, yet it is easy for you to remember.

John | Nov 19, 2007 | 8:33PM

Above are great systems, better than mine which I've developed over time. But would any hacker bother trying to hack? At the end of the day you're just trying to lower the odds your passw gets cracked while still remaining user-friendly.
Trying to change the login/passw for every site I use is simply too daunting a task.
Every site and its dog these days asks for a login and password. WHY?

Bruno | Nov 19, 2007 | 9:51PM

Why?

I thought Cringely just explained that?

A third of those sites are probably harvesting userid/pwd combos for sale.

Jerry | Nov 19, 2007 | 10:50PM

A quick search shows that a lot of banks are sending out chip and pin machines to home internet banking customers. For this exact reason.

I think it's inevitable that eventually a "personal credit card reader" (like this except mobile) will eventually replace cash completely and then we can all celebrate - No more waste due to loose change - plus also maybe it will get the beggars off the streets too.

John | Nov 20, 2007 | 9:47AM

Don't you DARE attempt to prohibit my creative web forms!
That's a violation of my CIVIL RIGHTS!

His Beneficent Benevolence | Nov 20, 2007 | 12:56PM

Perhaps your new-found friends at DHS can call up Treasury and State and push along your ITAR license application. On the downside, it might take them six years!

Alexander | Nov 20, 2007 | 2:46PM

I think your vote comments are not displaying properly when people submit them - lots of duplicates!

Daniel | Nov 20, 2007 | 4:49PM

Until recently I actually trusted personal information to Roboform; however, when I downloaded the free version to use it temporarily and it searched the hard drive of the PC I was borrowing and automatically filled in several fields my trust quickly evaporated. (Note to software creators: doesn't that behavior make what you're up to just a tad too obvious?)

The old bank machines I once specialized in repairing ate your ATM card if you repeatedly typed the password in incorrectly with three times being the default setting. If you have any sense and still use ATM cards you can use machines that do not do that because you manually slide your card through the card reader instead of trusting the ATM machine to give it back - if it feels like it.

Rose Sylvia | Nov 20, 2007 | 7:39PM

Simple solution:

Use a "non-secure" password for non-secure applications. Use a "semi-secure" password for semi-secure applications such as e-mail and store websites where your payment details are not stored. Finally, use one or more "high-security" passwords for a small number of "money" websites (banks, 401k etc).

And yes, change them regularly.

Wizard Prang | Nov 21, 2007 | 10:58AM

I worry about companies spying on me more than the Government. The NewsVisual article on Google’s Open Handset Alliance http://www.newsvisual.com/newsvisual/2007/11/google-and-moto.html implies that it’s really personal connections among business leaders that determine who can gather information on us. There doesn’t seem to be anyone who constrains their activities.

Bill | Nov 21, 2007 | 11:34AM

I use a "core" password for every site and use a suffix for each individual site.
I keep the suffixes written on paper and the "core" password in my head. You could have
more than one "core" password using a tiered level of security, say, three of them. Make
periodic multiple photo copies of the written suffixes as it grows, and store them in
different locations. This resolves the hardware failure problem and if someone gets a hold
of the written suffixes it is unusable to them.

keith | Nov 21, 2007 | 11:38AM

Use keepass...

...sensibly of course.

Gordon | Nov 21, 2007 | 3:38PM

There may be no such thing as a foolproof method, but here is a simple one that is also pretty secure, certainly far better than the standard way most people do it (which Bob describes very accurately). The key is to disconnect your username from your password as much as possible, so that a potential thief needs two very different modes of access to get them both. You can still select a universal username (or maybe two if you can handle it), but use different, unique passwords for critical accounts (bank, credit cards, etc.), and keep this list on your person (wallet, purse, etc.), making sure you do NOT also write your username anywhere in the same location. Obviously you will want to keep a copy somewhere else as well. If you lose your wallet, whoever finds it will have a list of your passwords but the chances of that person 1) being a thief, and 2) being capable of accessing your username are very, very slim. And if someone hacks into your data or somehow tricks you into giving them your username and a password for any account, the password loss will not lead to catastrophic damage. You can then weigh the benefit of frequent changes (which are a pain in the ass) vs. the minimal risk of losing data or money from a single account.

Kevin | Nov 21, 2007 | 3:57PM

http://news.yahoo.com/s/macworld/20071122/tc_macworld/lawsuit20071121

Why did Apple get off cheap? I expected this number to be mid 9 figures as opposed to low eight. After attorney fees, Burst.com barely cleared 4.9 million. Was it worth it? Burst.com is not a patent troll, they had a legit claim. Or are they settling with Apple to aim their guns at Google or Adobe?

Kevin Kunreuther | Nov 22, 2007 | 12:26AM

I agree with Kevin completely. A lot will be gained if people would use two username/password combinations: one for sensitive data (like bank accounts) and one for less important stuff (like Amazon accounts).

Sjaak Laan | Nov 22, 2007 | 10:09AM

***DISCLAIMER*** I love Brazil. I live there. I hold no disrespect for my new country!

That being said:

If you are looking for a place that won't allow you to do ANYTHING without years and years worth of paperwork combined with delays from incompetence and laziness and corruption unimaginable to all but the Vogons, go immediately to Brazil. I've lived here two years and trust me, the government of Brazil makes DHS look like it was staffed by Mensa.

João | Nov 22, 2007 | 10:50AM

Try logging into any of your social networking, email, or other corporate accounts from any location or PC that is not one you use now and I suspect you'll find that you MUST change your password and confirm it with an email address.

There is no such thing as privacy or a "secure" password. Some are more challenging to hack; however, it is likely that someone has access to every password you use. Anything encrypted can be unencrypted.

Have you noticed the search results and comments with little images that look like dominoes that contain hex codes? Some search results are clearly marked PROXY. If you want to see what I'm referring to type in a search for f3.yahoofs.com at google.

If you visit my blog you'll notice that the pages don't want to complete and show “Transferring data from track2.mybloglog.com” until you click refresh and then they show “Transferring data from f3.yahoofs.com”. This behavior is solid (not intermittent; consistently reproducible) and occurs on every individual page or post I've checked.

I do have mybloglog on the page but no links that have any reason to hit Yahoo as far as I know. The blog is currently hosted at laughingsquid. Although I do link outward abundantly, I use different links on every post so it could not be due to an outbound link in any post.

Rose Sylvia | Nov 23, 2007 | 7:44PM

An interesting development in the UK with the loss of 2 CDs containing 25m residents' details, compromising fraud. You may have read about it. Here's an interesting take on that:

http://www.guardian.co.uk/commentisfree/story/0,,2216390,00.html

Robbie | Nov 25, 2007 | 10:20AM

lots of spam comments on here bob. I'd guess your filter needs updating.

Daniel | Nov 27, 2007 | 4:52PM

extra message to scroll the spam off the screen

Daniel | Nov 27, 2007 | 4:56PM

third comment to scroll the spam right off the page

Daniel | Nov 27, 2007 | 5:02PM