
Comment Will Adobe follow up, will this crush Apple? (Score 1) 1

My developers constantly justify MacBook Pros because they say Adobe apps run better on Mac. Last I checked on benchmarks, a Windows machine for less money beats the tar out of a Mac on most of these apps. If they don't want Windows, fine, please let us have Linux. Everyone needs to jump on the getsatisfaction page there and chime in to keep development alive. Competition is good.

Comment Re:Great idea despite the naysayers (Score 1) 399

I challenge you to cite some examples of PGP, Credant, TrueCrypt, or Checkpoint disk encryption failing to patch their whole disk encryption. I'll come up with a list many times bigger with holes that are patched. I am here because my job depends on it and I need to keep an open mind. Please educate me.

Comment Primer on how this works because you guys=confused (Score 1) 399

1. Purchase license for remote recovery service.
2. Enable service on laptop BIOS, encrypt drive, enable Intel kill switch.
3. Now I can see all computers' GPS history in a nifty web portal. It has pretty maps and charts, good manager bait. Now I can set fences based on country, state, etc. to start a wipe and shut down if it leaves that fenced area.
4. User reports stolen laptop, we report to security service.
5. Remote wipe sensitive directories, execute any custom commands.
6. Alert cops to pick it up, start a timer for kill switch based on battery life.
7. Cops don't pick it up, battery is low, disable machine completely with Intel switch (only new part here).

If you own a laptop, get in the BIOS right now and look for Computrace activation. If it is a business class machine, it is already there and has been for years. If you don't like it, don't get an aircard. All of this technology is up and running for me and a lot of other corporations. If you don't like it, and you work for me, fine. Quit. If you are a home consumer, disable it. Every other service on your computer is equally vulnerable to unknown unwritten malware.

Comment Re:Great idea despite the naysayers (Score 1) 399

So you don't have a machine with a built-in SSH port? (or remote desktop?) What is really harder? Building a virus to modify a modern BIOS or execute RM -rf? The point of most malware is not to render the computer useless. It is to use the computer in a botnet or extract valuable information. Now where was that tinfoil hat? Maybe I am missing something obvious.

Comment Re:Great idea despite the naysayers (Score 1) 399

Absolute=lojack the parent company. These guys are late to the big brother party. Lenovo, Dell, HP all come with the SMS activation with no power and GPS tracking support in the BIOS. The icing on this cake is that when I report a machine stolen now, an SMS message goes out, activates GPS, cops go after it, and the processor is disabled so if the battery does run out, the machine is useless. The comment 2 up-- You didn't read my comment. We encrypt our drives. While once in a while a crack comes out for this, it gets patched pretty quick. I'm not concerned. I just read a little more, you have to enable it in the BIOS, it doesn't come by default. You can also have the full functionality restored.

Comment Great idea despite the naysayers (Score 1) 399

While I wouldn't say it isn't possible for someone to break in and kill your machine, it isn't likely. We have been using Absolute Software's offering and have been able to do remote wipes on laptops for a long time now. Nobody has broken in and wiped out all the computers with this technology. That being said, do you really think IT who implements this doesn't have a backup? And that our legal departments wouldn't get fair compensation if said "gotcha" really occurs? I would rather have the ability to disable a phone or PC in any way possible when I need it to happen. For the comment above about just moving the hard drive to another machine... Really? Who goes through the trouble of enabling this, and paying monthly for the service, and just skips the whole drive encryption bit? My vote is go Intel.

Comment Re:Nothing (Score 1) 107

In my experience, things that have undergone more testing generally tend to have better performance. NIST tests the devices, algorithms, policy, etc. They don't wave a magic wand that makes it more secure or take a payoff to say it is just compliant as you state. Saying that no security measure is 100% to prove a point is gutless. Of course it isn't, but a security plan with more thought and research is more effective at meeting its goals than none. Have countries outlawed iPhone because the encryption is too difficult for government agencies to tackle? If it is so easy, why does this happen? Maybe you can link some examples and educate us. I am often wrong and would like some help if this is the case. I find a lot of YouTube videos showing any idiot how to break into any iPhone OS version, where are the videos for BlackBerry? I for one feel more comfortable having grandma's SSN on some doctor's BlackBerry than his iPhone. Judging from your other flamebait comments, I think I am wasting my keystrokes here.

Comment Re:Nothing (Score 1) 107

I disagree with most of the comments here. In my opinion the solution is to continue to use BlackBerry and ban iPhone, Google and MS phones from uses that require security. The nice folks at NIST regularly test BlackBerry systems and they continue to pass over and over, earning the magic FIPS 140-2 certification. Throwing your arms up and screaming "screw it" indicates you are either joking or having a nervous breakdown and need to step down from your IT post. Layered defenses are effective because no one layer may be completely trusted. You have to make the best decision you can per layer and move on. In this situation it is easy. Continue to use only FIPS-140 approved devices. The encryption, security and central management on BlackBerry is a lot better than the (none) on the other platforms.

Comment Re:Were they.. (Score 2) 60

At a large University, Windows XP licenses are trivially cheap. I believe at my last job $5. If you tell them you are running an experiment like this, it is even cheaper. People give M$ a bad rap on licensing. A lot of times it is cheaper than Red Hat when you have a number of computers.

Comment In related news, seti@home scores are 10x faster (Score 1) 228

Somehow they took my boring news of Moore's law - My seti@home and primegrid stats are moving 10x faster with my new laptop's GPU. They turned that into - IN THE FUTURE COMPUTERS MIGHT BE REALLY FAST AND MELT YOUR 1960s PASSWORD! It isn't exciting. Quantum computing will come with both encryption and decryption. Nobody cares what it does to your password from 15 years ago.

Comment Re:Offline-vs-Online attacks (Score 1) 343

Windows 7 and Windows 2008 do not store passwords in the same format that Windoz 95, 98 did. You have to go in and manually specify that you want it to do LM or NTLM. Which I might add you can also do on any Linux machine. So are Linux passwords weak because you can specify a weak NTLM hash or MD5? Not because anyone in their right mind does? The thing that kills me on the "weak windows" argument here is that the only reason people usually enable old NTLM on a Windows AD is to get some Mac or open source code to authenticate properly. The problem with trying to prepare for an offline hash attack is that you can't. Well, if you issue users yubikey or RSA tokens, then you can. But that is a little impractical. I would submit the idea that a strong password is still your best defense. And that the password listed was a poor example in this situation because with a modern Windows or Linux salt, it would take a very long time to get. I don't think anyone has noticed that all the passwords in the hashes referenced have not been found yet. There are references saying ALL accounts have been found; they have not at this point in time. Strong passwords in this situation have proven themselves. Also in most cases, when you have broken into a machine to where you have access to that hash file, the password guessing game is over and moves on to replaced GINA, keystroke logger, stolen hash etc. All the easy stuff. It comes back to the admin having a strong password and patching on time.

Comment Re:160 seconds? Windows? Bad example (Score 2) 343

A little harder to block, yes I would agree, however even a botnet of 1 million computers all active on my pathetic site can only guess 5 million per hour. I would love to see your logs that are a clear show of botnet force. Doesn't happen to my company's webservers. (knock on wood) Still a long time until the example password gets cracked. So at the heart of this question: are strong passwords like "Fgpyyih804423" worthless because an old NTLM hash cracker with precalculated tables can hit it in 160 seconds? Absolutely not. The example does not belong in the article.
