Comment Re:Ha Ha, mine goes to 11 (Score 1) 615

Indeed. You are probably not a target worth the time or effort.

Incidentally, salting only protects against dictionary attacks (not brute-forcing) and SHA-256 is generally hardware accelerated (unlike md5, so the crunching will potentially be faster in your case). Also as I would have a copy of your vault application, I could potentially edit the authentication part to remove any additional, non-functional, delays the vault program might have added.

But again, it depends on whether or not you are worth the effort.

The best way to do this would be to use a two-token authentication (something you know + something you have), but it's going to be a while to get a non-hacky global framework in place that keeps everyone happy, does not break country-specific patents and is not subject to export regulations. And it would have to be ubiquitous, easy to carry and cheap enough for companies to afford to give out.
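As an added illustration (not part of the original comment), here is the difference between a delay the vault app adds around its check and a work factor that is built into the key derivation itself; the salt and passwords are constructed sample values.

```python
import hashlib
import hmac
import time

# Constructed sample salt so the demo is repeatable; a real vault generates a
# random salt per vault (e.g. os.urandom(16)).
SALT = b"constructed-salt"


def verifier_plain(password: bytes, salt: bytes) -> bytes:
    """Design A: one salted SHA-256. The salt defeats precomputed tables, but
    each guess still costs a single hash, which is exactly what GPUs excel at."""
    return hashlib.sha256(salt + password).digest()


def check_plain(password: bytes, salt: bytes, verifier: bytes, delay_s: float = 0.0) -> bool:
    """The app may sleep after the check, but the delay is not part of the
    verifier: a patched copy of the app passes delay_s=0 and is just as correct."""
    time.sleep(delay_s)
    return hmac.compare_digest(verifier_plain(password, salt), verifier)


def derive_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Design B: PBKDF2-HMAC-SHA256 (hashlib.pbkdf2_hmac, standard library).
    The iteration count is an input to the derivation, so the key (and anything
    encrypted under it) is only reachable by doing all the work, whoever runs it."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)


def check_stretched(password: bytes, salt: bytes, iterations: int, verifier: bytes) -> bool:
    return hmac.compare_digest(derive_key(password, salt, iterations), verifier)


def shortcut_works(password: bytes, salt: bytes, iterations: int) -> bool:
    """Does a client edited to run a single iteration still unlock the vault?
    True only if the 1-iteration key matches the full derivation (it never does)."""
    verifier = derive_key(password, salt, iterations)
    return check_stretched(password, salt, 1, verifier)


def guesses_per_second(password: bytes, salt: bytes, iterations: int, samples: int = 20) -> tuple:
    """Rough single-core comparison of guess rates: (design A, design B)."""
    t0 = time.perf_counter()
    for _ in range(samples):
        verifier_plain(password, salt)
    plain = samples / max(time.perf_counter() - t0, 1e-9)
    t0 = time.perf_counter()
    for _ in range(samples):
        derive_key(password, salt, iterations)
    stretched = samples / max(time.perf_counter() - t0, 1e-9)
    return plain, stretched
```

Run guesses_per_second(b"correct horse", SALT, 100000) to see how many plain SHA-256 guesses fit into the time of one stretched guess on your own machine.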

Comment Re:Ha Ha, mine goes to 11 (Score 2, Interesting) 615

Single point of failure.

Essentially, you will need to carry a copy of your password bank with you AND the application which opens it at all times to function.
This means that if it gets compromised (your memory stick gets stolen, your Dropbox account gets compromised, etc.) an attacker will only need to guess/bruteforce/dictionary attack/social engineer/look over your shoulder one password and gain access to everything in your wallet.

It's not a bad plan in principle, but only if you keep important passwords outside the wallet just in case it gets compromised. The point of the article is to raise awareness of the fact that passwords take less time to bruteforce these days, as GPUs are very well suited for the job.

Also, keep in mind that websites can have limits on what passwords you can use (up to x characters, no symbols, etc.)

And, you cannot copy paste your login password to an OS :)

Comment Re:gmail (Score 3, Insightful) 75

As you said, it depends on what you use your email for.

The fact that *you* don't use your email for anything important, does not mean that *I* don't.

In my email accounts (not only GMail) I have contracts, project proposals, contact details, collaborative discussions for projects, things I have emailed to myself as a backup, copyright notices for things I own and have released, etc.
Not to mention professional discussions, announcements and proposals. And more personal emails as well.

As organisations move to the cloud (my University is doing so now) one needs to think of What-If scenarios and plan accordingly.

For example, what happens if you are off-line and want to access an email?

Comment Re:gmail (Score 1) 75

And what happens if the cloud storage glitches/crashes and you lose years of emails (http://www.huffingtonpost.com/2011/02/27/gmail-reset-emails-deleted_n_828863.html)? Yes, it was fixed this time and more contingencies are now in place, but the risk is still there.

You can still use Thunderbird (or any other mail client) to store an off-line copy of your email via POP3/IMAP.

Comment Package Names? (Score 1) 91

What I don't get is why no one writes the package names of the malicious apps.

Application names are generally useless on Android since they can be duplicated freely (and there are legit apps with those names).
On the other hand, package names are unique in the Market.

Anyway, the list of the apps with the package names from the **previous** outbreak can be found here: http://globalthreatcenter.com/?p=2091

Also, a question: does the kill switch affect devices which don't have the market installed?

Comment Re:Use common sense. (Score 1) 173

Regarding point 7, it would be nice if Google forced developers to justify the use of each permission with a quick blurb.
And about contacting, it's the same as on eBay: If you want to know something not on the description, you do ask the seller, don't you?
Also, there is usually a link to the dev's website (along with his email) on the Market entry, so the Market offers you a way to do it.

Regarding 8 and 9, you don't have to go out of the Market environment.
Simply searching the app by name will usually do the trick: If you see DocumentsToGo by random_person for $0 with 100 downloads and DocumentsToGo by Dataviz for $9.99 (or whatever it costs now) with >250.000, which one do you think is legit?

The Android Market is the same as any other market place. The seller will put up a generic, generally customer-attracting advertisement for a product, but if you want more info you have to ask. Unless everyone just buys cars/boats/PCs/phones based only on a TV ad without asking for any clarifications?

Comment Use common sense. (Score 2) 173

Use common sense:

1. Don't root unless you REALLY need to.
2. If you are rooted, don't give root rights to an application unless you know what it is supposed to do AND you trust it to do just that.
3. Install a firewall.
4. Don't install applications from vendors you don't trust, or know little about.
5. Read the reviews of an application. See what people complain about.
6. Don't install applications which ask for rights that make little sense in context (a calculator which asks for access to the network and contacts for example).
7. If unsure about some permissions, check the developer's website to see if there is a good explanation. If not, contact the developer directly and ask.
8. If you suddenly find an app for free which you thought was pay-only, check to see if it is cloned. If so, don't install it as it might be tampered with.
9. Check if the developer of an application matches who you know it should be. If not, don't install it as it might be tampered with.
10. Personally I don't install or use an application which handles credit-card or bank account information directly/indirectly. This includes Paypal/Amazon and eBay. The reason for that is that I don't know how the information is stored on the phone, how it is transferred to the servers or if the authentication system is broken and can be hijacked (like the problem Google had the other day). Unfortunately I'm stuck with Google checkout, but I use a secondary cash card.

Steps 8 and 9 would have saved quite a few people from grief in the last malware outbreak.

If you are so inclined (and rooted), you can also use AdFree to block ad and some malware sites. This will also cause developers to lose income though.

The permission system works well but only if there is no root exploit involved. Once an app gets root rights it can do just about anything. For example, it can download a precompiled linux executable which will send all application info from your phone to a remote server. This will include contacts/application and preferences (point 10 above).

Comment Re:The iPad is a tablet, but not all tablets are i (Score 1) 789

Oh yes!

I remember using Palm Pilots to register stock deliveries in an old job of mine.
It would take a couple of minutes to inspect the goods and 5 minutes to use the app to sign for the delivery and use the clunky interface on a small screen. Most of the problems were due to digitizer drift and bad UI but the experience was horrible.

Palm Pilots were great at their time (I still think that the T|X is the best overall device I've ever used) but in hindsight you can see how limited they were...

Comment Re:The iPad is a tablet, but not all tablets are i (Score 1) 789

Maybe I should have clarified myself.

You cannot enter extensive information onto a tablet by typing (well you can, but I pity anyone stuck in that situation). They are not built for that.
But yes, as you pointed out you can use them to populate lists via checkboxes, comboboxes and the odd sentence here and there.

Comment Re:The iPad is a tablet, but not all tablets are i (Score 1) 789

The actual reason is that Apple is providing a unified user experience.

The shiny-ness? The walled garden? The fact that there is a simple (as in my grandmother can use it) interface to interact with the phone? That is what Apple is selling. Anyone can buy an iPhone, install iTunes and get going within an hour. It will also patch your phone to the latest version the moment you plug it in.

On android?
You want to put music on it? - Figure out how your music player of choice does it.
You want to update it? - Figure out how your provider AND manufacturer does it (KIES/OTA/RUU/God knows).
You figured it out? - Good! Now wait until your provider AND manufacturer tweak the official Google update and push it to their distribution system (see above point).
You want to use your phone? - OK! Now get used to the UI skin every manufacturer seems to be creating for their phones.
