Comment great opportunity (Score 1) 402

While I don't see MS porting full Office to Apple/Android, I do see them building a very slick VDI client. Office on a tablet will end up as a VDI session to a private cloud server. It may sound crazy, but it's the smart thing to do. It allows Microsoft to leverage all the existing tablets that everyone already has entering the corporate environment. They can support more devices quicker and extend the life of older tablets. The tablets 3 years from now will blow away today's tablets, but if it's a VDI client then that won't matter.

Tablets are too personalized and a nightmare for IT security. But what if you could connect to a work desktop and get all your work apps in a way that makes IT feel good about it, yet allows the individual to keep personalized apps? I think this is why Windows 8 has such a tablet feel to it. Windows 7 already does a good job under VDI, and I expect Win8 to do so much better.

This would definitely be a corporate IT strategy that is in sync with the MS push of VDI and Private cloud that we see MS timing with the Win8 release. Home users are another story.

Comment Re:Security without security? (Score 1) 138

I would find that a perfect opportunity for security to practice protocol. Do everything except report it to the authorities. Even do the data loss analysis.

In the case where the doors were locked, hunt everyone down that had a key and question them. Track each breach down.

I would love to attempt stuff like this at work.

Comment Re:Security without security? (Score 4, Insightful) 138

I think it's just the opposite. They didn't tell them to let the students steal the laptops, they let them know in advance that if they catch someone taking the laptop that it may be legit. Just mentioning this would have made it harder because laptop theft would be on the security team's mind, making it easier to spot.

Comment Re:Be paranoid (trustno1) (Score 3, Informative) 333

Above all, trust nothing.

That's the most important rule of thumb. Don't even trust your own client code.

Make definite security boundaries. Draw a circle, label it data. Draw a circle around that circle, label it prepared statements. Keep drawing circles, adding layers for each security boundary, so you have something like this.

Data-> prepared statements -> firewall -> web server -> business logic -> user state management -> browser -> client side code -> user input

Each layer needs to validate everything. Let each layer assume that the protected layer in front of it is missing. It just does not exist. One common issue is having only the client side code validate the user input. I love to modify client side code to bypass validation just to see what breaks. If it's HTML, there are so many ways to do that.
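The layered model in this comment, as an added illustration that is not part of the original post: a client-side check, a business-logic check that assumes the client check never ran, and a data layer using a prepared statement that assumes the business-logic check is missing too. The table, names and inputs are constructed for the example.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the innermost 'data' circle."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return conn


def client_side_check(name):
    """Browser-side check: a convenience for the user, trivially skipped by anyone
    who edits the page or sends the request directly. Nothing inside relies on it."""
    return name.isalnum()


def business_logic_check(name):
    """Server-side rule. Written as if the client-side layer does not exist."""
    return re.fullmatch(r"[A-Za-z0-9_]{1,32}", name) is not None


def find_user(conn, name):
    """Data layer. Written as if the business-logic layer does not exist either:
    the parameter is bound by the driver, so quotes in `name` are plain data."""
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)
    ).fetchall()


def lookup(conn, name):
    """Server entry point: never asks whether the client already validated."""
    if not business_logic_check(name):
        return ("rejected", [])
    return ("ok", find_user(conn, name))


if __name__ == "__main__":
    db = make_db()
    print(lookup(db, "alice"))          # ("ok", [(1, "alice")])
    crafted = "alice' OR 'a'='a"        # would pass only a missing client check
    print(client_side_check(crafted))   # False on the client...
    print(lookup(db, crafted))          # ...and still rejected server-side
    print(find_user(db, crafted))       # even with no checks: [] (literal match)
```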

Comment Re:Web Applications aren't different (Score 1) 333

There is a huge difference though. It is true that you should not trust any clients. But many people make incorrect assumptions.

They think that when you are working internally, there is a very small number of clients that can possibly connect to it. The odds of a hacker getting onto your network are small. So of course it's secure, it's on a server behind a firewall. Opening an application to the internet strips those security blankets away.

To be honest, I think we all do a little of that too. We do what we can to write secure code internally. But we hesitate a little every time we think it may end up open to the wild. I see it as a scary door to open. We can't be 100% confident that we thought of everything, just like we can't be 100% confident that it's bug-free. It never is. A good student in the art of code should always seek to find more ways to secure public facing applications.

Comment Re:Divorced (Score 1) 339

Pick long words that are easy for you to remember.

Pick your state or town, full work phone, and favorite Monopoly property (or first pet, author, or street).
Orlando5558242222NewYork

That phone number will feel a little awkward to type at first, but try using the number pad. Before you know it, your fingers will type it faster than you can say it. That number adds 10 extra characters that you can remember without thinking about it.

Comment My method (Score 2) 339

My method has slowly evolved over the years. I grew up on a crappy dial-up connection out in the country. Our ISP gave us a generated strong password. Our connection would constantly drop and I would have to enter that password in several times a night. I kept that password and slowly morphed it over time. It kept getting stronger and stronger with every evolution. I did this with 2 passwords. One for secure stuff and one for everything else.

Then not too long ago, I discovered rainbow tables. Pre-generated LM password hashes. My passwords were not in the free tables, but they would be in one of the more detailed collections. Then I started doubling my short passwords by typing them twice. Instant 16 char passwords that were easy to remember and type. Sometimes I would mix it up and use 2 of my old 8 char passwords together. I would think password1 then password2 and type them just as fast.

More recently with smartphones and now tablets, my passwords were just a monster to enter in. One password was lnnLllnnlnnLllnn where l = lower, n = number, L = upper. A total pain when you also have to swap from numbers to letter on the key pad. My current passwords are much simpler, very fast and easy to enter, and even longer than before.

One of the passwords that I just cycled out contained 2 swype-able (dictionary) words and a full 10 digit phone number. My short one was 19 characters, easy to remember, and super fast to type on my computer and mobile device. Entering the password is much more natural. I can swype on my mobile and bounce over to the number pad on my desktop. I work in IT and constantly get comments of shock from users when they see me enter my long passwords on systems.

I do reuse passwords on sites more often than I would like to admit. I treat my email as the master password. With that, all other accounts can be reset. I have my financial password, my work password, my social password, and then everything else password. That everything else password is used on all accounts that I don't care about or don't impact me financially. The everything else password never gets changed. I will usually take 3 guesses at a password on a site. If it's not my current one, previous one, or the everything password, I then request a password reset and set it to the everything password.

I never know what to put for a password hint on the sites that ask.

Comment Re:There is extremely little value in changing. (Score 2) 339

Identify what accounts you need to keep secure or protected. Bank accounts, services where your credit card is available for one click purchases, and your email account. Use your good passwords on them and rotate them like you are.

Then use one password for all your worthless accounts that truly don't matter. You don't even need to change this one. Still make it a good password though. So if someone hacks slashdot.org, they will get access to my Evernote, Flickr, and Twitter accounts. But I have what, 12 followers on Twitter and 10 pictures on Flickr. Those accounts will not impact me much if someone else got into them. Yes, someone could give me bad karma on Slashdot, but do I really care?

I do stress that your email password is your most important one. Most people use the same email to sign up for everything including financial accounts. So anyone that has access to your email can do a password reset request and get in anyway.

Comment Go for it. (Score 1) 848

If you do a good job, it can only help you.

It will give you more visibility and more responsibility. If you are doing it for work, stop doing it on off hours. Pull it into your job and do it during your down time. Get paid hourly on it. You will need to maintain it and fix various issues over time. When you are up for yearly review, get this project and a description of what you do mentioned. In the future you can ask for a pay raise or a title change because of your new job duties and responsibilities.

Should you ever leave your current position, this project will give you huge returns in hunting for your next job. Employers want to know about these types of projects and you can talk about it in detail with great confidence.

Television

Submission + - US Bans Loud Commercials (activepolitic.com)

bs0d3 writes: On Tuesday, the FCC passed the Commercial Advertisement Loudness Mitigation Act, or CALM. It's a law that states all commercials must run at the same volume as network newscasts. The same applies to network promos. The responsibility falls on cable providers like Comcast or Charter. The law will not take effect until next year, which leaves plenty of time for it to be challenged in court by cable providers or advertisers.

Comment coaching (Score 5, Informative) 360

You have to coach them. They don't really understand what you need.

When I get an email from someone about a bug, I go meet with them. I ask them all the questions I think may be relevant. What were they doing, how were they doing it? Were there any extra small steps or actions that jump out? Sometimes I explain why I'm asking certain questions and relate them back to previous bugs or issues.

I think what you need is someone to be the go between. Get a tester to receive those emails, recreate the issue, then file a bug report. Don't allow the end user to file bug reports directly into your system. It will mess with your tracking data. A high number of worthless bug reports closed quickly may look good in the reports but does not help anyone.

Submission + - 25% of males in tribe were attacked by giant snake (mongabay.com)

rhettb writes: After spending decades living among the Agta Negritos people in the Philippines, anthropologist Thomas Headland has found that the hunter gatherer tribes were quite commonly attacked by reticulated pythons (Python reticulatus). Headland found 26 percent of Agta Negritos men had been attacked by a reticulated python in the past, most bearing the scars to prove it. Women were attacked much less frequently, but since men spent their time hunting in the forest they were more likely to run into a python, an encounter that could prove deadly for either party.

Piracy

Submission + - Sony, Universal, Fox caught pirating TV, movies, m (extremetech.com)

Bad_Feeling writes: Ernesto, the piratical kingpin of TorrentFreak, has discovered that US movie and TV studios, including Sony Pictures, Fox Entertainment, and NBC Universal, are eager pirates as well. Sony employees were caught downloading dubstep music and a rip of Conan the Barbarian. Someone at the NBC Universal office in Fort Lauderdale downloaded the entirety of Game of Thrones season one. If the problem of piracy has taken root within the walls of the publishers and producers, suing hapless consumers seems stupendously hypocritical.
