Encryption can be applied at various layers. You can have link-layer encryption (level 2), network-layer encryption such as IPsec (level 3), transport-layer encryption such as SSL (level 4) and application-layer encryption such as SSH (layer 7).
Also, it is not a positive endorsement when "the civilized parts of the world" have a card system forced upon them by their governments.
That statement makes no sense at all. Where I live, my government was democratically elected. So I think it makes more sense for the government (which is accountable to us) to "force" a system on us rather than merchants or payment-processors (which are accountable only to their shareholders.)
Knee-jerk anti-government sentiment is tiresome.
Who would decide the point at which security had sufficiently improved, though?
A technical committee with representation from merchants and the card companies would have to come to some sort of agreement.
Unfortunately, it would cost billions to upgrade the US's entire infrastructure to support it, and I honestly don't see anyone picking up the tab for any part of such an upgrade any time soon.
We here in Canada did it pretty quickly. Granted, we only have 10% of the population of the US, but it was still a big and worthwhile infrastructure upgrade.
The point is that if there's a security breach, the merchants are the ones who take it on the chin, not the credit card companies. That's why merchants need to get the CC companies to clean up their acts.
I'm not particularly fond of Wal-Mart. However, as a merchant who suffers the whims of credit-card company policies, I'm really glad to see someone beating up on VISA. As another poster said, Wal-Mart might just be big enough to succeed.
I would love to see a group of large merchants get together and pick one credit card company (let's say MasterCard) and simply refuse to accept it unless security is improved. Yes, customers would complain, but if the merchants spun it correctly as trying to improve customer security and reduce identity theft, I think MasterCard would cave. Then move on to VISA.
But by then, the Earth's rotation will have slowed so a day is longer and a year is no longer 365 days and the Morlocks will need their own calendar reform.
... but I predict that the US will switch to SI units for everyday measurements before this new calendar is adopted.
Any password-generation algorithm that is not based on a cryptographically-secure random number generator reduces the search space and makes it easier to guess passwords.
I do not believe in "easy to remember" passwords. I believe in strong passwords, which of necessity are hard to remember, so they have to be written down and stored safely, or stored in a password keeper protected by strong encryption and as long a passphrase as you can get away with.
We sell software that has an accompanying account for users to download data feeds and related updates. We do not let users pick their own passwords. We give the user a randomly-generated password that he/she has to use.
There are two major benefits: If we get hacked and all the credentials are stolen, the passwords (with overwhelming probability) will not be usable on any other sites, so our users are safe. Conversely, if another web site used by our users is hacked, then (with overwhelming probability) those credentials will not work on our site.
Yes, it's a little inconvenient for our users. We tell them to write down the password on a piece of paper and keep it in their wallet.
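The search-space point made in the comments above, as an added example that is not part of the original posts: a password drawn from the OS CSPRNG next to one drawn from a PRNG seeded with a guessable value. The 62-character alphabet, the 16-character length and the function names are assumptions chosen for illustration.

```python
import math
import random
import secrets
import string

# Assumed policy for this example: letters and digits, 62 symbols.
ALPHABET = string.ascii_letters + string.digits


def generate_password(length=16, alphabet=ALPHABET):
    """Draw each character independently and uniformly from the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Size of the search space, in bits, for a uniformly random password."""
    return length * math.log2(alphabet_size)


def seeded_password(seed, length=16, alphabet=ALPHABET):
    """Counter-example: same alphabet and length, but the output is fully
    determined by the seed of a non-cryptographic PRNG (Mersenne Twister)."""
    rng = random.Random(seed)
    return "".join(rng.choice(alphabet) for _ in range(length))


def effective_bits(length, alphabet_size, seed_bits):
    """A seeded generator can emit at most 2**seed_bits distinct passwords,
    however long the password looks."""
    return min(entropy_bits(length, alphabet_size), seed_bits)


if __name__ == "__main__":
    print("CSPRNG password:      ", generate_password())
    print("nominal search space: ", round(entropy_bits(16, len(ALPHABET)), 1), "bits")
    # Constructed scenario: seed is a second-resolution timestamp from a known day.
    day_bits = math.log2(86400)
    print("seeded search space:  ",
          round(effective_bits(16, len(ALPHABET), day_bits), 1), "bits")
    # Anyone who knows the seed reproduces the same password.
    print("reproducible:         ", seeded_password(1234) == seeded_password(1234))
```
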
I'm pretty sure it's my mother. Ages ago, I had supper with Linus Torvalds and although he's not that tall, he's at least 20cm taller than my mother.
My mother does receive quite a few PowerPoint-laden emails. So far, LibreOffice has opened them all perfectly. My mother doesn't even know what "PowerPoint" is; she just knows that she gets cute slideshows when she clicks on the attachment.
My mother (who is a grandmother to my kids) runs Debian Wheezy with the XFCE desktop environment. The machine is fairly locked down and I've made quick-launchers for the apps she uses 99% of the time: Email, web-browsing, word-processing, music player and video player.
She's happy and I can administer the machine remotely, so I'm happy.
You are correct... my company is small (10 people).
That's true. All our desktops run Linux so we are at somewhat lower risk for most malware than Windows shops. I understand that it's still not completely foolproof, but so far we haven't had a problem.
I have never fired someone for abusing our Internet policy. I've issued warnings, though.
I own my company, and no... I don't do this to my employees.
I have warned people who've abused the system (I had some casual employees who spent inordinate amounts of time on Facebook, and I've had to clamp down on music downloads that could have gotten me into trouble) but I generally use HR methods rather than technological methods to take action.