
Comment Viruses? Right... (Score 1) 156

The target is the file-sharing generation

Okay, I'm listening.

'Our customers can be sure that Voddler is totally legal, secure ...

Sounds good.

... and that there are no risks of computer viruses infecting their machines from downloaded files,'

Say, what? If your target is "file-sharing generation", then don't spout bullshit that is obvious to the majority of it!

Comment Day is Night, Black is White, and Good is Evil (Score 1) 505

In practice (aka reality) OS X has never had a virus or worm. All known in-the-wild exploits to this day have required users to install something, many requiring administrative passwords. That is, all in-the-wild exploits have been trojans.

The Windows landscape is full of viruses and worms. Conficker is just one recent and ongoing example. Botnets are not only comprised mostly of Windows machines running IE, but apparently 80% of viruses run in Windows 7 just as they did in previous versions of Windows.

And you're repeating the idea that Windows of any stripe is more secure than Mac OS X with a straight face?

Security

Submission + - SPAM: How To DOS A Federal Wiretap

itwbennett writes: According to an article on ITworld, researchers at the University of Pennsylvania claim to have 'discovered a way to circumvent the networking technology used by law enforcement to tap phone lines.... The team asked whether the ANSI Standard J-STD-025, which defines how switches should transmit wiretapped information to authorities, 'is sufficient to have reliable wiretapping,' said Micah Sherr, a post-doctoral researcher at the university and one of the paper's co-authors. 'It turns out that the standard sets aside very little bandwidth — 64K bits per second — for keeping track of information about phone calls being made on the tapped line. When a wire tap is on, the switch is supposed to set up a 64Kbps Call Data Channel to send this information between the telco and the law enforcement agency doing the wiretap. Normally this channel has more than enough bandwidth for the whole system to work, but if someone tries to flood it with information by making dozens of SMS messages or VoIP (voice over Internet protocol) phone calls simultaneously, the channel could be overwhelmed and simply drop network traffic.'

Comment Re:Just reduce the bill (Score 2, Insightful) 285

I think there is a difference between one login/interface to your bank to pay all your bills, and having to log in to the websites of 10+ bill payers to collect all the information I need to pay them. Some of my bills are paid only once or twice per year. I would rather not have to remember all the different logons and passwords for every company who wants to send me an electronic bill.

Comment Re:i like paper bills (Score 3, Insightful) 285

I use banking software, however I rely on those paper statements to tell me when exactly the bill is due, and how much. In the past I have opted into electronic statements, but there is no uniformity in how the statements are delivered. Sometimes I get a PDF emailed to me, but often just an email saying the bill is due, then I must log in to find the date and amount. This is too inconsistent. I am waiting for the day when I can use my banking software to download a detailed statement from a single application, and then mark it for payment.

Comment Re:News at 11 (Score 1) 553

One of the craziest rules of them all is 'you have to change your password and it cannot be one of your last x passwords', I really can't wrap my head around that one, how it should improve password security, anyone care to explain the rationale behind that?

The general principle is to make users choose and keep a new password. Forcing a password change every n days does no good if the users immediately change it back, or if they just alternate between two. Our system keeps our last 25 passwords. I once had a coworker that on password change day would loop through a list of 25 passwords, so they could reset it to their original password, in effect, never change it. They stopped once a minimum password age was set, but I think this highlights the rationale of such a policy.

Comment Re:Oh, this sounds like a good idea... (Score 1) 209

I mangled my thoughts a bit when I said an audit is not a single point in time. It is. My thinking is that auditors should be taking a "wholelistic" approach, helping the organization look into the future, and making sure their procedures will protect them to the extent possible. For example, patch your operating system regularly. I think this is what the author meant when he said an audit should "focus more on processes rather than implementation."

The article was light on details, but Merrick Bank hired auditors, Savvis, to certify that they were compliant with the CISP standard. If Savvis was negligent, as Merrick charges, and they were not compliant, then why shouldn't they be held liable? If the breach occurred via a security hole that the audit should have caught, then I say let the suit go forward.

Comment Re:Oh, this sounds like a good idea... (Score 1) 209

You are correct that malware running on the network is a serious threat. The point I was trying to make is that if an auditor certifies that your network is protected from various types of malware attacks, then they could be held liable if you are hacked in this manner.

I will admit that this is a very gray area, but if you offer your services as a network auditor, then expect to be held liable for failing to anticipate common threats. You should not just be auditing a static network at a single point in time, but also the policies and procedures for maintaining the system.

Comment Re:Oh, this sounds like a good idea... (Score 1) 209

Comparing mechanical devices like a car, that have parts that wear down to a network which is not susceptible to the same pressures is not completely fair. If my mechanic certifies that my car passes the state safety inspection (which we do have in the US) on Monday, and I suffer a catastrophic failure of one of the inspected parts on Friday, then I might have a case. In six months, I probably don't.

I see inspecting/certifying a network as being a little different. If I certify that your network meets a certain standard, protecting you from X, Y, and Z types of attacks, then barring a change to the network's configuration (thereby voiding the certification) you should always be protected. If in the future you are attacked using one of these methods, then shame on me for not being thorough. However, this does not let you off the hook for protecting yourself against new types of attacks.

Comment Re:Experience paper (Score 1) 834

I am not sure the comment was directed at the manager's long-term outlook, but rather the student's. Put differently, are you going to be better off in 10 years with a Master's degree, or two extra years of experience?

I say go to work immediately, and work on a Master's part time, then you get the best of both. You also get additional time to find a MS program that fits your career path and interests, which will make the program all the more rewarding.

Comment Re:Merit (Score 2, Insightful) 417

Secondly, since it is started and run by the Government, wouldn't this be considered a public service instead?

I find this an interesting argument. Where is the line between an essential public service, like water and electricity, and something that is less essential like an Internet connection? The electric company in my area is a non-profit electric cooperative. It was started in the 1930's to supply power to what was then a very rural area. Electricity at that time was about the same as the internet is today, can you get by without it? Yes. Is it a boost to your standard of living? Yes.

I do not think there is anything wrong with the citizens of a community getting together, through their local government, to provide a service that they want. It probably would be best if Greenlight was spun off into a separate non-profit, but I am not sure if that changes much for companies like TWC. They got beat because they (allegedly) ignored the demands of a segment of customers. I really don't blame them for ignoring these smaller communities. TWC only has so much money to spend. I probably would have made the same decision, to focus on larger markets first. The even bigger shame is that the NC legislature is seriously considering this bill.
