
Comment Re:Capabilities (Score 1) 65

My impression of these 'capabilities' protections is that they are not nearly specific enough to be of much use in practice.

I download a cloud contact sync program and it asks for permission to connect to the internet, and permission to scan my contacts.

So then it sends my contacts to a 3rd party spam outfit.

It asks for the ability to send/read sms because it has a feature to send contacts to other app users via sms. Cool.

So it sends copies of all my sms messages to a 3rd party. And sends sms advertising spam from my phone.

It's a fundamentally broken idea in my opinion.

Comment Re:Some owners allegedly can't be trusted (Score 1) 65

Several fans of game consoles and Apple consumer electronics would claim that some individual hardware owners can't be trusted not to disable security to see dancing animals, and that taking control away from them is for their own good.

I'm sure you would even agree that this is true for some individual hardware owners, perhaps even most of them.

But the solution is not to take it away from them per se, but rather to easily enable them to delegate it to a 3rd party they trust.

The problem with, say, Apple, is that it asserts it is that trusted 3rd party and gives users no reasonable way to take control back from Apple and either exercise their own security or delegate to a different 3rd party -they- do trust.

Contrast that with antivirus software, for example. We select it, install it, and put some faith in its ability to identify malware while trusting it not to exceed that mandate. If it sees an infected file come in, it quarantines it. The 'unsophisticated user' typically accepts the antivirus company's assessment of the file and moves on. Few will challenge the antivirus software and seek to disable it and restore the file from quarantine.

However, if the antivirus software were to start blocking things it really has no business blocking and which don't represent what the customers want from it, they are free to uninstall it and switch to something else.

I can't recall what my brother was using, but one day a few months ago it up and blocked him from going to The Pirate Bay. He uninstalled it and uses something else now. This is pretty much ideal... we have established a norm that one should have antivirus, but it is ultimately up to us, and we can change antivirus providers at will.

The reason viruses are such a problem is that blacklisting simply can't work, and "detecting malicious activity" is HARD. A whitelisting approach would in some environments be a lot more effective. And I've seen it deployed in practice with excellent results in corporate environments.

Comment Re:Serves them right (Score 4, Insightful) 65

I hate fuckers who make software designed to prevent computer users from using their computer.

What they are developing is really not fundamentally different from something like SELinux.

DRM is only evil because someone who is not the computer owner is unilaterally dictating what you can do with it.

Secure Boot, SELinux, and this stuff from Bit9 are all tools that enable the owner of the computer to dictate what software is allowed to run on it.

Why shouldn't the owner decide that Flash shall not have access to the internet? Or that Flash shall not run. Period.

The only time any of this is evil is when the owner isn't in control.

Comment Re:I Got It! (Score 1) 538

Add some spaces in there first of all, then throw in some punctuation, preferably bad punctuation and grammar.

In other words: take a very easy to remember password and cram it full of junk that makes it just as hard to remember as a classical password.

If you want more security than is offered by 4 words, use more words. The security gained by mangling the words with misspellings and symbols is no better than simply adding another word or two. And adding words is easier than remembering where you jammed symbols in, which words were capitalized, which were misspelled and precisely how you misspelled them, etc.

That said, I agree that using a larger dictionary is good. Throw in urbandictionary.com and brand names and place names.

Then once you've had a randomized password generated from all that, sure, if you know French or Portuguese or Dutch or whatever, throw in a foreign word as well. If you're a mathematician or doctor or whatever, throw in a formula or other domain jargon that you'll find easy to remember.

Comment Re:I Got It! (Score 1) 538

Yes, IF it is RANDOMLY chosen from a DICTIONARY

By dictionary I postulate an electronic edition of a dictionary with the ability to spit out random words.

In fact, most dictionary websites already have the ability to do this, but I have no idea how truly random the randomizer is.

But one can easily imagine that it would not be difficult for them to create a suitable, properly randomized passphrase generator if they were so inclined.

If I ask somebody for four random words it is unlikely they'll consult a dictionary, and it is also unlikely that they'll do anything involving true randomness. That means that the set of possible words being selected from is less than the entire English vocabulary, and some words are more likely to be chosen than others.

This is true, but it's also true of 'traditional' passwords. Unless they use a password generator they aren't likely to be generating particularly 'randomized' passwords either.

And if we allow for them to be using a password generator then we can allow for the passphrase users to use a suitably randomized one as well.

Comment Re:Try NewEgg (Score 1) 570

Mine's an early 2010 MBP, 13". Upgraded CPU and RAM; it's got whatever Nvidia solution was available for it. Although the 13" was a bit weaker performance-wise than the larger ones to start with. But I value the portability and knew that going in.

Even so, it rarely heats up in regular OSX at all, except when running games.

But the fans kick on pretty much as soon as I start a VM.

It's not bad if I'm at a desk, with an external keyboard / mouse etc. The performance is acceptable. The fan noise isn't excessive. But I bought the 13" portable to be portable, so the heat and battery life issues are a real problem -- it gets uncomfortably hot to have on my lap, and enough heat is radiating upwards that even the trackpad gets just warm enough to be noticeable and mildly uncomfortable.

"steaming pile of crap" might be an overstatement; but I envisioned myself being able to fiddle around in Linux while on the couch and it's just not quite acceptable for that. Or to have Win7 idling in the background so I can check things with various Windows browsers ... and I can do that, I just don't leave Windows idling between doing it.

Comment Re:I Got It! (Score 1) 538

If you don't know what kind of a password someone uses,

That's an assumption we hadn't agreed on in advance. :)

There are many scenarios where you know what form someone's password takes. And there are many different password strategies, so even if you don't know an individual's strategy, trying common / probable ones first vs. just treating it as a mindless brute force attack does work better on average.

Bottom line: most people don't use randomly generated strings. So working based on strategies is productive.

Never mind that when doing exhaustive searches, keeping track of all those special cases you might have tried, at some point will slow you down a lot. There's a point where the memory bandwidth demands for keeping track start exceeding any gains from limiting your search space. Trees quickly start suffering from cache locality issues :)

This is a fair point but there are strategies to address it. The simplest is to just allow yourself to retry passwords you already tried without worrying about it on later less specialized passes. If you can get more passwords faster it may be a fair trade off that the worst case running time is increased.

It also depends on the situation. Hackers attacking a stolen database won't be doing an exhaustive search anyway... rarely do they need to get into someone's particular account; rather they just want to get into anyone's account, or as many accounts as possible.

Throwing a botnet to work trying a million passwords at each of a million accounts will yield much more fruit than throwing that botnet towards trying a trillion passwords on one account... and possibly still not be anywhere near cracking it.

Comment Re:I Got It! (Score 1) 538

Nope. Mangling it with symbols moves it into the symbol-by-symbol exhaustive search category

Nope. Mangling it with symbols is just mangling it with symbols.

Words + symbols does not transform the words into symbols.

Sure you assume that symbol frequencies are shaped in a certain way, so you can still do a tad better than fully exhaustive search where you start with all zeroes and go up, but it's really no worse than a similarly long bunch of random symbols with a certain distribution of individual symbols and maybe symbol pairs.

If you run the math on that claim that shaping symbol frequencies (and orderings) to put "words" ahead in the search you will find that the "tad better" is exactly the amount better that you'd get if you just considered it to be words + symbols in the first place.

When you are brute force searching spaces that big and accounting for letter arrangements, then something even like:

p!a$s%s~w*o$r#d

will fall out LONG before a truly random string.
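As an added example (not from any of the posts above), the entropy arithmetic behind the "I Got It!" comments: a passphrase generator that picks words uniformly with a CSPRNG, plus entropy estimates for N random words, for a single word with a symbol jammed into every gap (the p!a$s%s~w*o$r#d pattern, searched by an attacker who models that strategy), and for a truly random string of the same length. The word list, dictionary size and symbol set are constructed assumptions.

```python
import math
import secrets
import string

# Constructed stand-in for a dictionary; a real list such as Diceware has 7776 entries.
WORDS = ["correct", "horse", "battery", "staple", "mountain", "river",
         "pencil", "coffee", "window", "planet", "guitar", "silver"]
DICT_SIZE = 7776                 # assumed size of the full list, which the attacker also has
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?/~"   # assumed 27-symbol set used for mangling
PRINTABLE = string.printable.strip()      # 94 printable ASCII characters, whitespace removed

def bits(choices, slots=1):
    """Entropy in bits of `slots` independent uniform picks from `choices` options."""
    return slots * math.log2(choices)

def random_passphrase(n_words, word_list=WORDS):
    """Pick words with the secrets CSPRNG; random.choice uses a non-cryptographic PRNG."""
    return " ".join(secrets.choice(word_list) for _ in range(n_words))

def word_passphrase_bits(n_words, dict_size=DICT_SIZE):
    """N words drawn uniformly from the dictionary: the search space is dict_size**n_words."""
    return bits(dict_size, n_words)

def mangled_word_bits(word_len, dict_size=DICT_SIZE, symbol_set=SYMBOLS):
    """One dictionary word with a symbol in every gap between letters (p!a$s%s~w*o$r#d).
    An attacker who models the strategy searches word x symbol-per-gap, not random strings."""
    gaps = word_len - 1
    return bits(dict_size) + bits(len(symbol_set), gaps)

def random_string_bits(length, alphabet=PRINTABLE):
    """Uniformly random printable string of the given length, for comparison."""
    return bits(len(alphabet), length)

def compare(word_len=8):
    """Bits for 4 words, 5 words, one mangled word, and a random string as long as that word."""
    mangled_len = word_len + (word_len - 1)   # letters plus one symbol per gap
    return {
        "4 words": word_passphrase_bits(4),
        "5 words": word_passphrase_bits(5),
        "mangled word": mangled_word_bits(word_len),
        "random string": random_string_bits(mangled_len),
    }

if __name__ == "__main__":
    print(random_passphrase(4))
    for name, value in compare().items():
        print(f"{name:14s} {value:5.1f} bits")
```

With these assumptions an 8-letter word stuffed with 7 symbols scores below 4 plain random words, and a 15-character random string scores well above 5 words, which is the ordering the comments argue about.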

Comment Re:Try NewEgg (Score 1) 570

I have that, well Parallels instead of VMware, but same difference.

Honestly, it is not the best of both worlds, it's a steaming pile of crap. The Windows 7 VM runs ok, as does Linux, not awesome just ok.

Meanwhile the laptop heats up, the fans come on, and the battery drains while you watch, just having a VM open idling, never mind really doing anything in it.

I've switched to using RDP back to my Windows desktop PC for most of my Windows needs. Runs well, and the MacBook doesn't melt from trying to pretend it's a workstation instead of a little power-efficient laptop.

All that said, seriously, I'd just get Windows 8. Spend half an hour or so configuring it properly ... e.g. map .jpg to use the desktop picture viewer instead of the Metro app etc. Clean all the crap out of the start screen and really there is no big deal about 8.

Comment Re:I Got It! (Score 4, Insightful) 538

An NFC enabled phone would be ideal. Store passwords on the phone.

Meanwhile police around the country are facing an epidemic of cell phone thefts.

everything is stored in one place that you always have access to.

Well, you have access to it unless it was stolen.

Or you dropped it and now it's broken.
Or the battery is dead.
Or ...

Comment Re:I Got It! (Score 1) 538

Wouldn't some deliberate misspellings be sufficient for most of us? Such as "stapple" above? Try "Korrekt", and/or "batery".

Deliberate misspellings are great; in the sense that they dramatically increase the dictionary size.

But then you have to remember the specific misspellings you made. And the attacker would simply compensate by including all the common misspellings, leetspeak, lolcat spelling, etc. in his attack dictionary:

so instead of just password:
he'll also try p4assw0rd, p455w0rd, ... passwerd, passwurd...

This adds complexity and therefore adds security, but it's harder to remember exactly what leetspeak or whatever you applied and exactly how you applied it than it is to just add another word or two.

As always, if you want more security it's generally easier to just add more words.

I don't know how password crackers work, but aren't they going to give up after hitting my bank account more than a few dozen/hundred tries, and move on to the next?

Typically they find a weakly protected password database online somewhere, some random blog or forum or maybe something a little higher profile like the PlayStation Network ... , they download it, and then attack it directly, allowing them to try millions, even billions of attacks on all and any accounts in it using clusters of computers, GPUs, and whatever else they have at their disposal for parallel computing.

Then once they find a password; they'll take that and the user name / email address and shotgun it into any other site they can find to see if it works there too. Did you use the same password for Playstation as you did for your bank? Ooops. They're in.

If you were clever and did something like my psn password is psn_whatever then that's a bit of a defense, but if they happen to notice they'll just fix it up... psn_xyz is for PSN... so try bmo_xyz for Bank of Montreal, hsbc_xyz for HSBC...

The point is they rarely actually hit the bank's online web portal more than a few times. The big attacks take place offline on stolen databases.
