
Comment The impossible: DELIVERED! (Score 1) 497

I think you know what you're asking for is impossible, John. Is that your point?

Physical penetration tests can validate the presence of password lists in wallets, in desks, and in caches on workstations. I think I can say with confidence that there are no sources of metrics for what you have specifically asked.

So where are we then? No one can prove anything and therefore we can all claim to be correct? That's awful. That's also the state of the security industry; mountaintop sages and so-called best practices sold by vendors.

Your suggestion on having a little book with them is also pretty bad. It breaks the password model of being something you know to something you have.

Remember everyone, multi-factor authentication should be a combination of something you are, something you have, and/or something you know.

If everyone did as you suggest, all thieves would have to do would be to throw an admin in the back of a van. In fact, I'm surprised that we haven't been seeing more of that anyway.

Comment Password aging and complexity = lists (Score 2, Interesting) 497

If anyone gathered metrics on such practices, I would bet that for most environments, they would find that it yields the opposite effect of what is intended.

It makes strong passwords and lots and lots of password lists under keyboards, in text files, and on post-it notes.

I gave a little talk at a Toorcon event a couple years ago where I included some pictures of password lists found in the wild.

I think everyone competent knows about these things, they just choose not to say anything about it because it is a "best practice."

Comment I've been paid for it (Score 1) 735

As a consultant, I was paid quite a lot for being available on an on-call basis; several thousand a month.

I also didn't have to do much when things happened. I would join a call, establish that it was not my problem, and then drop off.

If you're deeply concerned for your jobs, get better at your jobs and leave your bad gigs. Retention and performance problems should correct this problem of thinking that management assholes can get people to work for free. They would never work without compensation. Why should people who are smarter than them?

Censorship

Submission + - Adobe uses DMCA on protocol it promised to open

An anonymous reader writes: Despite promising in January to open RTMP, Adobe has apparently issued a DMCA takedown request for an open source implementation of RTMP. The former SourceForge project page of rtmpdump now reports "Invalid Project". rtmpdump has been used in tools such as get_iplayer and get-flash-videos. Adobe is no stranger to the DMCA, having previously used it against Dmitry Sklyarov.
