I'm a supporter of OpenID. It disperses the eggs into multiple baskets, forcing an attacker to attack multiple sites.
Plus, it adds some ability to pack one's own parachute. I could keep all my OpenID stuff on a co-located box that is heavily secured, and know exactly what measures are in place, as opposed to taking someone's word that something is secure.
I think the only real answer to this is decentralization, and OpenID, or an OpenID system. This way, I don't just have multiple choices of whom can authenticate accounts, I can have multiple IDs, each distinct from each other.
Banks would get one ID. The gaming websites, another, etc.
This also might allow real security-minded people to set up decently secure sites for authentication, and since people's IDs would not just be at one site, an attacker would have to target multiple sites in order for returns.
Oftentimes, SSO usually means Facebook. There, it violates the TOS to have more than one account per person or personality.
The ideal would be OpenID because anyone can be a provider, and someone might be able to offer "real" security. Even if it is a guy with a BSD box that used OPIE or S/Key, using that for one time passwords, that would provide almost as good security as most two factor schemes, assuming the initial setup using the key command was not intercepted or or tampered with.
Using a SMS message to a cellphone is better than nothing. Generally if a remote cracker gets access to passwords, they generally won't have the ability to intercept those.
Of all the two factor authentication mechanisms, Google has theirs done pretty well with not just the ability to call a backup number, but handing you a few one use codes to stash aside in case of emergency.
The only system I can think of that would not be bad for a single sign-on would be something client certificate based, where the program that used your cert would prompt for access. Even then, it better support different certificates for different sites, so not every site is linked to one key.
I wouldn't mind seeing something that functioned like SecurID, except used public/private keys. That way, I could copy the key to a keyfob so I can use it for offline challenge/responses, as well as use my smartphone. If I were on a computer I trust, the client cert daemon would prompt if the site deserves a response and to hand them one from what key I used to authenticate.
Not too difficult to code, but because it is a fairly open system, not many hardware vendors would want to do it.
Trick to that is to have a flip-flop hub. Single speed for the hills, fixie for the flats.
Fixies have one nice thing going for them -- most bike thieves assume there will be a ratchet and pawl system... and when there isn't, they tend not to go far, especially if the bike is sans brakes (which is unsafe, but fairly common.)
One thing about the current connector Apple uses is that it doesn't just provide pins, it provides a structural element, allowing devices to plug in standing up. Without this, it will be a pain at least for a docking station to be built, especially ones that are engineered to support iPhones, iPods, and iPads, all of differing widths, heights, and thicknesses, but all sporting the same connector.
I hope this isn't the case, since it means that the whole accessory market, from the docking station that is a part of a new motorhome to the one that is built into a home theater system, to the dock that is part of a construction grade battery charger are all useless.
The only thing keeping iOS apps from being pirated is the "jail" system. JB an iPhone, slap on a certain app [1] via adding a shady repo to Cydia, and start leeching.
Android is not built with just keeping people away from root as the single source of protection. Apps have the LVL functions to check if they are legit or not. In Jelly Bean, apps are encrypted per device and mounted via a loopback filesystem on the fly.
The reason why iOS apps have a less pirate rate is because in some countries where piracy is rampant, Android is available on the inexpensive devices. Where piracy goes, malware goes, so that is why we heard about malware running loose in Asian markets before it ever reared its head on US or European shores. iOS tends to be on more expensive phones [2], so generally people who can afford the phone can generally afford apps.
All and all, it isn't the OS that is the issue here. Android has a more robust security mechanism than iOS. However, Apple does a lot of work in being the gatekeeper, and ensuring their walls are high and stay high (especially with the fact that on newer iDevices that one can't save SHSH blobs on, all jailbreaks can be just one restore away from being gone and gone for good until a new one is made after Apple does an iOS update.)
[1]: The Dev Team and most people who use JB functionality abhor the pirates, because there are a lot of legit uses for a jailbroken device and pirating attacks the JB ecosystem as a whole. If they could block the pirate apps, they would, but there will be someone who would "jailbreak the jailbreak", so it would be pointless.
[2]: Expensive on a world basis. Just taking price comparisons in the US is different because in a lot of places, phones are not subsidized, so the user has to pay the entire cost. That is why the low end Huwei and ZTE phones are extremely popular.
If I were storing stuff for a long time, I would consider using an airtight sealed case, oxygen absorber and a dessicant, making sure that if any liquid came out, it could not touch the protected device. I would separate out items just to be safe.
Some items, like SD media, I'd also consider using anti-static packaging just for peace of mind as well.
This in itself is pure stupidity. You can buy USB flash drives with hardware AES encryption on the cheap. Even the more expensive drives that are physically tamper resistant like the IronKey are not that pricy.
As for software locking, BitLocker comes with Windows 7, and TrueCrypt is available at no charge.
There is no excuse for unencrypted USB drives, none.
I'd rather have children that ask, "why?" as opposed to just asking "how high" when someone commands them to jump.
There are a lot of things out there pretending to be authorities, when in reality, they are at best propaganda machines, at worst scam artists. Giving kids a sophisticated bullshit detector is crucial if they are to succeed in today's world.
Businesses will switch when IPv4 addresses get so expensive that there is no other option, and the ugly hack on ugly hack to maximize the use for them gets to a point where it isn't worth doing.
Call me crazy, but NAT, ugly as it is, may still be a useful tool. It isolates the internal fabric, so that regardless of what the external routers are talking to, packets get out. Does it improve security? NAT by itself doesn't, but that is what SPF, a good IDS/IPS, and proper segmenting is for.
IPv6 has been around for a long time now. You can't buy an IPv4 only device pretty much, as almost anything that has Net capabilities has at least a dual stack.
I'd check the locksport sites. Medeco locks are pickable, but take a lot more time than the average five cylinder bump special on most doors.
So far, the lock most resistant to picking I know of (provably) is the Abloy PROTEC, which takes a top tier locksport person about 12 hours to get. If the best in the biz takes 12 hours on a cylinder, that is good enough.
As for handcuffs, there are some makers (Peerless and BOA) that use Medeco locks. With those, all bets are off when it comes to keys, as they can come keyed alike, keyed different, master keyed, etc. Where these are mainly used is dealing with high security transports, or transporting someone on a plane where someone nearby might try to toss the prisoner a generic key. There are two types of Medeco cylinders, and the ones on these handcuffs are the type that is impossible to bump (the upper and lower pins are both in the plug, and it uses a sidebar, so there is no easily accessible shear line.)
As for handcuffs, if one looks at Yossie's collection or other sites, there have been tons of keys out there, and there have been tons of handcuff models as well that have been touted to be escape proof. The reason we are still using the old swing-throughs is not security, it is because they are inexpensive to use and that keys are easily available. They are not intended for anything more than a temporary restraining.
If I were buying cuffs for an entire department with unique keys, I'd probably go for "Gotcha" cuffs as the best compromise. Those come keyed individually to each department, and the spring mechanism is stiff enough to tear up plastic keys. They are nowhere near as secure as the Medeco BOAs, but good enough to keep people from getting out if they had a key on their person.
I can see using RelayRides for a ratty subcompact car whose only purpose is to be a backup vehicle, or for something to drive downtown that it doesn't matter if it gets hit by car doors, vandalized, broken into, or set on fire. At least the vehicle can perhaps pay for itself.
It would not have much value when selling though. I'm sure Carfax or other places will note the vehicle has been used as a rental, and this will disastrously impact the thing's resale value.
The only way I see to get around this is to liquify the air and pour it in, similar to how LNG and LP gas is processed for storage. I doubt the liquid would last very long, but if this is done, there will be significantly more energy able to be stored because of both the temperature and pressure difference, as well as the phase change which happens at 330 bars/5000 psi at 68 degrees (F).
This isn't to say LastPass is bad. I just prefer to "pack my own parachute" and use clientside encryption.
In theory (and this is pure conjecture, mind you), a cloud provider with a dedicated client can push a single update to a person with modified code that would log the key when typed in and send it up. Then another code push would wipe the evidence.
Say we have a cloud provider. I can't think of a good name, so will use $PROVIDER. $PROVIDER offers a service where users can store data as backups similar to Mozy or Carbonite. $PROVIDER's client uses a key only stored on the user's machine for encrypting files before they sre sent up. Sounds well and good because no cleartext ever is stored on the cloud provider's servers.
Later on, someone who doesn't like a user pays $PROVIDER some cash in return for some files that would get "accidently" divulged. $PROVIDER pushes out a simple update quietly to that single user. The update grabs the key stored, be it a keyfile or typed in text, and uploads it. Then the code removes itself.
It is highly unlikely in the real world, but it can happen. It tends to be harder to make multiple entities collude than it is to demand one organization do a small and likely undetectable code modification.
Authentication != encryption. A place can require a lot of passwords and other things before allowing access, but that means nothing if an intruder can snarf the backend database and dump it.
Two factor encryption is very useful. TrueCrypt supports keyfiles which are XOR-ed with the user's passphrase. No keyfile? No way to figure out the passphrase that unlocks a container.
Another implementation can be public/private keys where the master key is encrypted to list of public keys, which the OpenPGP format is for. This way, device A's key can unlock and modify data, as well as device B which has a different public key. All of this can be done with the backend seeing nothing but encrypted data. Of course, there are some attacks that can be done via traffic analysis.
Multifactor authentication is useful. However, for storing very sensitive data like passwords, multifactor encryption is critical, especially if the backend is remote.
Maybe PC makers should start adding features home [1] users want/need:
1: Lots and lots of USB ports, on multiple USB buses. There are so many USB gadgets these days that the average 4-8 ports isn't enough.
2: Some standard for removable drives. HP sort of had this with the Pocket Media drives. Couple this with some decent backup software. That way, a user can unbox the drive, jam it in a slot, and let the backup software do the rest.
3: A beefier power supply to handle the USB stuff.
4: A read-only flash drive on the motherboard which has an OS image and recovery tools. This way, even if the HDD is replaced, the machine can boot to something and have some sort of OS available for the user. The key for this feature, is to have it be read-only, so that malware or other stuff cannot mess with it. If it has to be updated, have it be by a BIOS application. There have been so many times which the user has lost the CDs (if a Dell), or never made them (if a HP), which essentially forces them to re-purchase the OS. Having the OS permanently on the computer at least will get them up and running in some shape or form.
5: A hardware firewall NIC. Some older HPs had technology by nVidia which could allow the NIC to do the packet filtering, regardless of the OS. This was problematic, but it would be nice to see this revisited. Maybe even with full CNA functionality so a machine can be hooked up to a server, and use FCoE.
6: A built in hypervisor with automatic snapshot functionality. This way, even if the OS is compromised, the user can roll back the machine to before they got hit. This might even do for backups if snapshots can be saved off to disk.
7: Built in 3G/4G/LTE radio that the user can turn on. This way, a desktop machine could be anywhere and still have Internet access without needing tethering in any form. It also would allow for functionality like being able track or erase the machine from remote.
8: A way to lock the case other than the Kensington locks. I miss the heavy cases of yore which had a sturdy Medeco lock on them, as well as the ability to be chained down (not just cabled with a little "anti-theft" item.) Physical security isn't something to be ignored.
9: HP's low end desktops are really netbooks in a different form factor. Instead of a PSU, it has a power brick and a cable that plugs into the motherboard. Why not go all the way, and have a removable battery? This way, a user doesn't have to worry about a UPS.
10: Most importantly, have decent customer support. For consumers, the only game in town for decent CS is Apple. HP and Dell offer good CS if you go for the business line PCs and their upgraded support contracts, but the consumer level support isn't regarded very highly.
[1]: Home, as in the archetype who browses the Net, pays bills, maybe fires up a game or two. They don't care about replacing a video card, but just having everything working.
That is exactly my suggestion, although I'd not bother with Good and just use Nitrodesk's Touchdown.
This allows IT to keep all their Exchange data separated from the data of the phone. This also benefits the user because a remote wipe only will destroy that app's data, and not erase the phone.
Touchdown is not perfect -- it has some user interface quirks, and only works with one Exchange account, but it does a decent job.
Another good Exchange program is RoadSync. I use this so I can get functionality that I don't get with the Android OS, such as flagging messages, setting tasks, etc.
To boot, with all the information floating around, it is easy to do a targeted attack. I'm sure GPS info can be obtained to track where someone goes in a day. Combine that with some criminal element in a local area doing the HUMINT (or just basic thuggery), and things can get pretty scary.
What I would like to see is a service similar to LastPass except that every device, be it a computer, smartphone, tablet, or embedded PDA dedicated for authentication would have a public/private key. Then, the database would be stashed/synced in a format like OpenPGP where each key can open the database. That way, if the server storing it is compromised, the data is still encrypted until they get their hands on one of the people's devices and get access to that. Then figure out what the password is. Of course, there is always the issue of recovering access if all devices having keys to it are erased/lost/destroyed.
What might be ideal would be a way for an front end to Lastpass to be able to communicate a keyfile to other devices. So, one can have a local keyfile stashed on their workstation, a keyfile on their mobile device, and one on their tablet.
This in combination with a password would make unauthorized access to a Lastpass database pointless. Unless the attacker is able to get at people's devices, they won't be able to get the keyfile, and without that, brute forcing the password is pointless.
I do this with TC and Dropbox, so even if someone gets access to containers stored there, there is no way to get access by just guessing passwords.
Smith is playing with fire though. Right now, there is a fight on who gets to control the Internet. Will it be the US and ICANN, or will it be an international body from the UN (mainly chaired by BRIC) who gets to say who gets an IP address and who doesn't?
It would be nice to have a parameter that would allow/deny USB device requests on what port they are plugged into. That way, I can have a USB card where if a device doesn't register as a mass storage device, it doesn't register at all, while the ports on the machine itself will allow keyboards, mice, etc. to connect normally.
Another idea would be allowing devices to be "paired", where for the OS to officially recognize a keyboard or mouse, it would pop up a dialog asking the user to type in an 8 digit code, or click "ignore" if the message is in error. Similar with a mouse and clicking a short sequence of buttons with the just inserted device. That way, a device posing as a HID that shouldn't be one will be detected quite easily.
USB sticks can present themselves to the computer as more than just removable hard disks. I've seen some that will act as keyboards and when plugged into Windows, will automatically try to type things in.
If the USB device can present itself as the right item, it can potentially do more damage than "just" a drive or filesystem with malware on it.
It all depends on what security features are called "weak". On one hand, the device has full disk encryption, supports Exchange policies and profiles and Apple even has a tool to add additional protection.
One can argue this a lot. However, given the choice between SSL/TLS or depending on BES/BIS, I'll take the former any day of the week.
Slashdot Mirror
I'm a supporter of OpenID. It disperses the eggs into multiple baskets, forcing an attacker to attack multiple sites.
Plus, it adds some ability to pack one's own parachute. I could keep all my OpenID stuff on a co-located box that is heavily secured, and know exactly what measures are in place, as opposed to taking someone's word that something is secure.
I think the only real answer to this is decentralization, and OpenID, or an OpenID system. This way, I don't just have multiple choices of whom can authenticate accounts, I can have multiple IDs, each distinct from each other.
Banks would get one ID. The gaming websites, another, etc.
This also might allow real security-minded people to set up decently secure sites for authentication, and since people's IDs would not just be at one site, an attacker would have to target multiple sites in order for returns.
Oftentimes, SSO usually means Facebook. There, it violates the TOS to have more than one account per person or personality.
The ideal would be OpenID because anyone can be a provider, and someone might be able to offer "real" security. Even if it is a guy with a BSD box that used OPIE or S/Key, using that for one time passwords, that would provide almost as good security as most two factor schemes, assuming the initial setup using the key command was not intercepted or or tampered with.
Using a SMS message to a cellphone is better than nothing. Generally if a remote cracker gets access to passwords, they generally won't have the ability to intercept those.
Of all the two factor authentication mechanisms, Google has theirs done pretty well with not just the ability to call a backup number, but handing you a few one use codes to stash aside in case of emergency.
One phrase: Single point of failure.
The only system I can think of that would not be bad for a single sign-on would be something client certificate based, where the program that used your cert would prompt for access. Even then, it better support different certificates for different sites, so not every site is linked to one key.
I wouldn't mind seeing something that functioned like SecurID, except used public/private keys. That way, I could copy the key to a keyfob so I can use it for offline challenge/responses, as well as use my smartphone. If I were on a computer I trust, the client cert daemon would prompt if the site deserves a response and to hand them one from what key I used to authenticate.
Not too difficult to code, but because it is a fairly open system, not many hardware vendors would want to do it.
Trick to that is to have a flip-flop hub. Single speed for the hills, fixie for the flats.
Fixies have one nice thing going for them -- most bike thieves assume there will be a ratchet and pawl system... and when there isn't, they tend not to go far, especially if the bike is sans brakes (which is unsafe, but fairly common.)
One thing about the current connector Apple uses is that it doesn't just provide pins, it provides a structural element, allowing devices to plug in standing up. Without this, it will be a pain at least for a docking station to be built, especially ones that are engineered to support iPhones, iPods, and iPads, all of differing widths, heights, and thicknesses, but all sporting the same connector.
I hope this isn't the case, since it means that the whole accessory market, from the docking station that is a part of a new motorhome to the one that is built into a home theater system, to the dock that is part of a construction grade battery charger are all useless.
The only thing keeping iOS apps from being pirated is the "jail" system. JB an iPhone, slap on a certain app [1] via adding a shady repo to Cydia, and start leeching.
Android is not built with just keeping people away from root as the single source of protection. Apps have the LVL functions to check if they are legit or not. In Jelly Bean, apps are encrypted per device and mounted via a loopback filesystem on the fly.
The reason why iOS apps have a less pirate rate is because in some countries where piracy is rampant, Android is available on the inexpensive devices. Where piracy goes, malware goes, so that is why we heard about malware running loose in Asian markets before it ever reared its head on US or European shores. iOS tends to be on more expensive phones [2], so generally people who can afford the phone can generally afford apps.
All and all, it isn't the OS that is the issue here. Android has a more robust security mechanism than iOS. However, Apple does a lot of work in being the gatekeeper, and ensuring their walls are high and stay high (especially with the fact that on newer iDevices that one can't save SHSH blobs on, all jailbreaks can be just one restore away from being gone and gone for good until a new one is made after Apple does an iOS update.)
[1]: The Dev Team and most people who use JB functionality abhor the pirates, because there are a lot of legit uses for a jailbroken device and pirating attacks the JB ecosystem as a whole. If they could block the pirate apps, they would, but there will be someone who would "jailbreak the jailbreak", so it would be pointless.
[2]: Expensive on a world basis. Just taking price comparisons in the US is different because in a lot of places, phones are not subsidized, so the user has to pay the entire cost. That is why the low end Huwei and ZTE phones are extremely popular.
If I were storing stuff for a long time, I would consider using an airtight sealed case, oxygen absorber and a dessicant, making sure that if any liquid came out, it could not touch the protected device. I would separate out items just to be safe.
Some items, like SD media, I'd also consider using anti-static packaging just for peace of mind as well.
From the TFA, the USB stick was not encrypted.
This in itself is pure stupidity. You can buy USB flash drives with hardware AES encryption on the cheap. Even the more expensive drives that are physically tamper resistant like the IronKey are not that pricy.
As for software locking, BitLocker comes with Windows 7, and TrueCrypt is available at no charge.
There is no excuse for unencrypted USB drives, none.
I'd rather have children that ask, "why?" as opposed to just asking "how high" when someone commands them to jump.
There are a lot of things out there pretending to be authorities, when in reality, they are at best propaganda machines, at worst scam artists. Giving kids a sophisticated bullshit detector is crucial if they are to succeed in today's world.
This applies to so many facets of life.
Businesses will switch when IPv4 addresses get so expensive that there is no other option, and the ugly hack on ugly hack to maximize the use for them gets to a point where it isn't worth doing.
Call me crazy, but NAT, ugly as it is, may still be a useful tool. It isolates the internal fabric, so that regardless of what the external routers are talking to, packets get out. Does it improve security? NAT by itself doesn't, but that is what SPF, a good IDS/IPS, and proper segmenting is for.
IPv6 has been around for a long time now. You can't buy an IPv4 only device pretty much, as almost anything that has Net capabilities has at least a dual stack.
I'd check the locksport sites. Medeco locks are pickable, but take a lot more time than the average five cylinder bump special on most doors.
So far, the lock most resistant to picking I know of (provably) is the Abloy PROTEC, which takes a top tier locksport person about 12 hours to get. If the best in the biz takes 12 hours on a cylinder, that is good enough.
As for handcuffs, there are some makers (Peerless and BOA) that use Medeco locks. With those, all bets are off when it comes to keys, as they can come keyed alike, keyed different, master keyed, etc. Where these are mainly used is dealing with high security transports, or transporting someone on a plane where someone nearby might try to toss the prisoner a generic key. There are two types of Medeco cylinders, and the ones on these handcuffs are the type that is impossible to bump (the upper and lower pins are both in the plug, and it uses a sidebar, so there is no easily accessible shear line.)
As for handcuffs, if one looks at Yossie's collection or other sites, there have been tons of keys out there, and there have been tons of handcuff models as well that have been touted to be escape proof. The reason we are still using the old swing-throughs is not security, it is because they are inexpensive to use and that keys are easily available. They are not intended for anything more than a temporary restraining.
If I were buying cuffs for an entire department with unique keys, I'd probably go for "Gotcha" cuffs as the best compromise. Those come keyed individually to each department, and the spring mechanism is stiff enough to tear up plastic keys. They are nowhere near as secure as the Medeco BOAs, but good enough to keep people from getting out if they had a key on their person.
I can see using RelayRides for a ratty subcompact car whose only purpose is to be a backup vehicle, or for something to drive downtown that it doesn't matter if it gets hit by car doors, vandalized, broken into, or set on fire. At least the vehicle can perhaps pay for itself.
It would not have much value when selling though. I'm sure Carfax or other places will note the vehicle has been used as a rental, and this will disastrously impact the thing's resale value.
The only way I see to get around this is to liquify the air and pour it in, similar to how LNG and LP gas is processed for storage. I doubt the liquid would last very long, but if this is done, there will be significantly more energy able to be stored because of both the temperature and pressure difference, as well as the phase change which happens at 330 bars/5000 psi at 68 degrees (F).
This isn't to say LastPass is bad. I just prefer to "pack my own parachute" and use clientside encryption.
In theory (and this is pure conjecture, mind you), a cloud provider with a dedicated client can push a single update to a person with modified code that would log the key when typed in and send it up. Then another code push would wipe the evidence.
Say we have a cloud provider. I can't think of a good name, so will use $PROVIDER. $PROVIDER offers a service where users can store data as backups similar to Mozy or Carbonite. $PROVIDER's client uses a key only stored on the user's machine for encrypting files before they sre sent up. Sounds well and good because no cleartext ever is stored on the cloud provider's servers.
Later on, someone who doesn't like a user pays $PROVIDER some cash in return for some files that would get "accidently" divulged. $PROVIDER pushes out a simple update quietly to that single user. The update grabs the key stored, be it a keyfile or typed in text, and uploads it. Then the code removes itself.
It is highly unlikely in the real world, but it can happen. It tends to be harder to make multiple entities collude than it is to demand one organization do a small and likely undetectable code modification.
Authentication != encryption. A place can require a lot of passwords and other things before allowing access, but that means nothing if an intruder can snarf the backend database and dump it.
Two factor encryption is very useful. TrueCrypt supports keyfiles which are XOR-ed with the user's passphrase. No keyfile? No way to figure out the passphrase that unlocks a container.
Another implementation can be public/private keys where the master key is encrypted to list of public keys, which the OpenPGP format is for. This way, device A's key can unlock and modify data, as well as device B which has a different public key. All of this can be done with the backend seeing nothing but encrypted data. Of course, there are some attacks that can be done via traffic analysis.
Multifactor authentication is useful. However, for storing very sensitive data like passwords, multifactor encryption is critical, especially if the backend is remote.
Maybe PC makers should start adding features home [1] users want/need:
1: Lots and lots of USB ports, on multiple USB buses. There are so many USB gadgets these days that the average 4-8 ports isn't enough.
2: Some standard for removable drives. HP sort of had this with the Pocket Media drives. Couple this with some decent backup software. That way, a user can unbox the drive, jam it in a slot, and let the backup software do the rest.
3: A beefier power supply to handle the USB stuff.
4: A read-only flash drive on the motherboard which has an OS image and recovery tools. This way, even if the HDD is replaced, the machine can boot to something and have some sort of OS available for the user. The key for this feature, is to have it be read-only, so that malware or other stuff cannot mess with it. If it has to be updated, have it be by a BIOS application. There have been so many times which the user has lost the CDs (if a Dell), or never made them (if a HP), which essentially forces them to re-purchase the OS. Having the OS permanently on the computer at least will get them up and running in some shape or form.
5: A hardware firewall NIC. Some older HPs had technology by nVidia which could allow the NIC to do the packet filtering, regardless of the OS. This was problematic, but it would be nice to see this revisited. Maybe even with full CNA functionality so a machine can be hooked up to a server, and use FCoE.
6: A built in hypervisor with automatic snapshot functionality. This way, even if the OS is compromised, the user can roll back the machine to before they got hit. This might even do for backups if snapshots can be saved off to disk.
7: Built in 3G/4G/LTE radio that the user can turn on. This way, a desktop machine could be anywhere and still have Internet access without needing tethering in any form. It also would allow for functionality like being able track or erase the machine from remote.
8: A way to lock the case other than the Kensington locks. I miss the heavy cases of yore which had a sturdy Medeco lock on them, as well as the ability to be chained down (not just cabled with a little "anti-theft" item.) Physical security isn't something to be ignored.
9: HP's low end desktops are really netbooks in a different form factor. Instead of a PSU, it has a power brick and a cable that plugs into the motherboard. Why not go all the way, and have a removable battery? This way, a user doesn't have to worry about a UPS.
10: Most importantly, have decent customer support. For consumers, the only game in town for decent CS is Apple. HP and Dell offer good CS if you go for the business line PCs and their upgraded support contracts, but the consumer level support isn't regarded very highly.
[1]: Home, as in the archetype who browses the Net, pays bills, maybe fires up a game or two. They don't care about replacing a video card, but just having everything working.
That is exactly my suggestion, although I'd not bother with Good and just use Nitrodesk's Touchdown.
This allows IT to keep all their Exchange data separated from the data of the phone. This also benefits the user because a remote wipe only will destroy that app's data, and not erase the phone.
Touchdown is not perfect -- it has some user interface quirks, and only works with one Exchange account, but it does a decent job.
Another good Exchange program is RoadSync. I use this so I can get functionality that I don't get with the Android OS, such as flagging messages, setting tasks, etc.
Nail, head hit.
To boot, with all the information floating around, it is easy to do a targeted attack. I'm sure GPS info can be obtained to track where someone goes in a day. Combine that with some criminal element in a local area doing the HUMINT (or just basic thuggery), and things can get pretty scary.
What I would like to see is a service similar to LastPass except that every device, be it a computer, smartphone, tablet, or embedded PDA dedicated for authentication would have a public/private key. Then, the database would be stashed/synced in a format like OpenPGP where each key can open the database. That way, if the server storing it is compromised, the data is still encrypted until they get their hands on one of the people's devices and get access to that. Then figure out what the password is. Of course, there is always the issue of recovering access if all devices having keys to it are erased/lost/destroyed.
What might be ideal would be a way for an front end to Lastpass to be able to communicate a keyfile to other devices. So, one can have a local keyfile stashed on their workstation, a keyfile on their mobile device, and one on their tablet.
This in combination with a password would make unauthorized access to a Lastpass database pointless. Unless the attacker is able to get at people's devices, they won't be able to get the keyfile, and without that, brute forcing the password is pointless.
I do this with TC and Dropbox, so even if someone gets access to containers stored there, there is no way to get access by just guessing passwords.
Smith is playing with fire though. Right now, there is a fight on who gets to control the Internet. Will it be the US and ICANN, or will it be an international body from the UN (mainly chaired by BRIC) who gets to say who gets an IP address and who doesn't?
Another SOPA-like item might be the final straw.
It would be nice to have a parameter that would allow/deny USB device requests on what port they are plugged into. That way, I can have a USB card where if a device doesn't register as a mass storage device, it doesn't register at all, while the ports on the machine itself will allow keyboards, mice, etc. to connect normally.
Another idea would be allowing devices to be "paired", where for the OS to officially recognize a keyboard or mouse, it would pop up a dialog asking the user to type in an 8 digit code, or click "ignore" if the message is in error. Similar with a mouse and clicking a short sequence of buttons with the just inserted device. That way, a device posing as a HID that shouldn't be one will be detected quite easily.
USB sticks can present themselves to the computer as more than just removable hard disks. I've seen some that will act as keyboards and when plugged into Windows, will automatically try to type things in.
If the USB device can present itself as the right item, it can potentially do more damage than "just" a drive or filesystem with malware on it.
It all depends on what security features are called "weak". On one hand, the device has full disk encryption, supports Exchange policies and profiles and Apple even has a tool to add additional protection.
One can argue this a lot. However, given the choice between SSL/TLS or depending on BES/BIS, I'll take the former any day of the week.