Slashdot Mirror


User: dlc

dlc's activity in the archive.

Stories: 0 · Comments: 196

Comments · 196

  1. Re:different encryption methods on Encryption Matters, Part Deux · · Score: 3
    • Have there been any projects to build a completely secure OS?

    Sure, OpenBSD. (Super simplified history coming up.) Several years ago, they took the FreeBSD source tree and began combing it for insecurities and weaknesses. It now ships very tightly closed up by default, with most daemons off, SSL and SSH included as part of the core OS, etc. They haven't gone to the lengths you describe (I don't think), mainly because they need to maintain POSIX compliance and source-level compatibility with other Unixes and *BSD's. Definitely worth looking into if security is your passion.

    darren


    Cthulhu for President!
  2. Re:Oh blah blah blah on Faster · · Score: 2

    Well, actually, I think you are missing Picasso's point -- the point that anything which presents only answers is useless. Real solutions and real knowledge only come from reflection, from the give and take of questions and answers going both ways. Yes, a computer can tell you the sine of 1, but it cannot explain it to you in a way you will understand (unless it has been specifically told how to do so).

    And for the record I wasn't saying that the comment's poster (I don't even remember who it was, sorry!) was getting it all wrong; I was just reminded of the quote upon initial reading of the comment. Of course we all want to hear other people's solutions. Chances are pretty good (almost 100%, in fact) that any solution to the problems discussed in the book is going to either come from someone who is not me, or someone else is going to contribute a great deal to the solution. Not seeing that is blindness, pure and simple. Well, blindness and a whole lot of egotism.

    darren


    Cthulhu for President!
  3. Pretty sweet... for a beta. on Photogenics 4.5 Beta For Linux Released · · Score: 4

    All in all, I like it. I love the fact that this is a 365K download and only takes a fraction of a second to load and start running on my system (500 MHz PIII, 128 Megs, kernel 2.2.14).

    Well, it only does JPEG's (intentional, to keep the download size small), but it does them pretty well. I like especially the font select window: it creates a list of major fonts, then has a tree-type menu to see the subtypes (bold, italic, etc). I also like the color selection window, where the area under the mouse flashes across the screen while you go over it.

    However, it doesn't seem to do anything that the GIMP doesn't do, but it would have the advantage of being familiar to people from other platforms.

    darren


    Cthulhu for President!
  4. Quick! on Ssssh, Don't Disturb The Citizens · · Score: 2

    $ cd /home/ftp/mirrors
    $ ls
    DeCSS.tar.gz
    pchack.exe
    quakelives-2-19-00.zip
    $ wget --no-parent -rqm -l1 http://cryptome.org/mi5-lis-uk.htm
    $ ls
    DeCSS.tar.gz
    pchack.exe
    quakelives-2-19-00.zip
    mi5-lis-uk.htm
    $

    Everybody download the page and put it next to their deCSS and PCHack mirrors!

    darren


    Cthulhu for President!
  5. Re:Great book, but no answers on Faster · · Score: 3

    Your comment reminded me of one of my favorite quotes, from Picasso: "Computers are useless. They only give you answers."

    • The only downside (if there is one) is that it's all reflection and no solutions

    But would you want someone else's solutions? I think the author's point is, "Here's some stuff I've noticed." You need to take it from there, and create your own solutions.

    Personally, I'd like to see more books like this. Isn't this the kind of thing that makes for really good standup comedians? Observations? Why did so many people like Seinfeld, a self-proclaimed "show about nothing"? Because it was all observation and reflection, albeit with a humorous bent.

    I definitely think I'm going to grab this book, it sounds like a great read.

    darren


    Cthulhu for President!
  6. OK, all together now, let's repeat the obvious... on SecurityFocus Responds To ESR Column On OSS Security · · Score: 5

    Yeah, this article says nothing we don't already know.

    • "Just because the source is available, doesn't mean anyone is reading it."

    Yeah, no kidding. But when the source is closed, I guarantee no one is reading it. Just because the author and many of the developers he knows are not over-conscientious and don't read the source doesn't mean that there aren't many of us out there who do. I personally review the code to almost every piece of software I use regularly, to the best of my ability. Yeah, I may not be "qualified" to "judge" something like Sendmail, but at least I can have the peace of mind that its developers are not trying to pull a fast one on me, as Microsoft did. If I don't feel "qualified" to judge some code, I reread it until I am. Maybe that's just me. No wait, that's not just me -- that's a lot of people out there, and that's why open source works.

    • Open Source makes it easy for the bad guys to find vulnerabilities.

    And leaving your car parked in a parking lot makes it easy for car thieves to find. What is that supposed to mean? The issue is not, and never was, the "bad guys" finding vulnerabilities. Last thing I heard, the bad guys find vulnerabilities in closed source stuff all the time. The issues are prevention and the ability to fix bugs as they are noticed. I can fix the bugs myself if I find them, I can apply patches myself, I don't have to wait for a new version or a binary patch to replace the compromised DLL's or shared library.

    darren


    Cthulhu for President!
  7. What does *this* mean? on Canvas 7 beta for Linux - now available · · Score: 2
    • By default Canvas is set to use unmanaged windows (this means that desktop themes and services will be unavailable). You can enable managed windows by selecting the desired type of window behavior in the "Windows" menu under "Linux Window Manager" (from within Canvas)

    Has anyone deciphered this line? It sounds like this says, "We let your window manager do what it's supposed to do and don't try to interfere", which is what it should do, but I've never heard it phrased this way.

    darren


    Cthulhu for President!
  8. Re:Probably Not LinuxPPC Right? on Canvas 7 beta for Linux - now available · · Score: 2

    Well, since it requires Wine, and Wine requires Windows DLL's (I believe), I think non-Intel folk are out of luck. Does anyone know if the real (non-beta) version will be native Xlib or GTK or Qt, i.e., non-Wine?

    darren


    Cthulhu for President!
  9. Key ingredient missing... on Organizing Your Bookmarks? · · Score: 2

    A lot of these ideas (a web site or daemon that keeps and categorizes your bookmarks) are missing one important thing: Using the builtin bookmarking feature of your browser is convenient. The easy solution, of course, is, once you have a web-based interface for adding your bookmarks, you would write some javascript that hits that web site with the current location (document.location) as the query string. Put it in a button on your personal toolbar, or call it through your favorite window manager's root menu (netscape --remoteURL(...)), or whatever, and you hit that button instead of the builtin bookmark feature. Or, if you aren't afraid of your .Xresources file, you can add it to your navigation tool bar with a custom icon and everything (isn't X wonderful?)

    darren


    Cthulhu for President!
  10. Re:Wait! on Encryption Matters, Part I · · Score: 2

    Er, it looks like you submitted this one a while back (Linux 2.2.11), and there was the Andover sues Kuro5hin joke from April 1st, as well as a not so subtle Scoop plug (from the search page).

    Don't mean to pick. Good work with Scoop, BTW (another free plug!).

    darren


    Cthulhu for President!
  11. Problem solved: sudo on Weird NFS Security Needs · · Score: 3

    Have you considered using sudo to give selective root access to users? sudo stands for "superuser do", and allows selective superuser access. sudo lets the admin define, in a shared config file, individual executables and scripts (by full path), and who they run as. You can give a user access to /bin/rpm as root, for example, so they can install packages, without giving them access to anything else as root. You can also define rights by group and by machine, in addition to by user. Users use their own password to perform the function, so there are no extra passwords to distribute and remember. As an added bonus, sudo logs to syslog not only that user jsmith used sudo, but the entire command line -- very useful for auditing (where su logs only that the user became root).

    Technical info: sudo is developed and maintained by Courtesan Consulting; the homepage is at http://www.courtesan.com/sudo/; it is distributed under a BSD-style license; it is at version 1.6.3. It compiles easily on (at least) Linux and Solaris (using gcc and Sun's native crap-piler, er, compiler), and lets you optionally define error messages (there are some included and adding your own is simple). Here's a nutshell introduction.

    I highly recommend it. We use it all the time. It takes a little bit of planning, as well as trial and error, to set up correctly, but once it is set up, it is a huge time saver.

    In your situation, you would have to set up the complete config file (called sudoers) on a shared filesystem, make sure sudo is in everyone's path, and then change the root passwords on everyone's machine. You'll get a lot of complaints at first, naturally, and then you'll get a lot of requests like "Why can't I run foobarbaz.pl anymore?", which you would either have to add to the sudoers file or beat down the request.

    darren


    Cthulhu for President!
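An added example for the sudo comment above (not code from the comment's author or from the sudo project): a small auditor that parses the command lines sudo writes to syslog and flags denied attempts and commands outside an expected policy. The log lines, the hosts `build1`/`build2`, the user `mlee` and the `EXPECTED` table are constructed for illustration.

```python
import re

# Constructed sample lines in the format sudo writes to syslog (not real logs).
SAMPLE_LOG = """\
Apr 10 09:15:02 build1 sudo:   jsmith : TTY=pts/3 ; PWD=/home/jsmith ; USER=root ; COMMAND=/bin/rpm -i foo-1.0.rpm
Apr 10 09:17:40 build1 sudo:   jsmith : command not allowed ; TTY=pts/3 ; PWD=/home/jsmith ; USER=root ; COMMAND=/bin/sh
Apr 10 09:20:11 build1 sshd[812]: Accepted publickey for jsmith from 192.0.2.10 port 50022 ssh2
Apr 10 09:31:55 build2 sudo:     mlee : TTY=pts/0 ; PWD=/tmp ; USER=root ; COMMAND=/usr/local/bin/foobarbaz.pl --all
"""

# Hypothetical mirror of what sudoers is meant to allow: (user, run-as) -> binaries.
EXPECTED = {("jsmith", "root"): {"/bin/rpm"}}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) sudo(?:\[\d+\])?:\s+"
    r"(?P<user>\S+) : (?P<fields>.*)$")

def parse_sudo_line(line):
    """Return a dict for a sudo syslog line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # COMMAND= is always last and may itself contain " ; ", so split it off first.
    head, _, command = m.group("fields").partition("COMMAND=")
    event = {"ts": m.group("ts"), "host": m.group("host"),
             "user": m.group("user"), "command": command.strip(), "error": None}
    for item in head.split(" ; "):
        item = item.strip(" ;")
        if not item:
            continue
        key, sep, value = item.partition("=")
        if sep and key.isupper():
            # USER= is the account the command ran as, not the invoking user.
            event["runas" if key == "USER" else key.lower()] = value
        else:
            event["error"] = item  # e.g. "command not allowed"
    return event

def audit(log_text, allowed):
    """List (user, host, reason, command) for denied or unexpected sudo use."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_sudo_line(line)
        if ev is None:
            continue
        binary = ev["command"].split(" ", 1)[0]
        permitted = allowed.get((ev["user"], ev.get("runas", "root")), set())
        if ev["error"]:
            findings.append((ev["user"], ev["host"], "denied: " + ev["error"], ev["command"]))
        elif binary not in permitted:
            findings.append((ev["user"], ev["host"], "not in expected policy", ev["command"]))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, EXPECTED):
        print(finding)
```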
  12. Here are some URL's on UCITA Passes In Maryland Senate · · Score: 3

    You can get the first reading and third reading (the third is the one that passed). Looks like it took almost 3 months from initial presentation (on January 18) to its passing, but the pass wasn't unanimous (37-8). The results of the vote are here (plus the votes from the first reading, when it was rejected). There were two amendments, also (one adopted, one rejected).

    As an aside, this site is pretty well-organized... a lot of information here, easy to find, well cross-referenced.

    darren


    Cthulhu for President!
  13. RTF? on UCITA Passes In Maryland Senate · · Score: 2

    Anyone know why the bill is posted in Rich Text Format, and where I can get a reader for Linux? I don't want to have to strip the formatting manually...

    darren


    Cthulhu for President!
  14. Re:Hmm, this says something on Report From The Mozilla Developer Meeting · · Score: 2
    • Is it just my imagination, or does this scream "Buggy!" at the top of its voice?

    Oh, come on. Can you honestly tell me that every major program (I mean big ones, like Netscape, or IE, or Apache, not stuff like 'ls' or 'chmod') doesn't crash occasionally? I think this is a great idea, although what I'm unsure about is what exactly are they going to do? Run the entire process in a big try/catch/finally or eval block?

    • I'll stick to IE 5.5, which doesn't seem to crash at all

    Of what use is a stable app on an unstable platform? You still lose IE when you lose Windows...

    • Surely the coders could remove these bugs, unless the whole design is fundamentally flawed.

    Hm... good point. See my comment on your "IE 5.5" statement.

    darren


    Cthulhu for President!
  15. Re:Just think what Perl could do... on Report From The Mozilla Developer Meeting · · Score: 2
    • It's called PerlScript.

    ... but you need a plug in for it, and as far ass I know, only works in IE.

    darren

    Ooops -- the extra 's' in 'as' was an accident, but I leave it there just in case this statement is wrong! ;)


    Cthulhu for President!
  16. Re:Just think what Perl could do... on Report From The Mozilla Developer Meeting · · Score: 3

    I agree -- JavaScript is a broken language that really only makes sense in the context of a web page; using it for scripting of anything else is really pushing it. I've always thought that Microsoft's use of JavaScript in the Windows Scripting Host was pretty dumb (it's not a system scripting language, people! It's just not!) However, embedding Perl into Mozilla would add 1 Mb to the size of the runtime... is that what we want? Although it does sound like a groovy idea. There would be no limit to what you could make Mozilla do.

    Does/will Mozilla allow for things such as an embedded interpreter to be loaded dynamically, or will it always load everything on startup?

    darren


    Cthulhu for President!
  17. Re:The Difference between Mozilla and Netscape? on Report From The Mozilla Developer Meeting · · Score: 2

    What I got from the article was that Mozilla is going to contain programming hooks and tons of modules and skins, of which Navigator 6 will be using the browser component. Mozilla will be much more than just the browser, and Navigator 6 won't.

    darren


    Cthulhu for President!
  18. Too ambitious? on Report From The Mozilla Developer Meeting · · Score: 4

    I admit that I haven't been following the Mozilla story as closely as I probably should be over the last few months, but now I see the reason that there isn't a fully functional browser release. Since when has the Mozilla project been about a platform? It sounds like Mozilla is trying to be all things to all people, instead of just concentrating on one thing, and doing it well. While I appreciate that a platform is of more use overall than a single application, there are some of us that have been waiting patiently for the browser that Mozilla promised for a long time.

    It sounds like the project has become a little too ambitious too quickly. I would love to see all these various projects come to fruition, but it sounds like all the projects are being delayed by all the others.

    This is probably too simplistic a view, of course; I don't mean this as flamebait, and I'm sure I will be corrected. Am I the only one who is frustrated from two years of waiting for Mozilla?

    darren


    Cthulhu for President!
  19. co-location is a great service on Starting Up A Colocation Service? · · Score: 2

    Location is what most projects are lacking, whether it be co-location or project-hosting, or whatever. I like the idea of being able to bring in a box or two of my own, use your rack space, your network drop, and your power to power my box(en). In return, I pay for bandwidth, rack space, and power consumption; according to usage for bandwidth, and fixed rates for the latter two.

    For this kind of service, basically you need a big fat pipe coming into your space (probably more than one is ideal, each attached to different backbones), a lot of power, and space. Co-location facilities often have cages or some other type of physical protection for the boxen themselves, but you could probably knock off some of the space charges if customers bring in their own cages.

    I would say you will get mainly bigger setups as customers. Smaller businesses/projects tend to be OK with just web-hosting, rather than full-scale co-location (I may be wrong about this). Note that I mean big in terms of both number of boxen and amount of bandwidth.

    Services such as DNS and the like are unrelated to co-location -- if you put your own boxen somewhere you should have one to handle DNS requests as well. I would concentrate on the power, space, and bandwidth issues and leave the extra services to the customers (or at least put off offering them for a long time).

    Good luck!

    darren


    Cthulhu for President!
  20. the reason we tend to be concerned about privacy on Stephenson Gives "Heretical" Speech @ Privacy Summit · · Score: 4

    While I definitely understand Stephenson's point, and agree to a certain extent, the reason that I (for example) tend to be more focused on security and privacy issues is because that is something over which I have some control. There is only so much that I can do about stray bullets, sad to say, but I can definitely help people to understand why they need to use encryption software to protect themselves and their privacy. I can definitely help people install and configure PGP, and create key pairs and distribute them. Yeah, maybe it's not as noble a cause as some others, but it's what I can do. I'm a programmer, not a politician, or a police officer, or a lawyer. The same or similar probably goes for most of the readers on slashdot and most of the CFP attendees. People I know trust my judgement about computers and the Internet, so that's where I try to help.

    Too often people try to get involved in what they don't adequately understand (such as politicians and lawyers trying to regulate the Internet), and this is the source of many many problems. I don't know how to help prevent random violence, or shootings, or kidnappings, or most of the other atrocities that take place in the modern world, so I do what I can. I try to help prevent things like privacy violations, to the best of my abilities.

    It's not about hiding things from Big Brother, it's about personal privacy and personal freedom. This is how I can help, so this is what I do.

    darren


    Cthulhu for President!
  21. loki's Fenris on Web-Based Bug Tracking Software? · · Score: 2
  22. Mirrors? on ACLU To Appeal CPHack Ruling · · Score: 2

    So, are there any CPHack mirrors out there, so I can add it to my deCSS mirror?


    Cthulhu for President!
  23. What took so long? on ACLU To Appeal CPHack Ruling · · Score: 2

    I'm wondering what took the ACLU so long to get in on the action. It seems like this is their kind of thing.


    Cthulhu for President!
  24. new market? on No FreeBSD 3.5 On CD From WC/BSDI · · Score: 2

    Seems like they'll be creating an opportunity for smaller companies to sell 3.5... I'm sure many people are not sure about upgrading, or don't plan to right away. Someone with a cd burner and a fast connection could probably do pretty well selling 3.5. Just a thought...

    darren


    Cthulhu for President!
  25. Alternatives (circumventing the system?) on Creating Sane Password Policies? · · Score: 3

    With a password policy like that, I have to ask: has your network been broken into lately? Do you work for a government contractor or something else that deals with sensitive data, like a bank? Otherwise, in normal, day-to-day use, this sounds like overkill. If the admin is that worried about passwords, get a strong firewall product to protect your network from the external world, so that you can lift some of the password restrictions for local users.

    If your network has been broken into lately, it sounds like an overall security audit is called for -- most of the time the problem is not that passwords aren't strong enough, but that vital services are vulnerable (holes in FTP or Web servers, for instance, or Sendmail improperly configured, or SMB over the internet). The problem could also be that the users are not careful with their passwords -- you can have the strongest password policy in the world, but if Joe in Marketing keeps giving his password to his brother every time he changes it, you will continue to have problems.

    If you are working for an organization that has sensitive data and resources to protect, there are many methods of authentication that don't require passwords -- someone already mentioned biometrics. I prefer using encrypted connections, such as SSH with key exchanges, where passwords are not sent (passphrases are maintained on the local machine only and not sent over the network). Many of these are transparent to the user (though of course totally different to the machine, often requiring installation of specialized clients or other software).

    • It seems to me that if you make password policies too outrageous, users will find a way to circumvent the system

    Like what, actually remember their passwords?


    Cthulhu for President!