• OK, passwords are so 20th century and have to go!

    This article (Protect passwords? Not if latte is free) was passed on to me from a colleague who also saw the irony in this.  I would say that we're 3 years too late in making 2-factor auth a base part of computing.  This makes identity theft almost too easy... fish in a barrel. 

    What do you do to keep your passwords secure?  Use the same one everywhere?  Write them down?  Keep them in your cell phone? None of these are great options. 

    The alternative is something that you carry around.  Any ideas on what could work?  Iris and fingerprint scanners still aren't reliable enough (in the home market).  Smartcards would work, as would token generators such as those sold by RSA and others.  But equally important is who the issuer is: I don't want 20 fobs hanging off of my keychain, I want one or two to cover every site that I visit. 

  • 7 computer security tips for students

    My group didn't write this... that is, I don't think we did, although this may have come out of our Consumer team.  But it is pretty good, basic advice for students that are heading off to school with their new laptops. 

    School is in: 7 computer security tips for students

  • Internet fraud -- whose fault is it?

    Awareness is our biggest challenge, but we've been doing a lot to make this happen.  At this point the consumers that are walking into these ridiculous schemes need to accept that they are, to some extent, the authors of their own misfortune.  I like this editorial by Robert MacMillan at the Washington Post.  Here's an excerpt:

    I am a staunch defender of what I call the average computer user, but I wonder whether it's time to change my tune...  It makes sense that the Internet service providers and other stewards of our online experience should do their part to protect people from online danger.  But I need to modify that point of view. Everyone should know by now that we should never trust e-mail, mobile phone messages or instant messages from strangers who want to deal with our money. If you don't know the source, delete immediately. Some of you will be yawning by now because you know this already, but the Times piece points out a tragic reality that criminals know well already -- a sucker signs on to the 'Net every minute.

  • Microsoft buys email managed-services company

    Link. Microsoft Q&A.

    They provide email customers with security and compliance services (retention, etc.).  As IT environments get more complex there are more opportunities for providing this type of service for part of the infrastructure.  This is somewhat in contrast to the old approach of outsourcing everything.

  • Is finding security holes a good idea?

    Some interesting papers came out of the third annual Workshop on Economics and Information Security.  If you're an IEEE Computer Society member you can read the full text.  Eric Rescorla's article, "Is Finding Security Holes a Good Idea?", provides a statistical analysis of a point I have long held:  that disclosure of holes is the prime driver for exploits, and that holding off on disclosure (which also means holding off on the fix) can in many cases reduce costs and improve security.  That may be counter-intuitive, but read Rescorla's paper and judge it for yourself.

    S&P: Economics of Information Security