• Internet fraud -- whose fault is it?

    Awareness is our biggest challenge, and we've been doing a lot to raise it.  At this point the consumers who are walking into these ridiculous schemes need to accept that they are, to some extent, the authors of their own misfortune.  I like this editorial by Robert MacMillan at the Washington Post.  Here's an excerpt:

    I am a staunch defender of what I call the average computer user, but I wonder whether it's time to change my tune...  It makes sense that the Internet service providers and other stewards of our online experience should do their part to protect people from online danger.  But I need to modify that point of view. Everyone should know by now that we should never trust e-mail, mobile phone messages or instant messages from strangers who want to deal with our money. If you don't know the source, delete immediately. Some of you will be yawning by now because you know this already, but the Times piece points out a tragic reality that criminals know well already -- a sucker signs on to the 'Net every minute.

  • Regulatory Compliance: Yet another regulation to follow

    The Payment Card Industry (the credit-card brands) has created its own set of regulations that e-commerce sites must follow if they're to continue processing credit card payments.  The regs are pretty good -- a 12-point checklist of areas that need to be covered.  For example: "Do not use vendor default passwords on IT products" and "Uniquely authenticate each person accessing computer systems."  It's a great idea, but it is yet another regulation that needs to be dealt with.

    http://www.ecommercetimes.com/story/113003FF5PFJ.xhtml

  • What is Spyware (again)

    More progress is being made on the anti-spyware front:  http://www.eweek.com/article2/0,1759,1788844,00.asp.  Industry players are banding together to try to define the term.

    I'm not sure that this is a good idea -- while I agree that the term "spyware" has unfortunate connotations for anyone branded with it, writing down a precise definition just seems to me to open the door to firms working around the definition while achieving the same effect.

    Although it had a terrible acronym, I really thought that "potentially unwanted software" captured the category in a nutshell.

  • Child Exploitation Tracking System developed by Microsoft

    This is one of those times that I love this company -- building a tracking system to fight kiddie porn, and giving it away to police departments worldwide.  Link.

  • DNS Poisoning attacks... will this never end?

    TechWeb has just posted an article reporting that the DNS cache poisoning attacks are continuing.  The Microsoft KB article can be found here.  The problem: the cache protection in Windows DNS (Windows 2000 SP3 and above) only applies when the DNS server is resolving queries itself, as a master.  If it is forwarding all requests to another server, the returned data is assumed to have been filtered by that upstream DNS server.  If the upstream server isn't filtering properly, the cache can still be poisoned.  This is often the case when Windows DNS is set to forward requests to an older version of BIND.  The Internet Storm Center (link) has a pretty good description of the several scenarios, and of how you need to protect your organization depending on which scenario applies to you.

    Lesson learned:  Look at the whole chain to understand how you're protected.
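    The filtering the upstream server is expected to do is a bailiwick check: records in a reply are only cached if their owner name falls under the zone the answering server actually has authority for, so a reply for www.example.com cannot smuggle in an address for some other site.  The script below is an added illustration of that check, not code from Microsoft, ISC, or the articles above; it builds a small constructed DNS reply by hand (the names, addresses, and the "example.com." zone are all made up for the example) and shows which records a filtering resolver would keep and which it would reject.  A forwarder that caches every record its upstream returns, without a check like this, is the weak link the item describes.

```python
"""Bailiwick check on a DNS reply: keep only records the upstream server
is authoritative for.  Added example; the reply bytes are constructed
here, not captured from a real poisoning attempt."""
import struct

A = 1  # RR type A (IPv4 address)


def encode_name(name):
    """Encode a dotted name such as "www.example.com." as DNS wire labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a (possibly compressed) name at offset; return (name, next_off)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer into the message
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)


def encode_rr(name, rtype, ttl, rdata):
    """Resource record: NAME, TYPE, CLASS=IN, TTL, RDLENGTH, RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def build_response(qname, answers, additional):
    """Standard response (QR=1, RD=1, RA=1) with one question."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answers), 0, len(additional))
    question = encode_name(qname) + struct.pack("!HH", A, 1)
    body = b"".join(encode_rr(*rr) for rr in answers + additional)
    return header + question + body


def parse_response(msg):
    """Return (qname, [(name, rtype, ttl, rdata, section), ...])."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, qname = 12, None
    for _ in range(qd):
        qname, off = decode_name(msg, off)
        off += 4  # QTYPE, QCLASS
    records = []
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            records.append((name, rtype, ttl, msg[off:off + rdlen], section))
            off += rdlen
    return qname, records


def in_bailiwick(name, zone):
    """True if name is the zone apex or lies beneath it (case-insensitive)."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def filter_response(msg, zone):
    """Split a reply's records into (cacheable, rejected) for the given zone."""
    _qname, records = parse_response(msg)
    kept = [r for r in records if in_bailiwick(r[0], zone)]
    dropped = [r for r in records if not in_bailiwick(r[0], zone)]
    return kept, dropped


# Constructed poisoned reply: a genuine-looking answer for www.example.com
# plus a bogus "glue" record for a name the example.com server does not own.
POISONED = build_response(
    "www.example.com.",
    answers=[("www.example.com.", A, 3600, bytes([192, 0, 2, 1]))],
    additional=[("www.bank.test.", A, 86400, bytes([198, 51, 100, 9]))],
)

if __name__ == "__main__":
    kept, dropped = filter_response(POISONED, "example.com.")
    for name, *_ in kept:
        print("cache  ", name)
    for name, *_ in dropped:
        print("reject ", name)
```

    Run as-is, the script caches the example.com answer and rejects the www.bank.test record.  The check is deliberately simple: it trusts the caller to say which zone the upstream is authoritative for, and a real resolver also has to decide what to do with the authority section and with CNAME chains, which are left out here.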