• Microsoft Solutions for Security team at TechEd

    I was going to post on this but Tony Bailey beat me to it (link).  We have several sessions at TechEd, and 6 program managers and subject matter experts from my team will be in the Security Cabanas.  I can't make it down this year but I have reviewed many of the security sessions and they're awesome.  If you're down there drop into the security cabana and say that jeffnew said to say "hi". 
  • Spyware (I mean potentially unwanted software) and the law

    You know that a concept has truly entered the mainstream when it spawns politically correct euphemisms.  Potentially unwanted software is the latest safe and approved term for what most people think of as spyware and adware.  So the House has just approved a bill that adds some deterrents and safeguards for consumers, to make spyware (oops... there I go again) somewhat less attractive as an advertising medium (link).  However, the bill doesn't provide for protection for anti-spyware (should that be "anti-potentially-unwanted-software"?) makers -- companies who feel that they've been unfairly targeted can sue (link).  This seems odd... if the anti-spyware product is erroneously removing desired software, you would think that the word would get out and no one would use it.  However, if the software wasn't explicitly desired and installed by the customer, what's the argument? 

    Lawyers probably have a different view.  I can think of a couple of products (which I won't name) that appear to do something useful, and then install adware as well.  They protect themselves legally (but not IMHO ethically) by hiding the "consent" for installing the adware in an unnecessarily long click-through end user license agreement (EULA).  So they say that the user must have desired it since they accepted the EULA. 

    So, what do you think?  Obviously since I work for the Big M you could say that I am biased.  But ethically this appears to be pretty clear-cut.  The medical profession went through this whole "informed consent" problem several years ago, and now bend over backwards to ensure that the patient's consent includes an understanding of the procedure and the risks.  Do we need some type of EULA law as well, in order to allow anti-spyware vendors to have a clear line of demarcation between wanted and unwanted? 

  • OK, passwords are so 20th century and have to go!

    This article (Protect passwords? Not if latte is free) was passed on to me from a colleague who also saw the irony in this.  I would say that we're 3 years too late in making 2-factor auth a base part of computing.  This makes identity theft almost too easy... fish in a barrel. 

    What do you do to keep your passwords secure?  Use the same one everywhere?  Write them down?  Keep them in your cell phone? None of these are great options. 

    The alternative is something that you need to carry around.  Any ideas on what could work?  Iris and fingerprint scanners still aren't reliable enough (in the home market).  Smartcards would work, as would token generators such as those sold by RSA and others.  But equally important is who the issuer is.  Because I don't want 20 fobs hanging off of my keychain, I want one or two to cover every site that I visit. 

  • What happened to IT journalism?

    Has anyone else read this article on "safecount.org" wanting to encourage people to not delete cookies?  While I understand that the advertisers have a difficult task, it makes me crazy that sites such as TechWeb just take press releases and post them without providing any context or value-add.  In fact, they become a value-subtract, since some less discriminating readers will look to TechWeb for factual news articles and perhaps actually believe what they're reading.

    I don't mean to pick on TechWeb; it's just that I read this piece this morning and it just pissed me off.  If you want to get your news from the 'net, you have very few places to choose from.  Most sites do the same thing -- get a flurry of press releases, have someone reword them into a semblance of an objective article, and publish.  This particular article is great -- the position of safecount.org is that you shouldn't delete your cookies because it makes life harder on their advertiser members.  The writer makes no comment regarding privacy, and quotes "analysts" (which ones, I wonder) to make the story more believable.

    Please take everything you read with a grain of salt, particularly if it comes from a news source that you didn't pay for.  Remember, they have to get their expenses paid by someone...