Lobrecht.com
Rick Lobrecht's random musings. mostly on tech
 Sunday, December 07, 2008
Apparently it's old news, but World of Warcraft has the option of using a one time password token for their login.  US banks were required to implement two factor authentication, with mutual identification, but I'm not aware of any who implemented anything involving tokens.  My bank uses secret questions plus a special image with a description.  It doesn't make me feel any safer.

Lifehacker poses the question, "Would You Pay $7 for Two-Factor Online Banking Authentication?"  I think most of the people are saying they would pay $7, and I saw at least one poster who said he would even pay $7 a month for the feature.

I'd definitely pay $7 (well $14, since Mary would need one, too).  I'd love to see Verified by Visa use the same token and more web vendors use Verified by Visa.

The unfortunate thing is that banks have no incentive at this point to implement these kinds of systems.  They have very little liability, and the cost of what they are liable for is obviously cheaper than implementing reasonable security.  I assume that the governments in Europe (where most banks have tokens or other two factor security plus smart card based cards) must have forced the issue at some point.

Here's to hoping that our banks implement stronger security some day soon.

Sunday, December 07, 2008 8:31:08 PM (Central Standard Time, UTC-06:00) | Security
 Monday, July 28, 2008

My default configuration on a non-development Windows box is to run as a standard user (i.e. one that isn't in the Power Users or Administrators group.)  When I first bought the MacBook, I wasn't with it enough to try this configuration.

At this point, I've learned enough that I thought it was time to switch my login from an Admin to a Standard account.  Doing so was trivial (after first creating another Admin user.)  There was a little challenge of changing the ownership of some applications.  It seems that apps which were installed using an installer were all owned by root, however apps which were installed using the drag & drop into /Applications method were owned by me.  A quick chown -R later and everything was happy.

Except Photoshop Elements.  When attempting to use any of the effects or layer styles, none of the selections show up.

[Images: admin_user (left), standard_user (right)]

The left image is from an Admin user, and the right image is from my standard login.  A quick google search turned up this Mac OS X Hints article and this Adobe Forums thread. It seems that PSE users need write access to /Library/Applications Support/Adobe/Photoshop Elements/File Agent/6.0/en_US, and the two articles give several options for setting the permissions. 

My first attempt was to use chmod (being somewhat command-line oriented.)  Major FAIL.

Even though I can create a file in /Library/Applications Support/Adobe/Photoshop Elements/File Agent/6.0/en_US, PSE doesn't seem to be able to do its thing with MediaDatabase.db3 (that file doesn't exist for me.)  Another odd thing is that my test file (created with touch) was created with rlobrecht:admin as its owner, instead of rlobrecht:staff.  Weird.  chown-ing the en_US directory to root:staff doesn't seem to help either.

Even logging in as my Admin user (which does work) I don't create the MediaDatabase.db3 file referenced above.

Back to the web for a huge RTFM moment.  It seems there are two directories referenced:  /Library/Application Support/Adobe/Photoshop Elements/6.0/Locale/en_US is the other one.

Monday, July 28, 2008 12:51:03 PM (Central Daylight Time, UTC-05:00) | Adobe | Mac | Security
 Sunday, April 06, 2008
RedBox (those $1 DVD rental boxes you see at grocery stores, McDonald's, etc.) sent me an email saying that three of their locations have evidence of skimming devices on their machines.

Pay attention, and be safe.

Sunday, April 06, 2008 8:29:13 AM (Central Daylight Time, UTC-05:00) | Security
 Thursday, March 13, 2008
I now have a very unique set of requirements for a password wallet.  I realistically need something that is file based (as opposed to database based) and runs on Windows, Windows Mobile, and Mac OS X.

It needs to be file based, so I can use FolderShare to keep it in sync between our fileserver, my work PC, and the Mac.

The platforms are obvious.  I still have a Windows based desktop in my home office, and a Windows based laptop for work.  I won't be switching phone platforms for quite a while.

I've been using Ilium Software's eWallet for ages.  It meets all of my requirements, almost.  I actually have it working on the Mac under Darwine, however there are some issues.  Occasionally, the clipboard between X11 and the Mac has stopped working (i.e. things copied in eWallet can't be pasted into a normal Mac app and vice versa.)  It also has this totally bizarre problem where in the card view, all the text is in some bizarre symbol based font.

I went on a big hunt for a cross platform password wallet.  SplashID looked perfect, until reading the fine print.  The only way to move from a desktop platform to a handheld platform is via its appropriate sync manager.  I don't actually ActiveSync my phone with anything except the Exchange server.  They do have this awful export/import workaround, which would mean clear-text versions of my wallet available every time I needed to update it.  It's also not clear if the Mac and Windows versions are file compatible.

The last one that I checked was the open source project Password Safe.  Their tack for cross platform seems to be to go the Java route.  There's an ancient Pocket PC version (from 2003) but that seems to be dead.  I guess I could attempt to port it to Windows Mobile and Mac OS X, but given my lame coding skills, and lack of time, this seems like a very poor choice.

I've just now seen KeePass which is another open source option, this time with active Windows, Windows Mobile, and OS X versions.  I think I know what I need to test next.  Migrating my data is going to be a bitch.

[update 03-14-2008]
Marc Tassin from Ilium Software sent me an email pointing to their official blog, and their iPhone announcement.  This quote definitely gives me something to think about:
"4. Will you make a Mac version?
I’m not allowed to give you a definite answer on that one yet, but as some technical types might already know, the iPhone and the Mac run very similar software. I’ll leave it at that for now."

Thursday, March 13, 2008 10:06:34 PM (Central Daylight Time, UTC-05:00) | Linux | Mac | Pocket PC | Security | Windows XP
 Tuesday, February 12, 2008


Apparently, H&R Block's programmers don't know about least privilege.  Yes, their app has an auto-update feature, but so does Firefox, and it runs as a non-administrator just fine.

Here's my workaround to run TaxCut as my user account (so the files can be in my My Documents) but still be an Administrator:
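@echo off

rem Two-pass script. With no argument it re-launches itself as the local
rem Administrator and passes the current user name along; with a user name
rem as %1 it changes the group membership and starts the program.
setlocal
set _Admin_=%COMPUTERNAME%\Administrator
set _Group_=Administrators
set _Prog_="C:\Progra~1\TaxCut07\Program\TaxCut.exe /N version.taxcut.com"
set _User_=%USERDOMAIN%\%USERNAME%

if "%1"=="" (
    rem First pass: prompt for the Administrator password and re-run this script.
    runas /u:%_Admin_% "%~s0 %_User_%"
    if ERRORLEVEL 1 echo. && pause
) else (
    echo Adding user %1 to group %_Group_%...
    net localgroup %_Group_% %1 /ADD
    if ERRORLEVEL 1 echo. && pause
    echo.
    echo Starting program in new logon session...
    rem The new logon session's token includes the group; removing the user
    rem afterwards does not change the token of the program already started.
    runas /u:%1 %_Prog_%
    if ERRORLEVEL 1 echo. && pause
    echo.
    echo Removing user %1 from group %_Group_%...
    net localgroup %_Group_% %1 /DELETE
    if ERRORLEVEL 1 echo. && pause
)
endlocal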

Tuesday, February 12, 2008 2:20:08 PM (Central Standard Time, UTC-06:00) | Security | Windows XP
 Wednesday, February 06, 2008

The open-source disk encryption leader, TrueCrypt, has shipped their latest version, and is now supporting encryption of a complete Windows system (similar to what PGP does.)  I happily used PGP's full disk encryption on my work laptop for a while, until a policy came out about not using any non-approved encryption on company machines.  I've happily used TrueCrypt for creating encrypted containers, and love it.

The other interesting new feature is a Mac version of the software (without system encryption support.)

Wednesday, February 06, 2008 9:06:36 AM (Central Standard Time, UTC-06:00) | Mac | Security | Windows XP
 Tuesday, December 11, 2007


Bruce Schneier linked to the Handbook of Applied Cryptography which has now been legally posted in ps and pdf formats for personal use.

Tuesday, December 11, 2007 9:12:22 AM (Central Standard Time, UTC-06:00) | Security
 Sunday, July 01, 2007
Our mortgage company sent us a letter with their procedures for online and telephone access to our account.  In addition to our account number, and a personally assigned PIN, we also have a secret decoder ring.  Ok, so it's not a ring, but we have a list of letters, and their corresponding numbers.  Apparently, they will give us a series of letters, and we'll have to respond with the correct numbers.  Interesting (at least until we misplace the letter from them.)

Sunday, July 01, 2007 8:05:59 PM (Central Daylight Time, UTC-05:00) | Security
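
The letter-to-number list described in the July 2007 post is a challenge-response grid card. A sketch of both sides of such a scheme, as an added example that is not the mortgage company's system or code from the original posts; the A-Z layout, two-digit values, three-letter challenges and the three-failure lockout are all assumptions:

```python
import hmac
import secrets
import string

LETTERS = string.ascii_uppercase  # assumed card layout: one number per letter A-Z


def issue_card(rng=secrets.SystemRandom()):
    """Bank side: build the printed card, a random two-digit number per letter."""
    return {letter: f"{rng.randrange(100):02d}" for letter in LETTERS}


def respond(card, challenge):
    """Customer side: look up each challenged letter on the paper card."""
    return "".join(card[c] for c in challenge)


class GridCardVerifier:
    """Bank side: issues letter challenges and checks the numbers sent back."""

    def __init__(self, card, challenge_len=3, max_failures=3):
        self._card = card
        self._challenge_len = challenge_len
        self._failures_left = max_failures
        self._pending = None  # outstanding challenge, good for one attempt only

    def new_challenge(self):
        # Lock the card out instead of allowing unlimited guessing.
        if self._failures_left <= 0:
            raise PermissionError("card locked after repeated failures")
        rng = secrets.SystemRandom()
        # Distinct letters, chosen by the bank, never by the caller.
        self._pending = "".join(rng.sample(LETTERS, self._challenge_len))
        return self._pending

    def verify(self, response):
        # Consume the challenge first so a captured answer cannot be replayed.
        challenge, self._pending = self._pending, None
        if challenge is None or self._failures_left <= 0:
            return False
        expected = respond(self._card, challenge)
        ok = hmac.compare_digest(expected.encode(), response.encode())
        if not ok:
            self._failures_left -= 1
        return ok
```

Each answered challenge discloses a few card entries to anyone listening, so a card like this wears out with use and a lost letter has to be treated as a lost credential.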
Copyright © 2009 Rick Lobrecht. All rights reserved.