Why an ATM PIN Has Four Digits
Bruce Schneier has an interesting blog entry which explains why our ATM PIN is four digits. A four-digit password is laughable, but in the same respect, so is writing your password down and sticking it to your monitor. A big reason a four-digit PIN works for an ATM is that you also need the ATM card in order to use the PIN. That's known as two-factor authentication: what you know (the PIN) and what you have (the card). Any group that wishes to keep its users secure will rely on a multi-factor authentication system. It's a lot harder to steal both my ATM card and my PIN than it is to find just one of them. From a user perspective it makes more sense to let them choose a crappy password they can remember, and then secure that crappy password with something like a smart card or token.
Vulnerability for sale
Another vulnerability auction site has arisen. This isn't the first site to attempt this and surely won't be the last. Most of these sites are really just marketing scams that attract a great deal of attention to the group conducting the auction. It's very possible that these flaws are real, but it's far more likely that they are extremely lame flaws, or just plain fakes. Even if these flaws prove to be real, one of the significant advantages of open source software is the speed with which flaws can be fixed. There are few companies that can claim to have a large group of well-qualified people able to help develop a fix for a flaw. Rather than fret over a site such as this, it makes far more sense to just keep doing the things that make open source great, and deal with bumps as they appear.