I'm extremely happy that you included SysAdmins in the list. I've long since pointed out that the best sysadmins all seem to at least understand programming and have some experience in it. Being able to understand the full stack, even if only slightly, is a skill most need.

Is the talk recorded anywhere? Seems like it could have been a great talk. Also, please please please host the stuff on another site.

Firstly, to SCdF. The two factor auth sorts out keyloggers or insecure wire transfers. Both are *way* more common than you'd believe. I've seen compromised accounts with passwords so complex, that is the only way they could have been hit. As others have pointed out, the best thing about this is that it is simple. You can explain this sort of two factor auth to your grandmother, same reason the banks use it. Its even quicker with the app and means it is actually ok to login to your account on an untrusted pc these days. Just remember to terminate all the logins, not just logout when finishing. As for gmail blocking accounts, they do indeed shut down access for failed attempts. Even if you connect too many times using the "correct" password, it will get blocked. The blocks appear to be timelimited and IP based, so I'm not sure how that works for something like tor but I'm guessing they have a system to protect against those attacks.

One thing that is coming is properly signed ssl certs (http://googleonlinesecurity.blogspot.com/2011/04/improving-ssl-certificate-security.html) In effect, the owner of the cert publishing the list of their certs in DNS so the browser knows if the cert is real or one from an interceptor. Tie in some DNSSEC and you get a much more secure channel.