They say the false accept rate is .001, or one in a thousand. That is, they can extract about 10 bits of information from a picture. From those 10 bits they claim to get the SSN? Or, they have the picture of a person, and need to identify them in a sample of a million people, they will get back 1000 possible matches.

The complaints about privacy seem greatly overblown. In essence they are saying that if you post a picture with your name, and then another picture without your name, someone with a million dollars of software might recognize the similarities. Of course they might without the computer too. This is just another in the long line of "security" scares which presume that items of public knowledge such as your appearance, name, DOB and SSN can be turned into a secret passwords after 40 years of being public knowledge. The security experts should be spending their time convincing banks not to pretend an SSN is a secret, rather than enabling them by agitating for legislation to make it so.

According to the article, the defendent is not distributing code containing GPL code. Rather, they are distributing a program that reads from a DSL router and modifies the (perfectly legal) GPL code on the router, reinstalling the modified code. The defendent doesn't think this is a violation, since he does not distribute any GPL code to users, only the binary "diffs". The modified code is never "distributed", only installed on the individuals own router. Since the GPL limits distribution, but doesn't affect "internal" use, there is an argument that the GPL is not violated. However, there is a further section in the GPL that takes up just this point, which is quite orthogonal to any of the arguments posted here. Even if this section of the GPL was not enforced in Germany, it wouldn't be the end of the GPL, as this is an extremely inconvinient way to distribute software, and the liklihood that the "diffs" didn't include GPL code is very small.

IPv6 will be very slow in coming, and there will be no crisis. As ISPs run our of v4 address space, they will offer natted rfc1918 space by default, and charge a few dollars extra for public addresses. Only a few people prefer a public address if charged $5/month for it, and they won't miss anything either. While lots of public servers will be offered in both v4 and v6 space, nothing interesting will require v6. v6 will grow slowly based on its use in purely internal networks. The things lusers need will always be available in v4 and there aren't enough clued users to create a real shortage.

Maybe sweeps are in November because that is when the elections are? Anyway the problem with electronic voting is not only that it is hard to do right, but also that it is impossible to show the average voter that it has been done right. With paper ballots and each party having a representative at the polling place and at the counting, voters are willing to believe the count is accurate. The offer to examine the source code is less convincing. Saying that the source code has been examined by someone paid for by the company that wrote the code is nothing at all.

The good news is that the Marvel chip won't support Windows.

The bad news is that the child with an OLPC while she may learn to do art on her computer, won't learn to do anything helpful in any labor market on earth. With a tablet, she won't even learn to touch type. I know that the project wants to prepare her for more self-actualizing career, such as poet, designer, president or CIO, very few will have that opportunity if they can't get an entry level job in the urban sector.

You can use the ITA engine at http://matrix.itasoftware.com/cvg/dispatch and it is really quite good compared to most airline/agency websites. However, it won't actually sell you a ticket.

I have been amazed over the last few years that both the general public and security professionals think that email addresses and social security numbers can be made confidential, like passwords. Surely that is impossible to achieve. If spam is to be stopped, it will certainly be another way. If identity theft is to be stopped, it is certain to be another way.

I am not sure where the idea that PXE boot files are limited to 32KB comes from, but we are booting FreeBSD 8.0 with a 240KB boot file with PXE and tftp and have not had to do anything special. We also boot Linux (Fedora 11) with a 4MB initrd over tftp and that has not posed any difficulties either. Our FreeBSD experience is documented at http://www.nber.org/sys-admin/FreeBSD-diskless.html - it works quite well for us. I looked at gPXE and it doesn't really solve any problems we have had. Actually, we have had only one problem - sometimes the OS boot code doesn't support the motherboard ethernet, and we have to add a different ethernet card for post-boot LAN access.

Yes, in fact there is no evidence that any password has ever been brute-forced, except in a demonstration. (Dictionary attack is not brute-force).

Interestingly, we had support contracts for several SPARC machines until recently, but when the time
for renewal came around SUN didn't send any notice, and we let it go. I think of this as
"passive/aggressive" behavior on their part and seems typical of our experience with the administrative
side of SUN, although past adventures (such as wrong addresses on shipments) have been worse. .

The patent makes no sense, because it includes no description of a mechanism for achieving the stated objective. You should be able to get a patent on a particular method of doing something, but since when can you patent all possible methods of doing something? Especially when there aren't any. We have been doing this at work for over a decade, using IP address information from whois servers. It isn't very accurate, but it works well enough for us.

Daniel Feenberg

I have worked with anonymized government data extensively, and birthdate and zipcode are always considered personally identifiable information. Sometimes birth year is available, and sometimes state or (rarely) county is available, but I have never even heard of a dataset with both. Datasets with month and day of birth are never considered to be anonymized, and are not released. The author of the paper is much overwrought.

There is no need to physically destroy a drive to prevent data from being read. The claims of Gutmann that it was possible to read overwritten sectors were never sustained by his sources. I investigated this years ago and reported in Can Intelligence Agencies Read Overwritten Data that he was very much overwrought. I see he has gone on to tilt at other windmills since he propagated that myth.

OK, suppose the tamper-evident seal is found to be broken at the end of the election day. What happens then? Are those votes not counted? I wouldn't expect that result. That would open a door to an intruder going to a district favoring the opponent and merely tampering with the seal. I'd expect the votes to be counted in spite of the broken seal. Is there actual experience anywhere on this point?