The standard recommendation I've seen is to overwrite at least 3, perhaps 5, 7, or even 9 times[0], often with a final all-zero overwrite[1] at the end (since an all-zero nominal image might discourage someone from looking harder, while a disk full of random-looking data can only result from a random overwrite or a full-disk encryption system).

The "kill it with fire" technique is more a question of speed and when you can afford to destroy disks. I've heard the NSA burns their disks, and Google physically mangles disks, but consider that those organizations are going to get rid of disks either when the device using them is past its useful lifetime, or when the disk starts failing. At that point the future value of keeping the disk around is low. It's more cost effective to use a quick method that prevents data recovery (of the desired level depending on threat model), rather than tying up computers and personnel in lengthy overwrite procedures when the disk is probably going to be thrown out anyway.

The reason for multiple overwrites is that if you look at absolute magnetic readings from the disk at each bit storage position, it's not digital. Instead of "1" or "0", you might see .998 or .005.

The one in-depth article I read a while back said that an overwrite moves the charge roughly 90% of the way to the opposite value. If a bit was "1" and is overwritten with "0", the new value would be 0.1 Subsequent overwrites similarly attenuate past data. Given disk error rates today, I think 90% is optimistically high.

For the sake of simplicity, if each overwrite pass changes the data value exactly 90% of the way from the current value to the target value, every bit on the disk is going to be either between 0 and 0.1 or between .9 and 1.0. More specifically, there are four possibilities for each bit. If the reading is close to the range 0.00 to 0.01, both the current and last image stored a zero. If the reading is close to the range 0.09 to 0.10, the current image is zero and the last image was a 1. Similarly for 0.90 to 0.91 and 0.99 to 1.00 ranges.

With a perfectly accurate magnetic detector and a HDD write mechanism that is perfectly accurate, and a perfectly linear and resilient magnetic layer on the disk, you could discover past images one by one... once you determine the last image logical value, you apply a function, possibly a linear map, to strip out the computer-visible layer and derive the exact magnetic reading as it would have been before the last overwrite. Repeat, wash, rinse...

The objective of overwriting several times is to push the magnetic differences caused by the last "real" stored data into the range where it's obscured by noise, either noise of the magnetic imager used to take raw magnetic readings, or much more likely, noise of the HDD writing mechanism (it isn't writing a perfect "1" value each time), or noise or imperfections of the magnetic substrate leading to imperfect magnetic storage.

I think recommendations for 35 overwrites, or even 9 overwrites, may be overestimating the capabilities of an adversary. Not because of anything the adversary does, but because of modern hard drives. Data is crammed into such small magnetic wells that the absolute magnetic readings are less consistent than ever before. Given the error rates of modern TB-sized disks, I would expect many blocks with unrecoverable (2+ bit errors per block) read errors upon reconstruction of even the second to last magnetic image. Repeating the process, I would expect errors to increase non-linearly. My WAG is that before 9 overwrites you're in a situation where even a perfect magnetic detector is reading only low-level noise from the drive. (I'm talking about noise from the non-perfect magnetic layer on the disk surface, and fluctuating magnetic field write strength from the drive head.)

[0] see, for instance, http://www.securityfocus.com/archive/1/310128

[1] An all-zero overwrite simply provides a surface layer of plausible deniability if nobody uses a magnetic imager and instead uses commodity hardware to check drive contents. A disk area filled with statistically random data, AFAIK, has only two causes: 1. a full-disk encryption program in a mode that doesn't use a header (e.g. Truecrypt's hidden containers), or 2) a secure overwrite pass. Both might draw unwanted attention in certain instances, where an all-zero disk might be mistaken for an unused drive.

I have one. It would frequently hang (over WIRED connection) for anywhere from a few mins to 15 minutes, then suddenly start working again. I monkeyed around with settings including disabling the AOSS and WPS stuff, and it stopped hanging. I don't know what specifically fixed it, but I'm using openwrt now so I'll never know. I suspect many of the "omg my wzr-hp-*300* router is broken" stories are just bugs in dd-wrt.

Oops, the dual band buffalo is wzr-hp-ag300h, not -nh.

Atheros:
Netgear wndr3700v1: 8MB flash, 64MB ram
Netgear wndr3700v2: 16MB flash, 64MB ram
Netgear wndr3800: 16MB flash, 128MB ram
Buffalo wzr-hp-g300nh: 32MB flash, 64MB ram (more chance of a lemon than the netgear wndr series)
Buffalo wzr-hp-ag300h: 32MB flash, 128MB ram

Broadcom
Netgear wndr4000: 8MB flash 64MB ram (BCM4718 ?)
Netgear wndr4500: 128MB flash 128MB ram (BCM4706 ?)
Linksys/Cisco e3000: 8MB flash 64MB ram (BCM4718 ?)
Linksys/Cisco e4200: 16MB flash 64MB ram (BCM4718 ?)

The ciscos from what I've read are very picky about nvram size.

wndr3700 or 3800.

They are atheros based, so there's the issue of occasional wireless drop-outs that may be fixed in openwrt snapshots (check svn changelog for late November '11), but that's a lot better than the wndr4500 and other broadcom SOC devices that are proprietary and difficult to reverse engineer.

Also, the wndr3700 is hard to brick, and easy to tftp to. There are similar atheros-based devices like the buffalo wzr-hp-g300nh (2.4GHz-only) and ag300nh (2.4 + 5 GHz), but they're harder to flash and maybe have quality control problems on transmit power (some people complain).

...is actually 3.0.6. kernel.org is back up but it's not updating properly.

I think the point is that the pharma/food industries generally aren't recruiting kids to produce propaganda like flu shot or Got Milk PSAs. The media giants, in contrast, generally don't have as many scruples.

The media industry is more desperate than those other industries. It doesn't matter whether you're for copyright or against it, virtually everyone without a large vested interest is against current absurd copyright terms, anti-circumvention, ACTA, etc. So the people trying to create propaganda supporting current copyright laws are desperate to expand their "piracy is theft" meme, and one of the things desperate people do is use non-rational means to persuade people.

This is not so much about creating an anti-piracy PSA (they could hire a media firm to do it for 5 figures, which is peanuts), but rather to indoctrinate the children into the belief that piracy is bad by enticing a bunch of young impressionable kids to regurgitate the industry's talking points.

(Unrelated, but worth noting since you brought it up: Trying to counter the Got Milk stuff could run into food libel laws.)

"Pulls just a little power" for a desktop computer maybe, but compared to embedded wireless routers that are going to draw 5-15W (good ones closer to 5, I put 15W because the at&t 2wire uverse proprietary box draws something like 16-17W), or even an atom system which will probably draw 20-30W, it'll pull many times that. The good old wrt54gl I have pulls 2 to 3 watts.

Figure 1W is roughly $1/yr in costs (+- 10-20% depending on your energy provider), if you don't need more capability than a wireless router provides, even if you already had old hardware, you're likely to pay more over a couple years to power a headless desktop box than you would to pay retail for a wireless router + power. A modern video card at idle will draw about the same order of magnitude of power as an entire embedded router, too.

Do not say anything. Tell them to fuck off and don't address in particular or in general anything they alleged.

The *only* time you open your mouth to an agency (public or private) that is investigating you, whether it's the IRS, police, feds, or the BSA, is through a lawyer. That would typically take the form of a *response* to a demand letter.

A consultation and getting a response letter written by a good lawyer may run you circa $1-2k, but if the alternative is getting sued by the BSA or shutting down your company, it may be worth it.

If you use noscript, about 90% (made-up large percentage) of the web is broken or functionally degraded.

No problem. I'll just run GNU Hurd.

Mr. Whitehurst, CEO, Redhat, Inc:

You are infringing on my client's patent 2938562906716 relating to a method by which CEOs can maximize shareholder value by settling frivolous patent lawsuits for less than the cost of a full legal defense.

We are prepared prepared to defend our patent all the way to the Supreme Court if necessary.

My client wishes to advise you that in order to settle this lawsuit, you will have to pay an additional $500,000 in royalties for using his patent.

I trust we will be receiving a check from you soon.

Yours,
Slimy Lawyer, Esq.

Already posted a solution for that.

http://ask.slashdot.org/comments.pl?sid=2120414&cid=36004040

Double NAT works tolerably well if you set up your interior router as DMZPlus under the 2wire router config. DMZplus eats incoming ICMP traffic, so if you have MTU problems on your vpn link, the link may appear to be dead, but you can probably fix it by manually reducing the vpn's mtu. VOIP shouldn't be a problem; SIP uses tcp/udp so you can forward that through like any other app even if you don't use DMZplus.

The 2wire routers also have horrible routing capability, so getting a static IP block is a bad idea, and the 2wires are also very picky about what's on their local layer-2 network. Plugging a device onto the 2wire's visible ethernet (i.e. not behind another router) and giving the device multiple IPs, or switching its IPs, is a great way to confuse the 2wire router. The firmware was written by morons.

Recommendations for 2wire router users: get another router (my current favorite is the buffalo wzr-hp-g300nh, 32mb flash 64mb ram, comes with branded dd-wrt and can be easily flashed with openwrt). Put that router behind the 2wire in dmzplus mode. Connect a switch to the interior router and connect everything to that.

The only things that need to be on the 2wire's local layer 2 lan are the interior router and the uverse cable DVR if you get TV as well (and if you get voip through uverse then you probably need that on the 2wire's ethernet domain too).

Matt Dillon complains about the 2wire router: http://leaf.dragonflybsd.org/mailarchive/users/2011-02/msg00074.html

#!/usr/bin/ruby
# I would have put this on github, but first it's horrible code and second I don't want my slashdot identity linked to my github one.
# create database 2wire; use 2wire;
# create TABLE readings (timestamp TIMESTAMP DEFAULT NOW(), port INT NOT NULL, txbytes BIGINT, rxbytes BIGINT, txpackets BIGINT, rxpackets BIGINT, txerrors BIGINT, rxerrors BIGINT, primary key `dateport` (timestamp, port));

series = `curl -s 'http://172.16.0.1/xslt?PAGE=C_2_0'`

(activeport, activeline) = [ nil, nil ]
data = Array.new

series.each_line {|line|
        if activeline == 4 then activeport = nil; activeline = nil end
        if activeport then
                line =~ /.*([0-9]*).*/
                $1 == "--" ? value=0 : value=$1.to_i
                data[activeport].push value
                activeline += 1
        elsif line =~ /rowlabel.*Port ([0-9]+) / then
                activeline = 1
                activeport = $1.to_i
                data[activeport] = Array.new if data[activeport].nil?
        end
}

1.upto(data.size - 1) {|port| # remember data is a zero-based array, but the ports from 2wire are positive integers
        (txbytes, txpackets, txerrors, rxbytes, rxpackets, rxerrors) = data[port]
        `mysql 2wire -e "INSERT INTO readings (port, txbytes, rxbytes, txpackets, rxpackets, txerrors, rxerrors) \
                VALUES (#{port}, #{txbytes}, #{rxbytes}, #{txpackets}, #{rxpackets}, #{txerrors}, #{rxerrors})"`
}

512MB? What kind of a joke is that? My two older boxes (2-3.5 years old) both have 8GB, and this one has 12GB and is about to get upgraded to 24GB.

The last computer I had with 512MB was a p3-1ghz back in 2001. At the same time I built a dual p3-1ghz with 1GB ram, so 512MB was the lower end of what was acceptable even back then.

I have trouble believing a modern browser (chrome or FF) could even run on a system with 512MB ram. That system must swap a lot.

Great. A duopoly instead of a monopoly. I feel SO much better.

Unfortunately, for wired, there is no competition with Vzn. I can't get Verizon's fios where I live; it's either AT&T's capped uverse, AT&T's capped DSL, or comcast's capped cable.