So the gap is "the secret key must be kept secret"? I don't see that as a digital certificate failing. It's also the reason we have revocation lists.

The 3rd party would only ever get the intersection of "do not mail" and their own marketing list. And emails wouldn't be sitting around in clear text in a database / filesystem..

Here's what 'supercookies' actually are (from the horse's mouth: http://cyberlaw.stanford.edu/node/6715)
* you hit a page which includes a wlHelper.js script
* wlHelper.js is served with header that tell your browser - cache this forever
* wlHelper.js contains code something like this:
      var unique_id = 'RANDOM_LOOKING_STRING_JUST_FOR_YOU'
      if MUID cookie doesn't already exist
            set MUID cookie to unique_id

You delete your MUID cookie - but next time you hit a page that contains wlHelper.js the cached version is pulled form your browser. unique_id is there in the cached code, so the cookie gets set again.

Combine centralized and "multi-factor"? Build more PCs with smart card readers?

I'd like to see google offer some form of multifactor on their openid provider. A keyring token generator, or maybe a smartphone app?

Here's someone who has already done it..
http://waxy.org/2008/09/audio_transcription_with_mechanical_turk/

Split up the audio into 5 min pieces.
Set up a template on Amazon Turk for'workers' to grab the 5 min mp3 files, and pay them $2 for each file translated.

More info in the comments. http://www.audiobookcutter.com/ is capable of chopping up the file at the silences for you.

Could be "call back" spam, i.e. I look at my phone and see "missed call from 555-1234". I swear I didn't hear that ring, but I call the number back anyways - and I get a recorded message selling some crap. So I generally google / don't call numbers I don't recognise now. If someone has something important to tell me they'll leave a message.

I'm surprised a nasty worm hasn't propagated via torrent client exploits. Get a list of IPs from a tracker AND the client/version they are using. Not only that: all the users would've opened the port on their router..

X-files has gone off TV?

In this case CoralCDN was effectively acting as a proxy - the IP address wasn't being falsified. Although these guys did appear to have some luck with falsified IP addresses: Why My Printer Received a DMCA Takedown Notice.

Two more strikes and Google gets their internet connection cut? Oh, no!

whoops: (i was in the process of RTFA)

I get the impression it doesn't. Just connects SSH, and sends some commands to change your desktop.

No self propagation = not really a worm.

what usually happens:
* you request a cert common-name=serverbox.mydomain.com from a Certificate Authority (CA)
* CA determines you are authorized to make this request on behalf of mydomain.com
* serverbox.mydomain.com serves down the signed cert, your browser makes sure website == common-name == serverbox.mydomain.com

what these clever guys discovered:
* you can request a cert common-name=paypal.com\0.mydomain.com
* CA determines you are authorized to make this request on behalf of mydomain.com
* man-in-the-middle sits in between you and paypal.com, serves down this cert, victim's browser makes sure website == common-name == paypal.com (whoops!)
* victim sees paypal.com in their browser with that reassuring padlock

How does the company paying commission make money off this? Redirecting your browser to their spammy search engine, pop up ads?