Slashdot Mirror


User: Khopesh

Khopesh's activity in the archive.

Stories
0
Comments
833

Comments · 833

  1. "FOSS-ware" Is redundant on Red Hat Pledges Patent Protection For 99 Percent of FOSS-ware (theregister.co.uk) · · Score: 3, Informative

    "FOSS-ware" would mean "(Free/Open Source Software)-ware"

    The accepted terms are "free software," "free (as in speech) software," "software libre," and if you really insist, "F/OSS" or "FOSS" as expanded above. Also valid but with slightly different definitions: "GPL-compatible" (tighter definition), "open source" (looser definition, allows prohibiting modification or even sharing), and "copyleft" (looser still).

    If I were to coin a new term for something meeting RMS's Free Software Definition, I'd consider "freedomware".

  2. Bad data! Mac is a lot more than 2x Linux on Linux Desktop Market Share Crosses 3% (netmarketshare.com) · · Score: 1

    I don't know how they collect their data, but it can't possibly be true. This has Linux rather consistently around half as popular as Mac, suggesting that for every two people you know with Macs, there's a third running Linux on the desktop. I don't know of any regions in which this would be true.

    Furthermore, I find it disturbing that there's a lack of any data for FreeBSD, OpenBSD, or even Other when the specificity is in hundredths of a percent. That means if the sample had 20,000 "desktop" users, 1188 run Mac, 674 run Linux, and less than 1 run any of the BSDs or something else. The sum of these numbers is 100.01%, so Windows + Mac + Linux includes at least two values that were rounded up, further supporting the theory that these are absolute zeros. Most studies like this tend to show more "Other" than Linux.

  3. Looks like a nice modern filesystem on APFS Is Not Optional (apple.com) · · Score: 5, Informative

    I'm not a Mac guy, so I had to look this up: Apple File System (APFS) is a decent modern filesystem with most features you'd expect from something developed somewhat recently. Here's a FS comparison where you can compare it to the latest and greatest competing formats like Linux's ext4 and Btrfs, Sun's (Oracle's) ZFS, and of course Microsoft's NTFS.

    Features uncommon elsewhere include native snapshotting, encryption, and error correction.

  4. Russia has 2x as many ~K12 CS students as the US on How Silicon Valley Pushed Coding Into American Classrooms · · Score: 1

    I've been saying this for years: make Computer Science (theoretical math, logic, basic linguistics) a mandatory subject in K12 education alongside (applied) math, science, etc. Also, yank pre-calculus and calculus (save it for physics majors in college, offer it as a math elective in high school) and offer statistics for students advanced enough to get that far. Statistical illiteracy is one of the main drivers behind our fake news problem.

    Brian Krebs agrees with me, citing this as Why So Many Top Hackers Hail from Russia:

    Compared to the United States there are quite a few more high school students in Russia who choose to specialize in information technology subjects. One way to measure this is to look at the number of high school students in the two countries who opt to take the advanced placement exam for computer science.

    According to an analysis (PDF) by The College Board, in the ten years between 2005 and 2016 a total of 270,000 high school students in the United States opted to take the national exam in computer science (the “Computer Science Advanced Placement” exam).

    Compare that to the numbers from Russia: A 2014 study (PDF) on computer science (called “Informatics” in Russia) by the Perm State National Research University found that roughly 60,000 Russian students register each year to take their nation’s equivalent to the AP exam — known as the “Unified National Examination.” Extrapolating that annual 60,000 number over ten years suggests that more than twice as many people in Russia — 600,000 — have taken the computer science exam at the high school level over the past decade.

  5. An algo by any other name would sound as sweet... on For Video Soundtracks, Computers Are the New Composers (npr.org) · · Score: 1

    The hangup is on audience reaction? Pick a pseudonym. "Composed by Sound Tek featuring David Cope" would be sufficient. The audience would need to look it up in order to learn it's an algorithm written by Cope rather than a band.

  6. Overconfident? This bluff call is risky on Disney Chief Bob Iger Doesn't Believe Movie Hack Threat Was Real (hollywoodreporter.com) · · Score: 1

    It's really hard to determine that there is indeed no leak, especially when you have so many companies involved in editing the film. What if the stolen copy wasn't a final cut, e.g. before the final color corrections or whatever the last few tasks are? It could have been stolen from any of the firms Disney uses to do that.

    Calling this a bluff is risky. Disney could get egg on their face for it. Or they could be right. Or they could have secretly paid and made this announcement anyway in some kind of effort to save face (... which could backfire even more drastically).

  7. Re:At least use correct terminology on How Fonts Are Fueling the Culture Wars (backchannel.com) · · Score: 1

    I find it hilarious that they misread kerning as keming ... likely due to bad kerning.

  8. Re: "Could We Eliminate Spam With DMARC?" on Could We Eliminate Spam With DMARC? (zdnet.com) · · Score: 1

    If DMARC were mandatory for all email, we'd still see plenty of spam. All snowshoe spam, for example, uses DMARC in order to look like a legitimate marketer and get the free passes that ... no anti-spam system awards.

    All DMARC does is prevent spoofing of the From header's domain. You can still set up your own "marketing" domain and spew spam. You can still register bankofamerica-customersupport.com or create an account for "bank0famerca@yahoo.com" or hack into "anonymous_coward@gmail.com" and change the friendly-from to "Bank of America Customer Support" and not worry about the email address since software like Apple iOS's Mail app will only show the friendly-from. Solving that kind of forgery is much harder. Trust me, it's part of my job.
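The "friendly-from" forgery described above is exactly the gap DMARC leaves open, so here is a small detector for it as an added example (my code, not the commenter's): it parses the From header and flags a display name, local part or look-alike domain that resembles a protected brand while the actual domain is not one the brand sends from. The brand table and the crude two-label registrable-domain rule are assumptions for the demo; a real deployment would load its own brand list and use the Public Suffix List.

```python
# Added example: flag display-name / look-alike impersonation that DMARC does not cover.
# DMARC only binds the From address's *domain* to its sender; it says nothing about the
# display name, the local part, or a similar-looking domain the sender legitimately owns.
import difflib
import email.utils
import re

# Constructed brand table (assumption): brand keyword -> domains the brand really sends from.
PROTECTED_BRANDS = {
    "bank of america": {"bankofamerica.com"},
    "paypal": {"paypal.com"},
}


def _normalize(text: str) -> str:
    """Lower-case, fold common digit look-alikes, keep letters only ('Bank0fAmerca' -> 'bankofamerca')."""
    folded = text.lower().translate(str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a"}))
    return re.sub(r"[^a-z]", "", folded)


def _registrable_domain(domain: str) -> str:
    """Crude eTLD+1: the last two labels (assumption; use the Public Suffix List in production)."""
    return ".".join(domain.lower().split(".")[-2:])


def _resembles(key: str, text: str, threshold: float = 0.85) -> bool:
    """True if some window of text about as long as key is a near match for key (typo-squat tolerant)."""
    best = 0.0
    for n in (len(key) - 1, len(key), len(key) + 1):
        for i in range(max(len(text) - n, 0) + 1):
            window = text[i:i + n]
            if window:
                best = max(best, difflib.SequenceMatcher(None, key, window).ratio())
    return best >= threshold


def check_from_header(from_header: str) -> list[str]:
    """Return impersonation findings for one RFC 5322 From header; an empty list means clean."""
    display, address = email.utils.parseaddr(from_header)
    if "@" not in address:
        return ["unparseable From header"]
    local_part, raw_domain = address.rsplit("@", 1)
    domain = _registrable_domain(raw_domain)
    findings = []
    for brand, legit_domains in PROTECTED_BRANDS.items():
        if domain in legit_domains:
            continue  # the brand's own (DMARC-aligned) domain: nothing for this check to do
        key = _normalize(brand)
        if _resembles(key, _normalize(display)):
            findings.append(f"display name impersonates {brand!r} but address domain is {domain}")
        if _resembles(key, _normalize(domain)):
            findings.append(f"look-alike domain {domain} for {brand!r}")
        if _resembles(key, _normalize(local_part)):
            findings.append(f"local part {local_part!r} impersonates {brand!r} at {domain}")
    return findings


if __name__ == "__main__":
    # Constructed sample headers mirroring the comment's scenarios.
    for header in (
        "Bank of America <alerts@bankofamerica.com>",
        '"Bank of America Customer Support" <bank0famerca@yahoo.com>',
        "Support <noreply@bankofamerica-customersupport.com>",
        "Alice <alice@example.org>",
    ):
        print(header, "->", check_from_header(header) or "ok")
```

A DMARC pass on the yahoo.com or look-alike domain would be entirely genuine, which is why this check has to look at the parts DMARC ignores.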

  9. Map: It stretches from Seychelles to Mauritius on Scientists Discover Evidence of a 'Lost Continent' Under the Indian Ocean (earthsky.org) · · Score: 2

    Here's the satellite view on Google maps:

    https://www.google.com/maps/place/Mauritius/@-13.1797616,57.7735312,2289136m/data=!3m1!1e3!4m5!3m4!1s0x217c504df94474c9:0x4203d9c2116bd031!8m2!3d-20.348404!4d57.552152

    It kind of looks like Japan.

    Anybody could have found this by merely playing with any of the numerous views of the ocean floor we've had in the last few decades, though it is neat to see evidence of it having previously been above water with notable signs of life.

  10. What excites you about your new Tesla job? on Author of Swift Language Chris Lattner is Leaving Apple; We're Interviewing Him (Ask a Question!) (swift.org) · · Score: 1

    I hear you're moving on to work at Tesla as VP of Autopilot Software. Congratulations!

    What three things excite you the most about Tesla?

  11. Americans prefer Jewish candidates to Atheists on Zuckerberg Could Run Facebook While Serving in Government Forever (techcrunch.com) · · Score: 1

    From The Telegraph, Mark Zuckerberg reveals he is no longer an atheist:

    The Facebook founder [...] said he believed religion was "very important". It comes after a year in which Zuckerberg, who was raised Jewish, met the pope and [...] praised the Buddhism of his wife Priscilla Chan, posting a photo of himself praying during a visit to a pagoda in Xi'an.

    Last week, Zuckerberg posted a message on his own Facebook page wishing followers a Merry Christmas and Happy Hanukkah. In response to a comment asking if he was atheist, he said: "No. I was raised Jewish and then I went through a period where I questioned things, but now I believe religion is very important."

    This makes perfect sense for a wannabe politician: A 2012 Gallup poll concluded that potential voters were more likely to refuse to vote for an atheist candidate (43%) than a candidate that was Muslim (40%), gay/lesbian (30%), Mormon (18%), or Jewish (6%). Similar results were found in a 2014 Pew survey that found 53% of those surveyed would reject an atheist presidential candidate, leading "never held office" (52%), age 70-80 (36%), adulterers (35%), and gay/lesbian (27%). Both polls concluded that being atheist was among the least positive aspects as well (Gallup had atheists at the bottom of the list with 54% positive, beating Muslims (58%) and gay/lesbians (68%), while Pew had atheists as tied with gays/lesbians at 5% positive, with the only less supported group being adulterers (2%)).

    The Gallup poll also tracks favorability of these traits over time, demonstrating that support for an atheist presidential candidate is very slowly improving from 1978's 40% to 1999's 49% to 2012's 54%. Contrast that to the support for a Jewish presidential candidate, which has grown from 82% to 92% to 91% in the same respective polls. They also break these figures down by political party: Republican voters care more about these sorts of things, and their atheist/Jew favorability gap (48% vs 95%) is far greater than the Dems' (58% vs 92%). The GOP's 95% willingness to vote for a Jew is even larger than their willingness to vote for a woman (92%).

    Zuck may milk the Jew+Businessman stereotype for personal gain but he is also showing his diversity through the aforementioned visit with the pope. Expect to see similar press-friendly stories on his 50 state tour, whose primary objectives will probably be publicity and then research for where he wants to align his political platform.

  12. Just in: "Mistakes were made" -- HPSCI on Congressional Report Claims Snowden In 'Contact With Russian Intelligence' (cnn.com) · · Score: 4, Informative

    @Snowden just tweeted:

    "Mistakes were made:" Less than 24 hours after releasing report claiming I lied, HPSCI is walking back its report. http://www.usnews.com/news/articles/2016-12-22/in-declassified-edward-snowden-report-committee-walks-back-claims-about-intentional-lying

    From that link:

    In Declassified Edward Snowden Report, Committee Walks Back Claims About 'Intentional Lying'

    The House Intelligence Committee in September issued a three-page document alerting the public that information from its two-year investigation of former National Security Agency contractor Edward Snowden had turned up evidence that Snowden was a “serial exaggerator and fabricator” who exhibited a “pattern of intentional lying.”

  13. It's Hiya, and I don't like its lack of privacy on AT&T Is Adding a Spam Filter For Phone Calls (theverge.com) · · Score: 1

    This is merely a rebranded version of Hiya, which still requires surrendering your entire contact list and conversation metadata to a third party without any masking.

    Then again, even if each phone number were stored as a PBKDF2 hash, there are only 3-4 billion legal phone numbers in the NANPA numbering system (given 370 area codes), so I estimate this would take under 45 minutes on a quad-GPU system (divide by the number of nodes in your cluster). I suppose this is a decent hurdle, but not quite good enough to make me happy. Maybe the solution would be to also include the victim's area code's primary state in the hash (which would then require 12-36 hours to break), but then you'd have limited utility when dealing with interstate regions like the DC Metro area or the Tri-State Area.

    Security and privacy often butt heads, but I think that the right design can facilitate the right balance. The same goes with security vs freedom (we all know the Ben Franklin quote, right? "Those who sacrifice liberty for security deserve neither"). None of these are opposites.

    I'd feel a lot better if Hiya had a regular transparency report, but I can't find such a thing.

  14. Yuuup on Taking a Stand Against Unofficial Ubuntu Images (ubuntu.com) · · Score: 1

    clouds have baked private keys into their public images, so that any user could SSH into any machine

    The first capture the flag hacking event hosted by my college's volunteer systems team (which supplemented the IT staff) had this problem. Every system had the same SSH keys, so it was easy to man-in-the-middle your opponents, gain their credentials, then log into their actual systems. One of the teams that discovered this (and won the contest) went on to host the next year's event. (This was not recent.)

  15. Same issue as killing net neutrality: bad idea on Google Security Engineer Urges Hackers To Focus Less on Anti-Virus and Intrusion Products (theregister.co.uk) · · Score: 1

    You can't whitelist everything you need to, and you can't trust end users to be able to do that all themselves (no matter how many dialogs you pop up). A/V is only capable of doing so much, so users still need education.

    The other option, as this Google engineer proposes, is to lock everything down and only allow vetted programs. This is called Trusted Computing (a.k.a. Treacherous Computing) for software and digital rights management (digital restrictions management) for media. These are very secure (so long as you trust the vetting agency), but they promote too much vendor lock-in and they directly combat Free Software.

  16. Custom Rubik's Cube? on Robot Solves Rubik's Cube In Less Than a Second (livescience.com) · · Score: 2

    As resilient as these toys are, I'm not sure a standard Rubik's Cube could stand up to that kind of violence...

  17. SpamCop.net is not Dead on Spam Hits Its Highest Level Since 2010 (networkworld.com) · · Score: 1

    SpamCop is not dead. It is still up and running and the free blocklist is a great part of your anti-spam arsenal. Compare RCVD_IN_BL_SPAMCOP_NET to the other free options using SpamAssassin rule vetting stats and you'll see it's among the top performers. ("S/O" is a measure of relative precision, "SPAM%" is recall.)

    Unlike the other DNSBLs, SpamCop also reports spam back to the networks that sent it (with filters to deal with spammer-friendly and negligent network operators, either of which might ignore or even pass on the heads-up to spammers rather than disciplining them).

    In particular, SpamCop did well against this Necurs attack but it does not fare as well against hailstorm/snowshoe spam attacks (which IP reputation doesn't help combat). IP-based DNSBLs aren't anywhere near as effective today as they were ten years ago, but they're still quite worthwhile. That said, you're right in that the best ones cost money.

    I feel happy, oh so happy. I don't want to go on the cart.

  18. lower infosec budgets will INCREASE hacking damage on Sad Reality: It's Cheaper To Get Hacked Than Build Strong IT Defenses (theregister.co.uk) · · Score: 3, Insightful

    This report looks at a lot of data, but (as noted in the Limitations section) it's only what was publicly available. Lots of breaches, especially w.r.t. ransomware, go unreported. Lots of breaches go undetected and/or aren't as easily measured as money (e.g. a rival company steals your un-patented trade secrets).

    However, my biggest issue with this analysis is that its conclusion makes no sense. It says that the cost of cyber breaches is roughly equal to the cost of maintaining a defense. This paper fails to account for how money spent on cyber-defense reduces the money lost to cyber-attacks. If you're advocating for a radical reduction in InfoSec, this is the (only!) figure that matters.

    Information Security is important, and there is good work being done here and more work needed. Cutting the InfoSec teams down will correlate to an increase in attacks that get through. This paper seems to be suggesting that reduced InfoSec budgets will somehow also limit the damage they combat. That makes no sense.

  19. Google already has a solution: wireless last mile on Google Fiber Is Changing Its Strategy as Costs Grow (fortune.com) · · Score: 4, Informative

    In June, Google announced that it would acquire Webpass, an urban ISP that delivers ethernet drops rather than requiring cable or DSL modems. WebPass has fiber connections throughout its various cities ("San Francisco, Oakland, Emeryville, Berkeley, San Diego, Miami, Miami Beach, Coral Gables, Chicago, and Boston") and connects the last mile with a wireless connection to the customer's rooftop using point-to-point radios.

    This is mentioned in TFA as well:

    Google Fiber last month bought Webpass Inc., a company that beams internet service from a fiber-connected antenna to another antenna mounted on an apartment building. The company serves roughly 820 buildings in five cities.

    Webpass already offers 100+ Mbps (up and down!) for $46/mo ($550/y or $60/mo) at the residential level, and I'm under the impression the speed is actually bottlenecked by the ethernet switching and cabling within each participating building rather than the wireless signal; they support up to 1 Gbps using this model.

  20. How about a pool of shared virtual SIM cards? on Edward Snowden's New Research Aims To Keep Smartphones From Betraying Their Owners (theintercept.com) · · Score: 5, Interesting

    I've thought about this a bit. Consider a consortium of like-minded privacy-concerned people that has a pool of virtual SIM cards (exceeding the user base by perhaps 2x or more). The group pays for the whole pool of SIM cards (end users pay the group, perhaps through bitcoin). Participating phones check out random virtual SIM cards (using some kind of cryptographic signature perhaps similar to blockchains to assure anonymity) periodically in order to ensure apparently random distribution. All transactions flow over a VPN to a common network and the phone itself is disabled (use VoIP). Web access runs through Privoxy or similar filtering to ensure there are no traceable bits. This should be fine until you start installing other apps.

    This probably requires special hardware in order to "spoof" the consortium's SIM cards and swap between them with minimal downtime.

  21. Re:Are antivirus (especially free one) still relev on Avast Acquires AVG For $1.3 Billion To Create Security Software Giant (venturebeat.com) · · Score: 1

    I'm not sure I follow; just because a piece of malware comes from the internet doesn't mean your only diligence must be in your web browser (... and email client, torrent client, ...). Nowadays, we're more plagued than ever when it comes to zero-day malware, meaning that A/V misses it the first time around. You need a local A/V scanner that regularly evaluates potential threats, ideally upon each execution.

    Ad blockers only protect you from malvertising, not straight-up malicious web sites. These days, they're as important as A/V (and often more effective), but you really want both. Microsoft has in the past caught fewer viruses than even ClamAV (Windows Defender is lauded as "better than nothing, but it's not a whole lot better. Most of the popular antivirus [solutions] can do better."). I'd happily take the free solutions from Avira, Avast, AVG, or Panda over it. I currently suggest Avira to my friends and family, though I don't run Windows.

    See also this security question on Stack Exchange, which shows how a similar misconception (protecting only filesystem edits) is similarly risky.

  22. presumably low power consumption? on Micro-Camera Can Be Injected With A Syringe -- May Pose Surveillance Concerns (phys.org) · · Score: 3, Interesting

    I couldn't see notes about how the thing is powered, but a third major benefit from this sort of thing may be that its battery usage is negligible. That means you can do so much more than an ambient light sensor. Consider a wearable that scans QR codes automatically, so it's already available when you want it (you never miss the opportunity to get it, nor do you have to fumble around with lining it up or getting it in focus). Now consider the same for facial recognition. This clearly has privacy implications even without being ~invisible.

    If it's also cheap enough, you could even knit it into clothing (just encase it so it's water-safe and able to handle temperatures from -40 to 200F). Sensors everywhere, knowing everything you've been in contact with, helping track the spread of diseases ... or just your lost keys.

    Also, a big thank you to the submitter, who actually linked the original academic paper in the main Slashdot story. We need more of that.

  23. They probably use IP for location on Facebook Backtracks, Now Says It Is Not Using Your Phone's Location To Suggest Friends · · Score: 1

    At my last job, I walked a coworker through setting up a LinkedIn account. As soon as he had created the account, but before he had entered any information (beyond an email that had never been shared with coworkers), he was getting suggestions from lots of coworkers, not including me. Why? Presumably because our network was behind a NAT, so these people had all connected from the same IP address. (I wasn't suggested because I used a proxy to surf the web.)

    IP addresses are decently telling. If I were Facebook or LinkedIn, I'd certainly leverage IP CIDRs (or else ASN + GeoIP) as a part of the friend suggestion algorithm, and if it was the only data available, it'd end up being decently obvious to anybody thinking about where their suggestions come from. Of course, I'd also filter that list of suggestions by perceived "social hubs," people who tend to be well connected, as that's the best way to grow a social network.

    Phones' locations may be too specific for this sort of thing – unless they're kept in a database to note the places you frequent (are you at the festival, or are you passing by it to go to the store? are you regularly at auto parts stores, or do you just need new tires?). There's enough information from photo geotagging, check-ins, likes, and IP CIDR/ASN/geolocation to sufficiently boost the more informative social network itself.

  24. Re:Javascript exploit on FBI Is Classifying Its Tor Browser Exploit Because 'National Security' (vice.com) · · Score: 1

    I'm not sure how knowing your LAN IP is 192.168.0.101 is going to identify you. The only way to make that a viable attack would be to pwn another system on the LAN (such as the router) and phone home through it. At that point, you don't even need WebRTC, just a JS-based port scanner.

  25. I have often wondered about expiration dates on This Gizmo Knows Your Amex Card Number Before You've Received It (csoonline.com) · · Score: 1

    Expiration dates are indeed predictable. One common trick used by subscription services is to merely bump it the appropriate number of years during their auto-renew phase rather than complaining to the user (and therefore offering a reminder that it exists, thus possibly getting the service canceled, and that's lost revenue!).

    Giving a random range of -1 to +4 months from the standard shouldn't harm anything (except the aforementioned squirrelly services?) and would offer a lot more protection. Consider googling 4147 visa for example; you'll find a few expired credit cards. Now bump the expiration dates by 2 or 4 years. (Slashdot covered this two years ago.)