
Comment Re:Not so sure about this... (Score 1) 252

I have been building my home automation system since the first iteration of Vera came out (still using my original Vera controller, which is woefully underpowered.) I initially bought it to control the plant lights by having the duration of supplemental lighting follow the duration of the actual day, providing seasonally appropriate lighting which causes the plants to bloom on schedule. It has been much more reliable at keeping track of the time than I ever was, and our plant growth has been much improved as a result. That was the initial outlay; further additions included automating lights, coordinating indoor and outdoor lighting without having to rewire the house, and the additions of temperature and water sensors. In terms of money, though, I don't know that any of those qualify as a "savings". At best, they've been a cost avoidance (one of the sensors alerted me to a water leak before the basement flooded.)

In terms of my time spent, like you, it's a hobby for me. I'm learning what works, what doesn't, and playing with various things to see if I get interesting or valuable results. Home automation has long claimed to have potential, but it's going to take a lot of real world examples to prove it.

Comment Re: Not so sure about this... (Score 2) 252

People are all panicky about smart meters, and they imagine they're some kind of Big Brother device that reports on their TV watching habits, or know exactly what kinds of subversive web sites they visit based on their power usage, and report their pr0n habits to the gubbamint. But "smart meters" are not "omniscient meters". They just measure your home's overall consumption of electricity, same as your current meter.

Smart meters essentially work like what you're talking about. The difference is they are in near constant communication with the utility, so they broadcast a rate schedule to your home's appliances that advertise the current and near future electric rates, and they can report overall house consumption on a near-real-time basis. And that's about it.

The utility can predict "At 4:00 today it will be very hot, so we will be bringing on supplemental generators at that time to meet all the extra A/C demand." They also know that regular electricity normally goes for $0.08/kWh, but supplemental generators cost them $3.00/kWh. They then tell the meters the rate schedule for today is $0.50/kWh from 12:00 to 3:00; $0.60/kWh for the first 2kW from 3:01 to 8:00, but $5.00/kWh for everything above 2kW; and $0.20/kWh from 8:01 to 12:00. The meter then announces the price schedule to your home appliances. You may choose to have your washing machine configured to run only if the cost of your electricity is less than $0.25/kWh; you may have your thermostat set to reduce air conditioner use when the cost is greater than $0.75/kWh; and you may set your electric water heater and pool pump to switch completely off if the cost is greater than $1.00/kWh. It's all your choice; how you want to manage your consumption remains up to you. You simply have to know you'll pay more when overall demand is greater.

Your electricity usage today is not a secret. Your meter already reports usage to your utility company so you can pay for what you use. But today, your dumb meter can't tell what time of day the electricity was consumed, and it doesn't know the rate in effect when you consume it, so your utility company has to front-load everyone's rates with the predicted cost of supplemental generation, the future cost of fuel, etc, and they only change the rate on a monthly or annual basis. What will change with smart meters is the rate you pay will depend on the rate in effect when you consume it; the meter will know the current rate and you will be charged accordingly. Even after smart meters roll out, how you choose to use the energy your house consumes is still up to you, and whether or not you're spending it on a dishwasher or indoor pot-growing farm is still not the utility company's business.

Comment Re:not just many eyes (Score 1) 255

I look at it as a methodology to spread the risk.

We've had a few packages dominate the landscape, and each of them has had some of the best and the brightest people looking at it, reviewing it, analyzing it, looking for flaws, running code analysis, fuzzers, everything. We've done exactly what you've said: we dedicated resources to develop a single (or few) libraries. Yet they still have flaws.

I don't believe the perfection-alone-model works, because there is no evidence that it does. So far we have evidence that every commercial-grade protocol and implementation has had some kind of security flaw. Therefore we need to stop believing that we can engineer our way out of the situation, because we haven't. We need a completely different and complementary approach. We need to better manage the risk of failure.

To me it doesn't matter why someone would choose a particular library over another, only that we don't all put our eggs in the one basket. The evidence suggests they're all going to fail at some point; it's only a matter of when.

Comment Re: not just many eyes (Score 3, Interesting) 255

So all we need are 11 more sets of programmers to program free version of SSL 2-12?

Yes, and demand for them. But the big problem you're correctly implying is there's no economic justification that will drive this behavior. Maybe it will take a dozen big companies and foundations to drive this. Imagine if IBM, Microsoft, Google, RedHat, Yahoo, HP, Dell, Apache, Wikimedia, Mozilla, FSF, Apple, Intel, AMD, nVidia, Bungiesoft, and others each contributed their own versions of openSSL; each written in their own choice of language, using their own code, and building their own implementations of everything from the crypto through the command line interpreter logic. My company may decide we do more business with Intel, so we choose theirs. Or your company may be more Apple focused, so you'd choose theirs. In every case, we'd all nervously watch each other looking for signs of intrusions, hoping we won't be the victims, but knowing that alternatives exist if we are.

While a 1/12th scale incident of Heartbleed is still a huge problem for a lot of companies, it's no longer the catastrophe-sized disaster that Heartbleed actually was.

Comment Re:not just many eyes (Score 4, Interesting) 255

The security of the open source model isn't really the problem or the answer here. The problem is homogeneity. A million different sites and applications rely on just a few libraries, so that when a bug hits one, it has massive impact on the entire internet.

We also know that the answer isn't in rolling your own security. Very few people or organizations are likely to be able to securely implement their own version of TLS. Even the best packages of today didn't start out perfect; they had to iterate through several flaws to get to where they are today.

So perhaps the better answer is in having more packages to choose from? Instead of picking just openssl by default, it would be better to have a broad array of choices. With a dozen packages on the market, that might mean 11 times out of 12 the bad guys wouldn't exploit our site. If the packages are interchangeable, we'd be better positioned to switch them quickly in case of emergency.

Comment Re:blu rays are cheaper than the movie (Score 2) 400

There is always some demand for lone-wolf revenge movies. Remember all the Charles Bronson "Death Wish" movies from the 1970s? He also looked like an ordinary guy, living an ordinary life; not at all dissimilar from Liam Neeson.

Many people enjoy seeing vigilante justice, and for some reason they especially enjoy seeing a guy who has been wronged taking out an entire gang of deserving villains (with just a little help from his friends.) They also get to overlook the fact that in normal circumstances we'd label such a person a "mass murderer".

Comment Re:Are people sick of the MPAA? (Score 1) 400

That would mean movies would cost like a buck or two? Even I'd go for that price.

I wouldn't. Remember "dollar theaters" from the 1990s? They were built on that exact premise. It turned out the audience was primarily a bunch of noisy kids who could afford to go at that rate, so they went to the theater to socialize instead of watching the movie. They had all the manners and polish of a herd of goats.

Even though the dollar theaters had much higher attendance numbers than the first-run theaters, the local ones went out of business. I think it's due to the amount of cleaning staff they had to run through the auditorium after each show, mopping up spilled drinks, clearing pathways paved with popcorn and litter, and chiseling used chewing gum off of every surface. We tried the dollar theater a few times, but it was so disgusting we chose to continue to pay full price for the few movies we did attend. The higher prices set a bar where the people in the theater actually want to see the show.

Something else that the dollar theaters can't compete with is cable. When we are in a theater watching the previews, my wife and I will critique each: "that looks good, we'll have to go see it"; "that looks like your kind of movie"; "let's wait for it to come out on cable"; or it looks so ridiculously awful or inappropriate that all we can do is laugh or cringe. But "wait for cable" is pretty much the stock answer for everything of interest. When we were at the theater yesterday, I don't recall seeing a single preview for any movie we really wanted to catch in the theater.

Comment Re:you need to kill the botnets (Score 2) 312

No, it wouldn't stop everyone from doing stupid things, but it might help a few people make better decisions.

Hardly.

Attacker: It's Christmastime, so just install this greeting card program that has dancing cats!
Above Average Victim: Might this be a virus?
A: But dancing cats!
AAV: OK! *click*

Attacker: It's Christmastime, so just install this greeting card *click* program that has dancing cats!
Average Victim: You had me at greeting card! Oh, look! Dancing cats!

If you are going to allow people to own their own computers, and make their own decisions about what software they're going to run on them, they will always be a security vulnerability. Either they have to outsource their trust (digital signatures on programs, antivirus programs, etc) or there needs to be a new way to compartmentalize and isolate authentication and authorization.

Comment Re:Poor choices to use proprietary cause this! (Score 2, Informative) 129

Let's see how that plays out in the Open Source world:
Step 0: discover exploitable vulnerability in Linux kernel random number generator.
Step 1: send a private message to Linus Torvalds saying you've found a vulnerability
Step 2: endure a private tirade of racist and misogynistic abuse about how stupid you are in not recognizing this as not-a-bug
Step 3: publicly post details of exploit
Step 4: endure a public tirade of racist and misogynistic abuse about how irresponsible you are for not disclosing this privately
Step 5: wait for it ...
Step 6: enjoy your now-patched system.

I'm sure I missed an unpleasant step somewhere in the above, but it should be enough to acknowledge that Open Source isn't always the perfect solution we imagine it to be.

Comment Re:Length, skill and revenge (Score 2) 155

I loathe chance-driven games.

There needs to be enough chance so that you have to apply new strategies and skills to overcome the luck of the draw. Chance that simply promotes or demotes you without any recourse is pointless. Chance that puts you in situation A or situation B is slightly more interesting. Chance that puts you in situation(n!) is where you have to exercise your brain to map out a new strategy, and it's where games get fun.

Comment Re:90 days to fix (Score 1) 129

"The database has already one worried comment saying that automatically revealing a vulnerability just like that might be a bad idea."
Really? They had 90 days to fix this. That is plenty of time.

It's no big deal. I'm posting this from my Windows 8.1 box, and nothing bad has happened. ... @LizardMafia RULEZ!1! d0wn with S0NY!!11!
