You forgot the other issue. Different products may be subject to different tax levels. For example, in one state, tea has sales tax. In another, tea has no sales tax. So you have to hold in your database not only all the varying rates, but the lists of what items are subject to what tax levels, and keep that database updated on probably a daily basis.

And yes, my tea vendor says Massachusetts has a tax on tea.

Ah, the old "only [criminals|rebels|rulebreakers] have skills" argument.

I had a long chat with one of their sales types a couple weeks ago. The sales person had to talk to backline engineering, but confirmed the next day that yes, the bypass I outlined in under two minutes to evade the tool completely would in fact work and their software was designed in precisely the way as to make support from OS and hardware vendors very difficult on Linux.

I tried to push them into the more useful area of logging what is done rather than trying to declare a known whitelist. Under their current scheme, a sysadmin couldn't write a custom shell script to their home dir and run it without going through twenty blessings first. Tweak that shell script? Won't run, even without privilege. I was not impressed.

When Java was first released, I was told what a security researcher called it after looking at the model.

"It's a very nice virus description language"

Every year, I remember that during the latest critical Java issue.

You forgot that you are stopped at #3. Your change request is denied because your apps say the update will never work with their code and they need a minimum of twelve months to fix, and it isn't at the top of their priority list right now. Senior management has mandated these other features be put in, and these bugs in their java based web page code be squashed, so they can't make their code compatible with the update right now. Maybe next year?

http://www.consumer.ftc.gov/articles/0213-lost-or-stolen-credit-atm-and-debit-cards disagrees with you on the amount of fraud liability on debit cards. Most telling is this statement: "For unauthorized transactions involving only your debit card number (but not the loss of your card), you have 60 days after you get your statement to report the unauthorized transaction."

The credit card fraud protections are similar. I realize that debit cards used to have no legal fraud protection unless your bank offered such. It appears to be different now and has been I'm told for around fifteen years.

Well, yes. Telecom vendors are not exactly celebrated for their competence, especially in security.

A more accurate statement might be that if I see a product from any major telecom vendor, I go in assuming that it will be riddled with security holes that were well documented ten years ago. Usually I can't even meet those low expectations and am disappointed -- again.

I've seen this happen so many times it's not even funny. OpenOffice/LibreOffice weren't brought in for any part of it until people couldn't open it and in desperation they agreed to try the suggestion to try opening the file in LibreOffice. File opens fine, is saved in the MS format, and the result is openable in MS Word again.

Two other examples I can think of include SELinux and the hardening of what became DES against differential cryptanalysis, twenty years before the attack was widely known.

Scary implies I'm not numbed to the state of affairs by years of apathy by management.

My experience is that teachers tend to be the bullies, not the bullied. If teachers pointed out that many of them were carrying lethal weapons, it would create an atmosphere where many students were bullied just by being in the class. They may be much more afraid to disagree with a teacher (necessary when so many textbooks contain factual errors the teacher doesn't catch and teaches anyway).

I'm reminded of the Man-Kzin War saga and the ARM.

Got moved to the annex. I'm told it was too controversial in the main smithsonian, hence the move. That's been turned into a decent size museum on its own.

I want to *choose* my sort and list criteria. If I want to listen to Brahms, I shouldn't have to remember that the conductor of my most of my Brahms is Bernstein, but I have other Brahms conducted by someone else. Or they may choose to list the featured soloist as the artist, especially on concertos. I look for composer long before I look at performer.

In the new album view, I see no way to change the secondary criteria displayed from artist (confusing, useless to me) to a more useful field, such as composer.

The URL http://getsongbird.com/desktop/ disagrees with you. Download link for OS X.