Oddly, I replaced my main home server with a highly energy efficient model four years ago (mac mini). I was using a kill-a-watt meter to measure that I was spending > $100/year on the old server, and that was a significant factor on what to get as a replacement. All my other systems are energy efficient laptops at home. I use the kill-a-watt regularly to test devices suspected of burning excess power.

Are there things I don't do? Of course. But I hardly ignore energy efficiency. I also make sure I'm not getting a low energy number that I will never make up the cost of over the life of the equipment. So that hybrid car? No go. I don't drive enough miles to justify the surcharge.

What a strange universe you live in. Sounds nice.

Databases firewalled? No bad guys on your network? No direct DB connectivity?

Oddly, every time I went to a T-mobile storefront, I had a courteous person who was willing to tell me the right thing for me, even if it resulted in a lost sale. I was looking at a cheap replacement device for a five year old emergency phone. They told me to not buy it from them, because it would cost too much. They're one of the only places I can get cell service without them using my SSN as an account number.

The online rep I dealt with a couple months ago made me nearly reconsider my options for carrier. I decided finally to chalk it up to one bad apple and went on.

The summary I read restricted a "kinetic response" to cases where "kinetic damage" occurred. For those who do not read that language, that means no dropping bombs unless physical damage is done.

So Iran might have been justified under this doctrine in attacking the creators of Stuxnet, but South Korea would not be justified under this doctrine in launching a few artillery shells/missiles at the initiator of whoever attacked them, because while wiping hard drives is really annoying, it does not rise to the level of "kinetic damage". Note, taking power offline may not even rise to the level of kinetic damage, even though there is serious issues caused. That gets into the fine interpretations though.

Most authorized retaliations are purely online/computer under the doctrine.

In my most recent job change, I was astonished at how helpful HR is. This was punctuated by a call from a HR manager to me about a month or so after I started asking if there were any problems they could help me with. The HR department has been helpful, doing their best to take work off me and help me get to my primary job duties.

Yes, some HR departments are at best unpleasant to work with and should be treated as a hostile entity. Some IT departments earn their nickname of "Preventer of Information Services". Some computer security departments earn less polite nicknames and make HR look like amateurs. Some senior managers make you scramble to memorize everything you can so you can document it as soon as you get home and call (because you wouldn't dare call from your personal phone or worse, use a work phone to call) a lawyer, or district attorney.

Hating HR may be popular here, but two of my jobs over the past many years have actually had very positive experiences with HR, right down to the last day and beyond.

You forgot the other issue. Different products may be subject to different tax levels. For example, in one state, tea has sales tax. In another, tea has no sales tax. So you have to hold in your database not only all the varying rates, but the lists of what items are subject to what tax levels, and keep that database updated on probably a daily basis.

And yes, my tea vendor says Massachusetts has a tax on tea.

Ah, the old "only [criminals|rebels|rulebreakers] have skills" argument.

I had a long chat with one of their sales types a couple weeks ago. The sales person had to talk to backline engineering, but confirmed the next day that yes, the bypass I outlined in under two minutes to evade the tool completely would in fact work and their software was designed in precisely the way as to make support from OS and hardware vendors very difficult on Linux.

I tried to push them into the more useful area of logging what is done rather than trying to declare a known whitelist. Under their current scheme, a sysadmin couldn't write a custom shell script to their home dir and run it without going through twenty blessings first. Tweak that shell script? Won't run, even without privilege. I was not impressed.

When Java was first released, I was told what a security researcher called it after looking at the model.

"It's a very nice virus description language"

Every year, I remember that during the latest critical Java issue.

You forgot that you are stopped at #3. Your change request is denied because your apps say the update will never work with their code and they need a minimum of twelve months to fix, and it isn't at the top of their priority list right now. Senior management has mandated these other features be put in, and these bugs in their java based web page code be squashed, so they can't make their code compatible with the update right now. Maybe next year?

http://www.consumer.ftc.gov/articles/0213-lost-or-stolen-credit-atm-and-debit-cards disagrees with you on the amount of fraud liability on debit cards. Most telling is this statement: "For unauthorized transactions involving only your debit card number (but not the loss of your card), you have 60 days after you get your statement to report the unauthorized transaction."

The credit card fraud protections are similar. I realize that debit cards used to have no legal fraud protection unless your bank offered such. It appears to be different now and has been I'm told for around fifteen years.

Well, yes. Telecom vendors are not exactly celebrated for their competence, especially in security.

A more accurate statement might be that if I see a product from any major telecom vendor, I go in assuming that it will be riddled with security holes that were well documented ten years ago. Usually I can't even meet those low expectations and am disappointed -- again.

I've seen this happen so many times it's not even funny. OpenOffice/LibreOffice weren't brought in for any part of it until people couldn't open it and in desperation they agreed to try the suggestion to try opening the file in LibreOffice. File opens fine, is saved in the MS format, and the result is openable in MS Word again.

Two other examples I can think of include SELinux and the hardening of what became DES against differential cryptanalysis, twenty years before the attack was widely known.