Exchanging keys over the longer-term communications medium makes it very easy to mount a man-in-the-middle attack. If you're concerned about such attacks, you need some trusted medium for key verification (or exchange) so that you and your communications partner know that each is using the same key as the other. Back in the 1990s, that medium was often key signing parties, where trust in someone's photo ID was backed up by using the social network (hey, Bob, is this really Charlie Doe?). Using a certificate authority is another way to do it... if you actually have good reason to trust both the particular CA and the chain of custody for what you think is the CA's public key.

Your response didn't highlight the bit that you claim you were rebutting, and it included a whole bunch of irrelevant (to that claim) cheerleading about the law that grossly misrepresented its size. Don't complain to me about stupidity when you don't have the brainpower to create a comment that clearly conveys your point.

In the US, police usually don't use subpoenas -- they use warrants instead, and a person has a Fifth Amendment right against being compelled to provide information in a criminal trial (which is where the police are usually involved). Subpoenas are an artifact of civil trials and regulatory actions that require someone to provide the requested evidence, and the Fifth Amendment still applies. Is there no way in the Netherlands for a regulator to compel (force) a company to turn over documents or other information that are relevant to the regulator's mission?

No, I wasn't one who bitched about Wall Street or the banks. Thanks for making an ass out of yourself by assuming, though!

... although I have to admit that New Yorkers pretty much keep asking for that level of government meddling in their lives.

Sorry, to correct my statement about the employer reporting mandates: They technically exist, but they were "delayed"/waived-for-2014 before the other provisions that have been recently "delayed". The Feds had roughly four years to set up a reporting system and failed, which I think goes a long way to illustrating how not-"light in comparison" Obamacare is, relative to a simple voter ID bill.

I have read quite a bit of the PPACA, although I admit that I have much better things to do with my time than read all ~2000 pages of it.

I did not mention all the government actions that are necessary to implement Obamacare -- those are irrelevant to my earlier point, which was that the text of the bill is only a small part of the rules and regulations that make up the law. If you think that the executive-branch costs to implement Obamacare are "light in comparison" to the NC voter ID bill, you are absolutely nutters.

Setting aside all the rest of the bill, the government-run health insurance exchanges are (arguably, but I believe) more costly and more invasive than that voter ID bill -- and there needs to be a different exchange for each state. Enforcement of the individual and employer mandates are also daunting tasks. For example, there is no legal mandate for employers to report which employees were offered a qualifying health care plan (and probably no authorization for HHS or any other government agency to require pro-active reporting), so deciding whether a person gets an insurance subsidy from the federal government requires some government drone to call the employer(s) in question and ask -- and some employee needs to get such a subsidy before the employer has to pay the employer mandate's penalty. (Did you ever wonder why the Obama administration wants to delay that particular provision even though the black letter of the law says it will take effect January 2014, or why it also wants to use the honor system to figure out who is eligible for those subsidies?)

If the NIMBYs won, why does the law still require the NRC to do what this court has ordered it to do?

If you said "because Harry Reid has a problem with the rule of law", you win one eCookie. But you probably said something stupid like "the court is endlessly appealing its earlier rulings", so no points for you.

Are you a moron, or just ridiculously gullible? The text of the PPACA may only be a bit longer than a state's biennial budget, but it requires dozens or hundreds of executive offices to add tens of thousands more pages of regulations and other rule-making on top of the legislative part of the law. It's stupid political spin to ignore those when they control an awful lot of the law's substance -- don't fall for that type of dishonest stupidity, or whatever. On top of that, the bill was written essentially in "patch" form; it modified a lot of other laws scattered across the United States Code, and you need to consult the rest of those titles to understand what it really means. (This is part of why it's so hard to resist making "we have to pass the bill to find out what's in it" japes.)

As a side note, the Internal Revenue Code is also impossible to apply -- either in the abstract, or in a way that the IRS will accept -- without reference to more decisions and regulations that the IRS and its courts have promulgated over the decades. It contains too many ambiguities and external references, and some of the agency interpretations run counter to what a layperson might understand as the natural or most obvious meaning of the text.

Many contractors have quite a bit of experience in managing project failures -- either succeeding just enough to encourage the customer to throw good money after bad, or highlighting the less disastrous results in order to explain why the next contract will succeed where the last one failed.

The same is true for most non-government contractors who work on large, one-of-a-kind contracts. The fundamental reason those projects are hard to predict, hard to manage, and hard to fix is that they tend to be very complicated and significantly different than what people have done before. Those differences from previous experience make it hard to figure out in advance where a given project will behave differently than previous jobs, and lend themselves to just-so stories when it comes to explaining the failures (no matter whether that explanation comes with positive or negative spin).

That approach works well if you're selling many, many copies of your software, or if the customer representative is intimately familiar with the customer's actual needs. For most more specialized development efforts, having a customer representative ends up adding a middleman, confusion and extra work.

What is the difference to actual development between "we have a launchable product after each sprint" versus "we launch our product after each sprint"? There are obvious differences to the users, but what makes the former superior to the latter when it comes to meeting the overall project goals?

Also, there are a lot of non-agile alternatives, many of which do (or can) incorporate periodic release-candidate checkpoints. It is simply not accurate to talk about "the" non-agile alternative.

While no process will reliably produce good software with a dysfunctional team, Agile seems to be much more sensitive to dysfunction than many other processes. If you have a team full of disciplined, skillful individuals led with integrity by focused managers, many well-documented software processes will let you deliver good software on schedule. In the real world, teams often fall short of that ideal, so it is important for a development method to be somewhat robust to imperfect use, but Agile seems to encourage frequent distractions and excessive back-and-forth.

Funnily enough, most (academic) software engineering researchers understand that "waterfall" was originally intended as an exaggerated -- strawman -- description of a methodology that nobody uses in practice. Most practitioners also understand that any non-trivial project involves some backtracking, and most involve some iteration on parts of the development lifecycle, and thus don't try to use a strict waterfall method. Most Agilistas didn't get either memo.

Your outline of running a software project applies equally well to a spiral method or a CMMI-compliant method or a lot of ad hoc methods without using any defined process. The practical problems with Agile are in the details that you glossed over that distinguish Agile from those alternative methods. Those other methods are not always better than Agile, but Agile is not always better -- and is frequently worse -- than them.

One of the hardest things for process designers to do is to fit their processes to the people who will use them.

Most hard-core proponents of Agile don't understand this. This shows up in the small number of places that do stand-up meetings right, that do automated *and* thorough testing right, that elicit useful input and direction from the customer, and so forth. Once you throw all the Agile processes together, few places can do most of it right, and that's one of the biggest reasons that Agile ends up being a poor fit so often.

When projects inevitably fail in those circumstances, it is just annoying human behavior that makes the Agilistas claim the failure is due to not doing Agile hard enough rather than doing Agile in the first place, and that's one of the biggest reasons that Agilistas end up being obnoxious blowhards so often.