There are several pointed questions I'd like to see people ask our presidential candidates. I'm going to start a list below, if anyone goes to an event, and can get one of these off before being tossed out, I'll buy you a coke. If it gets a reasonable answer, I'll buy you two cokes. If anyone has anything to add, tell me and I'll add it.

I'm going to do them by issue type and candidate, I guess. Most of them are probably pretty interchangeable. I started thinking of these in the context of "questions I would want to ask Rick Santorum", so I'm starting with him.

Civil Rights / Social issues

Rick Santorum

Note: Dogs cannot enter into contracts. Neither can minors. Don't let him pull that pedo/bestial nonsense. No state with legal same sex marriage has 4 partners getting married, or people marrying dogs or children

Fiscal Issues / Debt & Deficit Reduction

Newt Gingrich

National Security /

Barack Obama

Ron Paul

Why can't we pay attention to FB hacking warnings?

People do hack FB profiles, it happens every day. They often do it by inducing the target user into clicking a link that can steal their login information in any number of ways. This happens. It's a Big, Bad Internet, and in all likelihood at some point you will:

This sort of thing happens every day, to all of us. There are people deeply involved in network security who accidentally click some link and their profile gets hacked.

Occasionally, you see status updates like this:

BEWARE ATTENTION: THE HACKERS ARE PUTTING SEXUAL VIDEOS TO YOUR NAME IN THE WALLS / PROFILES OF YOUR FRIENDS WITHOUT YOU KNOWING IT. YOU DONT SEE IT, BUT OTHER PEOPLE CAN SEE IT, AS IF THESE WERE A PUBLICATION THAT YOU MADE! ALSO, THEY'RE SENDING INBOX MSGS TO YOUR FRIENDS ASKING YOU TO CLICK A LINK. DON'T DO IT!! SO IF YOU RECEIVE SOMETHING FROM ME ABOUT A VIDEO OR A STRANGE INBOX MESSAGE, IT'S NOT ME! copy this in your wall. It is for the security of YOUR OWN IMAGE!!! And REPORT IT!!!!! ALSO IF U ARE ASKED TO VOTE ON A PICTURE. DO NOT GO & VOTE: IT'S A HACKER!! POST THIS TO YOUR WALL FOR YOUR FRIENDS

There are so many problems with this they're hard to count. It's no different from a chain email warning of some vague threat from some somewhat familiar antagonist, like FEMA camp emails. It's so vague as to be meaningless, and just screams BE AFRAID literally as loudly as possible. ZOMGFEMAGONNATAKEAWAYMYGUNSANDLOCKUPOURFAMILIES.

ZOMGHACKERZONTHEINTERNETSWTFBBQ.

There are legitimate people doing hard work daily to make web browsing safer for everyone. These sorts of ridiculous "warnings" do a serious disservice to everyone in the community and lowers awareness among those people we should all be trying to reach. The more people keep re-forwarding this stuff, the more it becomes just "noise", and people start paying even less attention to their security than ever. People see this stuff as 2012 Mayan calendar doomsday predictions, as urban legends, and as plain SPAM, and tune it out, and they're not wrong to do so.

Real threat alerts look much more like this (from the NIST CVE database for CVE-2011-2383):

Vulnerability Summary for CVE-2011-2383
Original release date:06/03/2011
Last revised:09/27/2011
Source: US-CERT/NIST

Overview:
Microsoft Internet Explorer 9 and earlier does not properly restrict cross-zone drag-and-drop actions, which allows user-assisted remote attackers to read cookie files via vectors involving an IFRAME element with a SRC attribute containing an http: URL that redirects to a file: URL, as demonstrated by a Facebook game, related to a "cookiejacking" issue, aka "Drag and Drop Information Disclosure Vulnerability." NOTE: this vulnerability exists because of an incomplete fix in the Internet Explorer 9 release.

Impact:
CVSS Severity (version 2.0):
CVSS v2 Base Score:4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:N/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
CVSS Version 2 Metrics:
Access Vector: Network exploitable
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type:Allows unauthorized disclosure of information

What that means is "Someone can steal your cookies, and can gain lots of information about you, including usernames, passwords, session IDs".

You'll see that the CVE ticket is pretty dry, considering the potential impact, but they have lots of corroborating evidence, even videos to show you how easy it is to accomplish. And all they have to do is get you to click on a link.

The point is to always be aware before clicking on anything. If something is unusual, or sent by someone you almost never hear from, don't click it. If it's misspelled, has bad grammar, ALLCAPSALLTHETIME, don't click it. If you really, really just need to see what some near-stranger who can't spell needs you to click on so badly, then you should be aware of the risk you're taking.

For what it's worth folks; I'm unlikely to send you a link to porn, unless I'm really, really drunk. If I do, you I'll just go ahead and apologize now.

[music | Misfits - Hollywood Babylon]

[Also-music | Elvis Presley - Blue Suede Shoes]

Before even getting into the show, the best part of my day was hounding the friend I recruited at the last minute that his car was "definitely" going to be towed. I made him paranoid to the point that he went to check, and the tow truck guy had actually HOOKED HIS CAR UP when he ran up and paid the guy off and moved it to street parking. This is why Boston requires that you own either a shitty car in general or have a beater so you're not leaving your precious princess A7 on the street in Allston until after midnight :-)

The show was amazing. I hadn't been to the Brighton Music Hall since they took it over from Harpers Ferry. The venue hasn't really changed much, if at all. I think they have new floors, and I think they opened up another door, since there seems to be a lot more space to get in and out.

The lighting wasn't that bright for Jittery Jack, who is local and great. I think he said he found out he'd be opening like two weeks before the show and got a band together. They did a great job, Natalie thought he was like Jumpin' Bill Carlisle. Put on a great fun set, he got money from my wife, buy his CD.

It was good to see Imelda May on her solo tour, we'd seen her with Jeff Beck on the Les Paul tribute tour, which was just ludicrously good, and the band was likewise great on a smaller stage with a sweating dancing crowd. She was all over the place and the band was lots of fun. They played plenty of covers with their original songs, including Tainted Love and That's All Right.

As I clicked around to get some more info tonight, I find there are two shows I wish I'd attended, and am quite sad I didn't. There was one at Somerset House in London, which is directly across the street from the hotel we stayed at only a couple of months ago. That would have just been awesomely convenient. I also found that two days ago there was a show in Philly with Imelda May and Wanda Jackson, who we just love, and have seen 1 1/2 times.

Here are some pictures, more like them on Flickr (and for Jittery Jack):

Jittery Jack:

Jittery Jack, being Jittery:

BLOW!

People noticed I seemed kind of testy for on-vacation-guy last week, here's why.

We got to the hotel at 10:30am, so effectively 5:30 EST. Our room wasn't done,so we walked around and waited for my mom's plane to land. We didn't want to get too far from the hotel in case my mom showed up, which she kept not doing, so we started to get kind of worried. Around 1 we decided to just hang out in the lobby and wait for the room. I slept, Natalie walked around some more.

Our room was ready at 3 and we went upstairs. I went to plug in my laptop and stuff and get set up and realized I'd forgotten our power outlet converter, so we took the one from the minibar for the low-low price of £11.50. Plugged my power strip into that, plugged the converter into the wall, and all the electicity fell out all at once. My power strip was on fire and smoke coming from the receptacles. I guess "surge protector" isn't all that accurate, since it didn't just flip. Then we noticed that as we would turn off lights, they stopped coming back on again, so not only did I flip the circuit breaker for the outlet I was using, all the rest of them started popping too.

So we went to the desk and they sent maintenance up. It was right around this point that I noticed the very fine print on the converter that said "this is not a transformer, you still need that".

Also, we found a regular 110v outlet, not located where the UK and Euro ones were, but under the desk, behind the bed. Unfortunately it didn't work. Maintenance came and just reset breakers and got the UK power back, though the 110 didn't work, and stayed not-working the rest of the trip. Luckily both my laptop and camera battery chargers will do 220v, unluckily, Natalie's camera battery charger does not. We were told we could have a knock down transformer for the duration of the stay, but it never showed and the reception desk staff seemed to have all the engineering acumen of a 6 year old blonde girl, so we didn't push the issue.

It was around this time that my mom finally showed up. We knew her flight had been pushed 3 hours, they called her at home before she ewnt to the airport. What we didn't know was that when they finally boarded, they sat at the gate for 7 hours in Charlotte before finally taking off at ~4am EST.

At least her room had partially-working 110 that we could use to charge Natalie's batteries.

Dinner was shitty chain Italian, I had a pretty inexcusable steak, and left my hat, never to be retrieved because I didn't want to go in that building ever again for fear that I might demonstrate to the cook how to make a rare steak. Grab him by the neck, put his face by the grille and say "SO DO YOU WANT TO BE 'RARE'? OR DO YOU WANT TO BE WHAT YOU DID TO MY STEAK"?

Power was a running joke through our stay. Days 2 and 3 we also lost power to the room. There is no way that was all my doing.

The key point I took away from RSA's communications today is that all implications are that it's likely their token seed database was taken and that token codes are predictable, and may be able to be matched to customers.

They didn't say this, clearly, but every action they suggest to mitigate risk points to the fact. The mitigation steps they give are: