Maybe I should head to Chicago for a week.

According to Reuters, the Sheraton Chicago hotel's general manager, Rick Ueno, has devised a rather unique informal program for Crackberry addicts. Check in, hand your Blackberry over to Ueno, and detox for the rest of your time there.

Ueno... said the program which began Wednesday grew out of his own personal BlackBerry addiction. His one-step recovery was switching to a regular cell phone.

"I was really addicted to my BlackBerry. I had an obsession with e-mail," he told Reuters. "Morning and night. There came a time when I didn’t think it was healthy ... I quit cold turkey."

Ueno said he would take personal charge of any BlackBerrys or related devices guests want to surrender and place them in his office locked up until their return is requested. There is no charge.

"I run a hotel with over 900 employees and thousands of guests. I think I’m more effective. I feel better. I sleep better. My family likes it," he said of his post-BlackBerry life.

He might be onto something...

I've made three trips from Portland, Oregon (where I live) to Washington DC in the past month. I love DC, but that's enough for me for now. Especially when you add in all the other trips I've made in-between. Try expecting to fly from DC to Omaha, but getting to Chicago and finding out your flight to Omaha was cancelled, so you decide to fly to Kansas City and drive to Omaha. at 1 a.m., then five hours later you get back on a plane to fly to your next stop

Crazy. I have spent most of the past couple months on the road. Or in the air, as the case may be.

Anyhow, time for a couple days off, no matter how much I may be needed elsewhere, so I am heading up to Scranton, PA to catch back up with my friend, Mary Beth. Her brother's getting married at West Point this weekend so we'll be up that way for a couple of days. What a cool place to get married. He graduated there last year and is an officer in the U.S. Army in Arizona. It will be a fun weekend.

Then it's back home so my dogs and cat can stare at me in disdain again for a day or two. Heh.

http://www.zachbraff.com/

Sure, he's had the Garden State blog going with an occasional post here and there for a while, but Zach Braff - one of the few actors I can actually stand to listen to (actually I think he's a rather good, decent, funny cool person) for more than five minutes at a time - has started a new blog with video and text entries. Check it out.

Needs RSS though.

A coworker sent me a link to a news article today, yet another one about a data breach from - you guessed it - a stolen laptop. This one was an auditor working for Ernst & Young and doing an audit of Hotels.com, and apparently the auditor (and I can't believe this) left it in his or her car and it was broken into and stolen.

So now, thousands of Hotels.com customers' personal data - meaning names, addresses and credit card information of about 243,000 people - is potentially in the hands of someone who could use it improperly. Oh, and by the way, my name is certainly on that list.

Up until today I was frustrated to no end with these events.

Now it's personal. Now I'm angry.

And get this: The theft occurred in February and Ernst & Young didn't notify Hotels.com until the first week of May. What??? And on top of that, customers were not notified until a few days ago. You've got to be kidding me...

This post contains some useful information about data breaches, packaged with a bit of a rant by yours truly about information security - or the serious lack thereof - in US companies and institutions. As a reminder, what I post here is my own opinion and not that of my employer or anyone else. I work in information and cyber security, and I care - a lot - about these issues.

There's a major attitude problem - let's call it a lackadaisical mentality - out there and it's high time someone did something about it. Lazy security means lots of helpless victims, and we're so far behind the 8-ball as a country it's downright scary. There's a fundamental "people problem" at the root of this, and no matter how much technology we throw at it, the analog physical and human components need to be addressed before any of the technical issues can be resolved.

The Privacy Rights Clearinghouse maintains an online chronology of data breaches with descriptions of each event, outlining any known data breaches that have occurred since February, 2005.

All told, as of the time I write this, there are 84,797,096 individuals whose identities are known to have been included in these data breaches. Banks, universities, health care providers, insurance companies, corporations, credit card providers... Lord only knows about the ones that have not been reported. Ugh, it's depressing. It's also ridiculous.

What bothers me the most is how often the term "stolen laptop" shows up in the list. What in the world are people doing with sensitive information stored on computers that can walk out the doors of all of these heavily regulated companies and institutions? It's insane from a security management perspective.

But then again, let's take a look at just how many US banks, universities, health care providers, insurance companies, corporations and credit card providers are certified under some kind of recognized information security management standard. Let's take the big standards - BS 7799-2 and ISO 27001 - for example.

BS 7799-2:2002 (in this case, the "BS" stands for "British Standards") has long been the recognized standard for overall security management, and the new ISO/IEC 27001:2005 international standard is basically BS 7799-2:2002 in an updated form. It's also related to ISO 17799, since we're throwing around fancy names. Ultimately it's all the same stuff, just renamed and reassigned. The 27001 standard represents a systematic approach to managing sensitive information so that it remains secure. It encompasses people, processes and IT systems.  It is used to determine and evaluate a company's security management framework and is internationally recognized as the gold standard for security.

If a company doesn't have a security management framework in place, not only is it unaware of what's happening in it's own walls, it doesn't really know whether or not it knows much of anything. Yeah, that's confusing. What you don't know is what will most likely kill you. Either way, it's negligent in this day and age not to be formally on top of information security, and that involves not just firewalls and technology, but risk assessments, people, processes, and an over-reaching management framework to ensure all the bases are covered.

Did he say "negligent?" Yes, negligent. And I mean it.

It's a lot of work to achieve and maintain the 7799/27001 certification and to hold up to ongoing audits, to be sure (just ask me or my coworkers about it some day, we live it), but it's not rocket science and for gosh sakes, IT'S IMPORTANT. And it's not about the actual certificate, it's about all the things that go into the process of getting the certificate and keeping it.

So, if you had to hazard a guess, how many agencies, institutions and companies in the United States do you think have this important and recognized certification?

Be prepared to be disappointed. Especially when compared to the number of certified organizations in other countries, like say Japan and India and Korea. Or pretty much any other developed country, for that matter. It's really quite pathetic.

Of the 2600+ organizations on the certificate register, there are only seven  (yes, that's "7") companies or organizations in the entire United States certified under ISO 27001, and only 39 have been certified in the US under BS 7799-2 and ISO 27001 combined. Keep in mind, there's overlap on the lists, as a number of companies (like ours) have converted from the British Standard cert to the ISO 27001 model, meaning we've been certified twice.

This table shows how many organizations are certified under either ISO 27001 or BS 7799-2 as of June 5, 2006. The term "organization" can mean any one of several things: companies, portions or divisions of companies, agencies, or various other other entities. I've left off most of the countries that have only one certified organization to save space.

Japan	1602	Brazil	9	Slovenia	2
UK	244	Sweden	8	South Africa	2
India	186	Spain	7	Armenia	1
Taiwan	92	Turkey	7	Bahrain	1
Germany	57	Iceland	6	Chile	1
Italy	42	Greece	5	Egypt	1
USA	39	Kuwait	4	Lebanon	1

And of the US companies, agencies and organizations on that list, only one of them is a bank (and even then it's only the information security team's component of the business). None of them are credit unions. None of them are insurance companies. None of them are health care providers. One of them is a university. A couple are government agencies - and not the same ones that have been in the news lately, that's for sure.

If you think about it (or search for it, for that matter), how often do you hear about information disclosure outside the United States? Sure, it happens, but seemingly not nearly as often. And why is it, I wonder, that in Japan there are so many certifications? ISO 9000 (the gold standard for manufacturing) is huge there, as well. 

The fact of the matter is that overall, companies and institutions in the US don't take security nearly seriously enough.

So - It's time to do something about this. Now, not tomorrow. It's already much too late, so we need to get moving. We're already in triage mode, friends.

What to do? To start, if you do business with any company that handles sensitive individual data, ask them about their security certifications. And don't accept just a SAS-70 certification as covering the bases - it only covers operations of the datacenter and has practically nothing to do with the rest of the company. Also, make sure you know specifically what any issued certifications actually cover - this is called the "scope" of the certification. Is it the entire company (usually it's not so you have to ask), or is it just a department or division? If the company is not formally certified, do they have a security management framework and a standard they follow?

Also, this is formal security management we're talking about. Don't accept lame responses like "we're covered under HIPPA" or "we get audited for Sarbanes-Oxley so that's all covered..." Sorry, that doesn't come close to cutting it. Neither of those auditing standards require a company to have a security management system in place, and neither come close to covering what's needed to ensure proper security standards are met outside of their narrowly focused scopes.

Get educated. Find out what needs to change. Demand change. Question systems that put the secrets in the hands of people who don't have a personal stake in the game. Do business wherever possible only with companies that are cognizant enough of security to formalize their program on a standard framework and which preferably have external certification of the results of that effort. I'm not kidding here. And yes - it can be done.

Unless you have a better idea (and feel free to share - comment away), that's what it will really take to create change - Market forces. We certainly can't count on the government to do anything about it - they'll just come up with vague, useless legal acts that almost always miss the mark and cost the business sector billions (take SARBOX for example). Individual action and demanding that companies get serious - and that they do so in a manner where they can be formally reviewed and held accountable - is the best real-world way to force change.

Is it just me, or is it kinda strange (and maybe a little ironic) that "anti-freeze" and "coolant" are the same thing?

JK posted a cool picture that turns out to be a visual representation of his weblog. So, I went to the site that creates them and made one of my own (click the image below to view full-size):

Color Legend:

blue: for links (the A tag)
red: for tables (TABLE, TR and TD tags)
green: for the DIV tag
violet: for images (the IMG tag)
yellow: for forms (FORM, INPUT, TEXTAREA, SELECT and OPTION tags)
orange: for linebreaks and blockquotes (BR, P, and BLOCKQUOTE tags)
black: the HTML tag, the root node
gray: all other tags

If you ever need to find an old version of pretty much any web browser that ever existed, just go here. Anyone need a copy of IE v1.0?

Wow, a lot of the browser names on that list bring back memories, heh...

I know, I know - it's sooo lame to link to Internet videos, blah blah, but seriously I only link to the ones that make me go WOW... This one certainly got me to play it more than just once.

The Extreme Diet Coke & Mentos Experiments:

What happens when you combine 200 liters of Diet Coke and over 500 Mentos mints? It's amazing and completely insane.

This has to be one of the better orchestrated Intarweb videos I have seen in awhile. Two guys take 200 bottles of Diet Coke, drop a bunch of mentos in the bottles, and end up with a terrific - albeit kinda messy - display. It does cause one to wonder, though:

If I eat Mentos and drink Diet Coke will I blow up????

Watch it here. Some of the earlier tests are also viewable online. Heh.

Not able to register and sign up for college classes and hike on down there to learn some useful crypto skills? No problem. The University of Washington's crypto course is available online for anyone to access. And this is some truly decent content.

Practical Aspects of Modern Cryptography - course description

The full semester of class content is available online - slides, video of each class session, audio in MP3 format (there's even a podcast link) - great stuff. You'll spend some real time working through the class presentation, which means you'll be spending the time it takes to actually learn the content.

By far the best way to view the content online is with a special app you can download from the UofW web site for free. If you install their WebViewer application you can get the video and slides and instructor annotations playing all together in one nifty package. Quite excellent since they teach with - get this - a Tablet PC in real time. It's kind of like Monday Night Football for geeks. Heh.

There's a whole slew of math and number crunching stuff in the first class sessions, but it's information that is fundamental to a complete understanding. Then the instructors move into protocols and more practical, real-world applications.

There's a TON of presentation content here. Anyone who wants to learn about cryptography for real will likely find this worthwhile. Kudos to the instructors and the University of Washington for providing this online class content. We need more complete educational stuff like this on the web. Like MIT's OpenCourseWare. Excellent.

(via Digg)

Steve Knopper took a new Dell computer and spent 18 days infecting it with all the malware and viruses he could get his hands on. His account if the whole thing is published at Wired.

"What kind of idiot buys a computer and willingly – even eagerly – exposes it to all the malware and viruses he can? Me. I bought a Dell Dimension B110 ($468! Cheap!) and tried to kill it for more than two weeks. I clicked on every pop-up and downloaded the gnarliest porn, gambling, and hacker files I could find."

And then he returned it to Best Buy on the 18th day. Classic. Read Steve's account here.

If there is one thing I have learned lately, it's that I have been wrong all along about how to solve problems between businesses. It's become very clear to me over the past few days of industry observation that the only way way to solve a problem is to serve some form of aggressive legal notice just as soon as humanly possible. So, as part of my top-secret role as a representative of an organization I am not actually allowed to tell you about, the following notice has been formally served on America Company and its CEO.

Background: America Company has infringed on the property rights of the organization I represent, and it's obvious they have done so intentionally and without even asking or offering to cook dinner or anything. That phone call back in February where they asked if it "would be cool" to use the trademark doesn't really count - it was purely a discussion of hypotheticals and whatever was said was certainly not really meant.

So, I regret even having to go this far. It is a very difficult thing to have to do. Unfortunately, it's now officially the only acceptable way left to solve real problems...

Dear AMERICA COMPANY and RORY BLYTHE, CEO:

I am counsel to AMERICA THE OTHER COUNTRY LLC (herein referred to as "SHADOW AMERICA"). Working closely with THE UNITED STATES OF AMERICA (and its predecessor, THE COMMONWEALTH OF SALEM) as well as its various divisions and entities, SHADOW AMERICA is the creator and producer of of the ATM/NIGERIAN SCAM MACHINE and ATM/NIGERIAN SCAM CONFERENCE, and has been constructing and distributing these machines, and conducting these conferences, since 2004. As a result of our investment of time, energy and resources in the production of the ATM/NIGERIAN SCAM MACHINE and related conferences, and the associated ATM/NIGERIAN SCAM MACHINE service-marks and product trademarks, members of the industry and interested members of the public have come to associate the mark "ATM/NIGERIAN SCAM MACHINE" and the ATM/NIGERIAN SCAM MACHINE conferences with SHADOW AMERICA and THE COMMONWEALTH OF SALEM.

It has come to my attention that you have marketed a service and/or device entitled in whole or part ATM/NIGERIAN SCAM MACHINE. Through this title, you are misinterpreting and misrepresenting, and recipients are given the direct and false impression that you are providing them with SHADOW AMERICA'S ATM/NIGERIAN SCAM MACHINE device. We have received numerous complaints related to confusion among our highly confidential and sensitive list of customers surrounding your marketing materials published on or about June 3, 2006, and other similar items.

SHADOW AMERICA has a pending application for the registration of ATM/NIGERIAN SCAM MACHINE as a service mark for the production, marketing and sale of devices, namely combination ATM-scam machines, associated devices and services related thereto in various fields of technology and services. You use of the ATM/NIGERIAN SCAM MACHINE mark without our authorization or consent directly violates our exclusive rights. Selecting this title can only been seen as a deliberate attempt to trade off the good will of SHADOW AMERICA and causes confusion in the market. You mis-use, ironically, is exacerbated by your use of the term "AMERICA COMPANY" in your marketing material, which is close in language and terminology to SHADOW AMERICA, and due to the little-understood yet existing connection between SHADOW AMERICA and THE UNITED STATES OF AMERICA, your company's name further complicates matters for consumers. Moreover, such actions contribute to unfair trade practices, unfair competition and are a flagrant violation of SHADOW AMERICA'S trademark rights.

SHADOW AMERICA hereby demands that you immediately cease and desist from utilizing ATM/NIGERIAN SCAM MACHINE at the name or title of your products and/or services, and from making any further use of our mark, or any mark that is confusingly similar to it. SHADOW AMERICA further demands that you provide us written assurance within ten days that you have ceased to use such name and title and that you will refrain from using and SHADOW AMERICA marks in the future.

Any further actions by SHADOW AMERICA will depend on the nature and promptness of your response. SHADOW AMERICA will retain and reserve all of its rights with respect to your actions to date.

Very Truly Yours,

Sosu Mie
SHADOW AMERICA
(AMERICA THE OTHER COUNTRY LLC)

Rory, you've been served. Again, I blame you.

Ok. Now back to our regularly scheduled programming...

Adobe, which released it's PDF format as an open format a while back, has apparently shoved Microsoft with a heck of a legal mess regarding Microsoft's plan to include PDF output support directly in the Office 2007 programs.

Brian Jones, a program manager in the Office team at Microsoft, explains that they're going to have to pull PDF output support out of Office 2007.

Let me see if I have this right. Adobe opens up the PDF format and establishes a standard that needs to be adhered to. Other companies and organizations, commercial and otherwise, pick up on that and add PDF creation support to their programs, with no hassle or complaint or legal action from Adobe. Then Microsoft adds it as an output format option to the next-gen Office programs, and Adobe complains and calls out the lawyers.

That stinks. No more Adobe for me. Don't try to convince me that it's different when it's Microsoft that's involved. Adobe's been spiraling toward an almost certain death for some time and this is just another example of that. The ISO:19005-1 standard pretty much spelled out PDF as a standard, it was opened, and now the lawyers are lining up. It's too bad. I guess Adobe didn't think through the definition of "open" when they "opened" the format standard. the only things that's clear is that some portion of Adobe's team of attorneys doesn't have a clue.

So, for people who want to do PDF in Office 2007 directly, it looks like it mean a separate download and installation. At least it won't mean being forced to use Adobe Acrobat, which is and has always been a buggy, bloated piece of junk in my experience. It fails more often than it works. I was rather looking forward to native support in Office right when I installed it...

Brian Jones' blog posts on the subject are here:

• Legal issues around PDF support
• Follow-up on PDF legal issues

I was in Washington DC today (in fact I still am - our flight through Chicago is delayed by a few hours) for a business meeting at the OCC. After the meeting ended we had some time to spare , so my coworker Milind and I spent an hour or so checking out a few spots around the city.

Our last stop before heading for the airport was Arlington National Cemetery. Milind had not been there before, and it had been more than a year for me. The last time I went, they were just closing for the evening, and also at the time I did not get a chance on that trip to find out where my grandpop and grandmom are buried.

But today we had plenty of time, so I went to the location office and the nice people there pulled out the old rolls of microfilm (seriously - someone should digitize all that for the cemetery, for free, as a donation. It's sad that they have to use Microfilm for anything before 1999) and found my grandpop's burial location.

I'd hoped our flight in on Monday would arrive in time to let me go there on Memorial Day, but no such luck, so today - Memorial Day +1, so to speak - was a good day to go.

He served in the U.S. Army - including service during World War Two and Korea. My grandmom and their three kids - my mom and her two younger sisters - traveled to Germany when he was stationed there. I'm told they moved around a lot. Probably typical army family style.

At any rate, what I remember of Grandpop was bouncing on his knee when I was very small. That and him singing "Little David Play on your Harp" to my little brother (David, of course). Of my Grandmom I remember much more. She was a very nice lady and a good person.

Anyhow, it was good to go there and spend a few minutes. Their marker (it's a shared one, because they intern couples together at Arlington) is under a big tree, and it's just a beautiful place. I snapped a few pictures before I left. I'm sure I will go back again, hopefully soon.

Arlington National Cemetery is simply an amazing, thought provoking, emotional place.

Milind and I went to the U.S. Capital building earlier in our trek, and walked in the east-coast summer heat for a while and took some pictures. The capital city has moved into that hot and muggy phase of the early summer, and today was a perfect example. We just don't get that kind of humidity in Oregon. Thank goodness.

   The Capital Building

   Milind's presentation style pose

Take the time this Memorial Day to remember. Put the memories of those who have sacrificed or gone before you at the front of your thoughts, and their families and friends in your prayers.

This day I remember many who have gone before me: My grandfather, who served in two wars and rests in Arlington National Cemetery and whose grave I hope to visit in the next couple weeks when I am there. My son. Family. Friends. And many people I never knew, who made a decision to sacrifice their lives to make ours better and - in their own very individual ways - to do the right thing.

Dear Madam,

I have been shown in the files of the War Department a statement of the Adjutant General from Massachusetts that you are the mother of five sons who have died gloriously on the field of battle. I feel how weak and fruitless must be any words of mine which should attempt to beguile you from the grief of a loss so overwhelming. But I cannot refrain from tendering to you the consolation that may be found in the thanks of the Republic they died to save. I pray that our Heavenly Father may assuage the anguish of your bereavement, and leave you only the cherished memory of the loved and lost, and the solemn pride that must be yours to have laid so costly a sacrifice upon the altar of freedom.

Yours very sincerely and respectfully,
A. Lincoln, Nov. 21, 1864

Do not stand by my grave and weep ... I am not there;
I do not sleep.
When you awaken in the morning's hush,
I am the swift uplifting rush of quiet birds
circling in flight.
Do not stand by my grave and cry ...
I am not there. I did not die.

-- Royster

It's slightly out of character for me to go to a live theater performance, but I'm glad I bought a couple tickets in early April to the stage production of Peter Pan, starring Cathy Rigby, for the second to last night of the show's farewell tour. The show was performed last night in downtown Portland at the Keller Auditorium, and I can tell you this: It was a lot of fun and an amazing show, both technically and for it's entertainment value.

First of all, no matter who you are, Peter Pan is just a great story. It speaks directly to the kid hiding within each of us and reminds us that youth is something that passes, but growing up is something that happens in its own time and in accordance with our individual wills. Few stories can make you think about what's possible like Peter Pan does, and for that it's a timeless classic story. It was actually written a hundred years ago.

This show was very well done all the way around. The set was terrific and the lighting made it all work. Of course, one of the most amazing aspects of this show - and the thing that truly sets it apart from most others - is the fact that Peter quite literally flies in the window and all around the stage. At one point, Cathy Rigby, who plays Peter and has done so for years, even flies out into the audience, over your head while the orghestra plays loudly and the crowd cheers (see some back-stage footage here). And when she flies, the former gymnast in her shows through, as she twists and turns and somersaults and spins through the air. Let's just say it's a fantastic flying effect. There's something about the Peter character, one of a young boy who is determined never to grow up, a desire many of us probably share in our own individual ways - and who can fly because he believes, something we all wish secretly we could do. If only wishing and believing could make magical dreams come true and keep us young forever... It's a universal appeal that the story of Peter Pan carries.

When Rigby and the other actors fly across and around the stage, one can't help but wish there was some way to give it a try yourself. It's powerful enough to invoke a wish to actually be able to fly, the same feeling I had when I was a kid lying on the grass and getting dizzy watching birds circle around overhead in the summer. I always wondered what it would be like to be a bird. Tonight I wondered what it would be like to be Peter Pan.

From what I've read, it seems this is Cathy Rigby's farewell tour and therefore the final weekend for this show - it will be no more after Sunday. She flies out in true style, as incredibly athletic as ever (this is an amazingly energetic and athletic production). Sunday evening is the last performance on their schedule during this "farewell tour," which is a sad moment because the filled auditorium tonight was quite pleased and into the performance. Certainly there's more opportunity for the next Peter to take on the role of a boy who woudl not grow up, to please future crowds of both young and old. I am glad and feel quite fortunate to have seen this show before it closed. Magic and pixie dust can really make a lasting impression.

A few press links from the Portland final run of Peter Pan:

• First Impressions
• Rigby set to say goodbye to Neverland
• Farewell to Neverland
• Rigby makes final pass as Pan
• It's time to leave Neverland

It looks like a few Sunday tickets are still available, and if you like the story and can swing it, you should check it out. There's an afternoon show plus one final evening performance. Here's the link for tickets, which will be good only on Sunday - After that, this particular Peter Pan will have grown up, and will be gone.