greg hughes - dot net
Note that the contents of this site represent my own thoughts and opinions, not those of anyone else - like my employer - or even my dog for that matter. Besides, the dog would post things that make sense. I don't.
 Thursday, June 15, 2006
Stellarium is a free open source planetarium program for your computer. It shows a realistic sky in 3D, just like what you see with the naked eye, binoculars or a telescope.
It is being used in planetarium projectors. Just set your coordinates and go.
If you're at all into telescopes or the night sky, this one's for you.
In version 0.8.0:
sky
- over 120,000 stars from the Hipparcos catalogue with info
- asterisms and illustrations of the constellations
- images of nebulae
- realistic Milky Way
- very realistic atmosphere, sunrise and sunset
- the planets and their satellites
interface
- a powerful zoom
- time control
- multilingual interface
- scripting to record and play your own shows
- fisheye projection for planetarium domes
- spheric mirror projection for your own dome
- graphical interface and extensive keyboard control
visualisation
- equatorial and azimuthal grids
- star twinkling
- shooting stars
- eclipse simulation
- skinnable landscapes, now with spheric panorama projection
customisability
- add your own deep sky objects, landscapes, constellation images, scripts...
Click the image to view a full size screenshot:
 More great screenshots here.
What are you doing this July 4th? Well, if you're in the area (meaning the Pacific Northwest) and have a little "crazy" built up inside, here's your invitation to join me and a few of my pyro-friends as we spend the day setting up a big-ol' public fireworks display and firing it off for a community here in northwestern Oregon.
And I don't mean the fireworks you buy at the store or over on the reservation. I mean the real-meal-deal -- a commercial fireworks show bought and paid for by a town for the community.
Come on -- You know that hidden pyro deep down inside is clawing around in there, just trying to get out. You know you can't help it. You must give in. Say yes and experience the smoke, explosions and flames that go into getting those huge aerial displays off the ground and into the air. Or just help dig and bury equipment and then sit back and watch from the best seat in the house. Your choice.
In other words, come spend the 4th of July this year with us. It will be fun.
So - What exactly do you get/have to do?
Well first of all, you don't have to do anything you don't want to. Many people who come to help out are much more interested in setting up and watching the show than actually lighting it off, which is fine. Crew-members (yes, you'll get to truthfully tell people you're on the Pyro crew woohoo!) do everything: Install the mortars (4- and 5-inch mortar tubes for this show), load all the shells (hundreds of them), get trained on how this stuff works and - most importantly - how to be safe (training by yours truly), and finally we actually light the show and man the fire extinguishers - or whatever you are comfortable with. Then we clean it up and head out. By that time, it's been a long, fun day.
On the day of the show, after setup (read: manual labor involving shovels and dirt) is completed, we'll do some knowledge and safety training where you'll get to learn how the components work when you light them, and generally what to expect. It's fun. And fact is, not a lot of people get to do this kind of thing. So, this is my open invitation to the people who read this. Assuming you're 18 or older and you've not been convicted of a felony or are otherwise restricted from handling explosives (seriously, that's a hard-set rule from the feds and there's this piece of paper you'll sign saying you're cool), and assuming you don't show up drunk or anything (again, safety), it's a great time.
So, yeah... If you can talk the significant other into it (or bring him or her with ya), and you're up for it and not like completely freaked out by fire, explosions and lots of noise and smoke, let me know by sending me an email or giving me a call. Both the email link and the phone number are over there on the right side of the page (assuming you're viewing this on the web site).
Links from past shows to get you acclimated and prepared:
So, if Travis' account of things doesn't completely scare you away, be sure to get in touch!
Coolio. See ya there.
 Wednesday, June 14, 2006
 Thursday, June 08, 2006
Maybe I should head to Chicago for a week.
According to Reuters, the Sheraton Chicago hotel's general manager, Rick Ueno, has devised a rather unique informal program for Crackberry addicts. Check in, hand your Blackberry over to Ueno, and detox for the rest of your time there.
Ueno... said the program which began Wednesday grew out of his own personal BlackBerry addiction. His one-step recovery was switching to a regular cell phone.
"I was really addicted to my BlackBerry. I had an obsession with e-mail," he told Reuters. "Morning and night. There came a time when I didn’t think it was healthy ... I quit cold turkey."
Ueno said he would take personal charge of any BlackBerrys or related devices guests want to surrender and place them in his office locked up until their return is requested. There is no charge.
"I run a hotel with over 900 employees and thousands of guests. I think I’m more effective. I feel better. I sleep better. My family likes it," he said of his post-BlackBerry life.
He might be onto something...
I've made three trips from Portland, Oregon (where I live) to Washington DC in the past month. I love DC, but that's enough for me for now. Especially when you add in all the other trips I've made in-between. Try expecting to fly from DC to Omaha, but getting to Chicago and finding out your flight to Omaha was cancelled, so you decide to fly to Kansas City and drive to Omaha at 1 a.m., then five hours later get back on a plane to fly to your next stop.
Crazy. I have spent most of the past couple months on the road. Or in the air, as the case may be.
Anyhow, time for a couple days off, no matter how much I may be needed elsewhere, so I am heading up to Scranton, PA to catch back up with my friend, Mary Beth. Her brother's getting married at West Point this weekend so we'll be up that way for a couple of days. What a cool place to get married. He graduated there last year and is an officer in the U.S. Army in Arizona. It will be a fun weekend.
Then it's back home so my dogs and cat can stare at me in disdain again for a day or two. Heh.
 Wednesday, June 07, 2006
http://www.zachbraff.com/
Sure, he's had the Garden State blog going with an occasional post here and there for a while, but Zach Braff - one of the few actors I can actually stand to listen to (actually I think he's a rather good, decent, funny cool person) for more than five minutes at a time - has started a new blog with video and text entries. Check it out.
Needs RSS though. 
 Monday, June 05, 2006
A coworker sent me a link to a news article today, yet another one about a data breach from - you guessed it - a stolen laptop. This one was an auditor working for Ernst & Young and doing an audit of Hotels.com, and apparently the auditor (and I can't believe this) left it in his or her car and it was broken into and stolen.
So now, thousands of Hotels.com customers' personal data - meaning names, addresses and credit card information of about 243,000 people - is potentially in the hands of someone who could use it improperly. Oh, and by the way, my name is certainly on that list.
Up until today I was frustrated to no end with these events.
Now it's personal. Now I'm angry.
And get this: The theft occurred in February and Ernst & Young didn't notify Hotels.com until the first week of May. What??? And on top of that, customers were not notified until a few days ago. You've got to be kidding me...
This post contains some useful information about data breaches, packaged with a bit of a rant by yours truly about information security - or the serious lack thereof - in US companies and institutions. As a reminder, what I post here is my own opinion and not that of my employer or anyone else. I work in information and cyber security, and I care - a lot - about these issues.
There's a major attitude problem - let's call it a lackadaisical mentality - out there and it's high time someone did something about it. Lazy security means lots of helpless victims, and we're so far behind the 8-ball as a country it's downright scary. There's a fundamental "people problem" at the root of this, and no matter how much technology we throw at it, the analog physical and human components need to be addressed before any of the technical issues can be resolved.
The Privacy Rights Clearinghouse maintains an online chronology of data breaches with descriptions of each event, outlining any known data breaches that have occurred since February, 2005.
All told, as of the time I write this, there are 84,797,096 individuals whose identities are known to have been included in these data breaches. Banks, universities, health care providers, insurance companies, corporations, credit card providers... Lord only knows about the ones that have not been reported. Ugh, it's depressing. It's also ridiculous.
What bothers me the most is how often the term "stolen laptop" shows up in the list. What in the world are people doing with sensitive information stored on computers that can walk out the doors of all of these heavily regulated companies and institutions? It's insane from a security management perspective.
But then again, let's take a look at just how many US banks, universities, health care providers, insurance companies, corporations and credit card providers are certified under some kind of recognized information security management standard. Let's take the big standards - BS 7799-2 and ISO 27001 - for example.
BS 7799-2:2002 (in this case, the "BS" stands for "British Standards") has long been the recognized standard for overall security management, and the new ISO/IEC 27001:2005 international standard is basically BS 7799-2:2002 in an updated form. It's also related to ISO 17799, since we're throwing around fancy names. Ultimately it's all the same stuff, just renamed and reassigned. The 27001 standard represents a systematic approach to managing sensitive information so that it remains secure. It encompasses people, processes and IT systems. It is used to determine and evaluate a company's security management framework and is internationally recognized as the gold standard for security.
If a company doesn't have a security management framework in place, not only is it unaware of what's happening within its own walls, it doesn't really know whether or not it knows much of anything. Yeah, that's confusing. What you don't know is what will most likely kill you. Either way, it's negligent in this day and age not to be formally on top of information security, and that involves not just firewalls and technology, but risk assessments, people, processes, and an overarching management framework to ensure all the bases are covered.
Did he say "negligent?" Yes, negligent. And I mean it.
It's a lot of work to achieve and maintain the 7799/27001 certification and to hold up to ongoing audits, to be sure (just ask me or my coworkers about it some day, we live it), but it's not rocket science and for gosh sakes, IT'S IMPORTANT. And it's not about the actual certificate, it's about all the things that go into the process of getting the certificate and keeping it.
So, if you had to hazard a guess, how many agencies, institutions and companies in the United States do you think have this important and recognized certification?
Be prepared to be disappointed. Especially when compared to the number of certified organizations in other countries, like say Japan and India and Korea. Or pretty much any other developed country, for that matter. It's really quite pathetic.
Of the 2600+ organizations on the certificate register, there are only seven (yes, that's "7") companies or organizations in the entire United States certified under ISO 27001, and only 39 have been certified in the US under BS 7799-2 and ISO 27001 combined. Keep in mind, there's overlap on the lists, as a number of companies (like ours) have converted from the British Standard cert to the ISO 27001 model, meaning we've been certified twice.
This table shows how many organizations are certified under either ISO 27001 or BS 7799-2 as of June 5, 2006. The term "organization" can mean any one of several things: companies, portions or divisions of companies, agencies, or various other entities. I've left off most of the countries that have only one certified organization to save space.
| Country | Certified organizations | Country | Certified organizations | Country | Certified organizations |
|---|---|---|---|---|---|
| Japan | 1602 | Brazil | 9 | Slovenia | 2 |
| UK | 244 | Sweden | 8 | South Africa | 2 |
| India | 186 | Spain | 7 | Armenia | 1 |
| Taiwan | 92 | Turkey | 7 | Bahrain | 1 |
| Germany | 57 | Iceland | 6 | Chile | 1 |
| Italy | 42 | Greece | 5 | Egypt | 1 |
| USA | 39 | Kuwait | 4 | Lebanon | 1 |
And of the US companies, agencies and organizations on that list, only one of them is a bank (and even then it's only the information security team's component of the business). None of them are credit unions. None of them are insurance companies. None of them are health care providers. One of them is a university. A couple are government agencies - and not the same ones that have been in the news lately, that's for sure.
If you think about it (or search for it, for that matter), how often do you hear about information disclosure outside the United States? Sure, it happens, but seemingly not nearly as often. And why is it, I wonder, that in Japan there are so many certifications? ISO 9000 (the gold standard for manufacturing) is huge there, as well.
The fact of the matter is that overall, companies and institutions in the US don't take security nearly seriously enough.
So - It's time to do something about this. Now, not tomorrow. It's already much too late, so we need to get moving. We're already in triage mode, friends.
What to do? To start, if you do business with any company that handles sensitive individual data, ask them about their security certifications. And don't accept just a SAS-70 certification as covering the bases - it only covers operations of the datacenter and has practically nothing to do with the rest of the company. Also, make sure you know specifically what any issued certifications actually cover - this is called the "scope" of the certification. Is it the entire company (usually it's not so you have to ask), or is it just a department or division? If the company is not formally certified, do they have a security management framework and a standard they follow?
Also, this is formal security management we're talking about. Don't accept lame responses like "we're covered under HIPAA" or "we get audited for Sarbanes-Oxley so that's all covered..." Sorry, that doesn't come close to cutting it. Neither of those auditing standards requires a company to have a security management system in place, and neither comes close to covering what's needed to ensure proper security standards are met outside of their narrowly focused scopes.
Get educated. Find out what needs to change. Demand change. Question systems that put the secrets in the hands of people who don't have a personal stake in the game. Do business wherever possible only with companies that are cognizant enough of security to formalize their program on a standard framework and which preferably have external certification of the results of that effort. I'm not kidding here. And yes - it can be done.
Unless you have a better idea (and feel free to share - comment away), that's what it will really take to create change - Market forces. We certainly can't count on the government to do anything about it - they'll just come up with vague, useless legal acts that almost always miss the mark and cost the business sector billions (take SARBOX for example). Individual action and demanding that companies get serious - and that they do so in a manner where they can be formally reviewed and held accountable - is the best real-world way to force change.
Is it just me, or is it kinda strange (and maybe a little ironic) that "anti-freeze" and "coolant" are the same thing?
JK posted a cool picture that turns out to be a visual representation of his weblog. So, I went to the site that creates them and made one of my own (click the image below to view full-size):
Color Legend:
- blue: links (the A tag)
- red: tables (TABLE, TR and TD tags)
- green: the DIV tag
- violet: images (the IMG tag)
- yellow: forms (FORM, INPUT, TEXTAREA, SELECT and OPTION tags)
- orange: linebreaks and blockquotes (BR, P and BLOCKQUOTE tags)
- black: the HTML tag, the root node
- gray: all other tags
If you ever need to find an old version of pretty much any web browser that ever existed, just go here. Anyone need a copy of IE v1.0?
Wow, a lot of the browser names on that list bring back memories, heh...
 Sunday, June 04, 2006
I know, I know - it's sooo lame to link to Internet videos, blah blah, but seriously I only link to the ones that make me go WOW... This one certainly got me to play it more than just once.
The Extreme Diet Coke & Mentos Experiments:
What happens when you combine 200 liters of Diet Coke and over 500 Mentos mints? It's amazing and completely insane.
This has to be one of the better orchestrated Intarweb videos I have seen in awhile. Two guys take 200 bottles of Diet Coke, drop a bunch of mentos in the bottles, and end up with a terrific - albeit kinda messy - display. It does cause one to wonder, though:
If I eat Mentos and drink Diet Coke will I blow up????
Watch it here. Some of the earlier tests are also viewable online. Heh.
Not able to register and sign up for college classes and hike on down there to learn some useful crypto skills? No problem. The University of Washington's crypto course is available online for anyone to access. And this is some truly decent content.
Practical Aspects of Modern Cryptography - course description
The full semester of class content is available online - slides, video of each class session, audio in MP3 format (there's even a podcast link) - great stuff. You'll spend some real time working through the class presentation, which means you'll be spending the time it takes to actually learn the content.
By far the best way to view the content online is with a special app you can download from the UofW web site for free. If you install their WebViewer application you can get the video and slides and instructor annotations playing all together in one nifty package. Quite excellent since they teach with - get this - a Tablet PC in real time. It's kind of like Monday Night Football for geeks. Heh.
There's a whole slew of math and number crunching stuff in the first class sessions, but it's information that is fundamental to a complete understanding. Then the instructors move into protocols and more practical, real-world applications.
There's a TON of presentation content here. Anyone who wants to learn about cryptography for real will likely find this worthwhile. Kudos to the instructors and the University of Washington for providing this online class content. We need more complete educational stuff like this on the web. Like MIT's OpenCourseWare. Excellent.
(via Digg)
 Saturday, June 03, 2006
Steve Knopper took a new Dell computer and spent 18 days infecting it with all the malware and viruses he could get his hands on. His account of the whole thing is published at Wired.
"What kind of idiot buys a computer and willingly – even eagerly – exposes it to all the malware and viruses he can? Me. I bought a Dell Dimension B110 ($468! Cheap!) and tried to kill it for more than two weeks. I clicked on every pop-up and downloaded the gnarliest porn, gambling, and hacker files I could find."
And then he returned it to Best Buy on the 18th day. Classic. Read Steve's account here.
If there is one thing I have learned lately, it's that I have been wrong all along about how to solve problems between businesses. It's become very clear to me over the past few days of industry observation that the only way to solve a problem is to serve some form of aggressive legal notice just as soon as humanly possible. So, as part of my top-secret role as a representative of an organization I am not actually allowed to tell you about, the following notice has been formally served on America Company and its CEO.
Background: America Company has infringed on the property rights of the organization I represent, and it's obvious they have done so intentionally and without even asking or offering to cook dinner or anything. That phone call back in February where they asked if it "would be cool" to use the trademark doesn't really count - it was purely a discussion of hypotheticals and whatever was said was certainly not really meant.
So, I regret even having to go this far. It is a very difficult thing to have to do. Unfortunately, it's now officially the only acceptable way left to solve real problems...
Dear AMERICA COMPANY and RORY BLYTHE, CEO:
I am counsel to AMERICA THE OTHER COUNTRY LLC (herein referred to as "SHADOW AMERICA"). Working closely with THE UNITED STATES OF AMERICA (and its predecessor, THE COMMONWEALTH OF SALEM) as well as its various divisions and entities, SHADOW AMERICA is the creator and producer of the ATM/NIGERIAN SCAM MACHINE and ATM/NIGERIAN SCAM CONFERENCE, and has been constructing and distributing these machines, and conducting these conferences, since 2004. As a result of our investment of time, energy and resources in the production of the ATM/NIGERIAN SCAM MACHINE and related conferences, and the associated ATM/NIGERIAN SCAM MACHINE service-marks and product trademarks, members of the industry and interested members of the public have come to associate the mark "ATM/NIGERIAN SCAM MACHINE" and the ATM/NIGERIAN SCAM MACHINE conferences with SHADOW AMERICA and THE COMMONWEALTH OF SALEM.
It has come to my attention that you have marketed a service and/or device entitled in whole or part ATM/NIGERIAN SCAM MACHINE. Through this title, you are misinterpreting and misrepresenting, and recipients are given the direct and false impression that you are providing them with SHADOW AMERICA'S ATM/NIGERIAN SCAM MACHINE device. We have received numerous complaints related to confusion among our highly confidential and sensitive list of customers surrounding your marketing materials published on or about June 3, 2006, and other similar items.
SHADOW AMERICA has a pending application for the registration of ATM/NIGERIAN SCAM MACHINE as a service mark for the production, marketing and sale of devices, namely combination ATM-scam machines, associated devices and services related thereto in various fields of technology and services. Your use of the ATM/NIGERIAN SCAM MACHINE mark without our authorization or consent directly violates our exclusive rights. Selecting this title can only be seen as a deliberate attempt to trade off the good will of SHADOW AMERICA and causes confusion in the market. Your misuse, ironically, is exacerbated by your use of the term "AMERICA COMPANY" in your marketing material, which is close in language and terminology to SHADOW AMERICA, and due to the little-understood yet existing connection between SHADOW AMERICA and THE UNITED STATES OF AMERICA, your company's name further complicates matters for consumers. Moreover, such actions contribute to unfair trade practices, unfair competition and are a flagrant violation of SHADOW AMERICA'S trademark rights.
SHADOW AMERICA hereby demands that you immediately cease and desist from utilizing ATM/NIGERIAN SCAM MACHINE as the name or title of your products and/or services, and from making any further use of our mark, or any mark that is confusingly similar to it. SHADOW AMERICA further demands that you provide us written assurance within ten days that you have ceased to use such name and title and that you will refrain from using any SHADOW AMERICA marks in the future.
Any further actions by SHADOW AMERICA will depend on the nature and promptness of your response. SHADOW AMERICA will retain and reserve all of its rights with respect to your actions to date.
Very Truly Yours,
Sosu Mie SHADOW AMERICA (AMERICA THE OTHER COUNTRY LLC)
Rory, you've been served. Again, I blame you.
Ok. Now back to our regularly scheduled programming...
Adobe, which released its PDF format as an open format a while back, has apparently shoved Microsoft into a heck of a legal mess regarding Microsoft's plan to include PDF output support directly in the Office 2007 programs.
Brian Jones, a program manager in the Office team at Microsoft, explains that they're going to have to pull PDF output support out of Office 2007.
Let me see if I have this right. Adobe opens up the PDF format and establishes a standard that needs to be adhered to. Other companies and organizations, commercial and otherwise, pick up on that and add PDF creation support to their programs, with no hassle or complaint or legal action from Adobe. Then Microsoft adds it as an output format option to the next-gen Office programs, and Adobe complains and calls out the lawyers.
That stinks. No more Adobe for me. Don't try to convince me that it's different when it's Microsoft that's involved. Adobe's been spiraling toward an almost certain death for some time and this is just another example of that. The ISO:19005-1 standard pretty much spelled out PDF as a standard, it was opened, and now the lawyers are lining up. It's too bad. I guess Adobe didn't think through the definition of "open" when they "opened" the format standard. The only thing that's clear is that some portion of Adobe's team of attorneys doesn't have a clue.
So, for people who want to do PDF in Office 2007 directly, it looks like it means a separate download and installation. At least it won't mean being forced to use Adobe Acrobat, which is and has always been a buggy, bloated piece of junk in my experience. It fails more often than it works. I was rather looking forward to native support in Office right when I installed it...
Brian Jones' blog posts on the subject are here:
© Copyright 2008 Greg Hughes
This work is licensed under a Creative Commons License.
This page was rendered at Thursday, May 15, 2008 9:31:38 PM (Pacific Daylight Time, UTC-07:00)
newtelligence dasBlog 1.9.7174.0