Showing posts with label rants. Show all posts

Sunday, May 18, 2008

...in which I get corporate bullied

An unsolicited FedEx package was trying to find me on Friday. It finally did at work after they called me. It was addressed to:

Me
Cable Car Lane
Wellington


I think this is because FedEx don't take PO Boxes. Amazing that it did arrive, really.

Anyway, back on topic, it turns out that a certain Terry A Overby filed a US patent application No. 11/465,086 on MEID serial number validation and conversion while working at CellStar. CellStar was then purchased by Brightpoint.

The nice little lawyer letter will be posted here in due course. It is actually a reasonably polite warning, but the basis for the pending patent must surely be bullshit. The online version is not available (it is optional to make it available pending approval) but I have part of it included in my, ahem, warning. It is a spreadsheet implementation of a standard, claiming (by my cursory reading) to cover any implementation of MEID to pESN conversion and associated LUHN check digit validation. FFS.

Never mind that this algorithm is trivial (take SHA-1 hash, lose most of it, prepend 0x80 prefix), and must be implemented by any CDMA backend system that needs to cope with MEIDs. It tries to be all encompassing by saying (more or less) "hey, if you do this in a web page, application, remotely over TCP/IP, embedded in your code, or in your dreams it is covered by this patent". Okay I added the dreams bit. It is based on a spreadsheet implementation (!). I say again, FFS!
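The conversion and check-digit validation described above, as an added example (this is not the code from the page that was taken down). It assumes the pESN keeps the last 24 bits of the SHA-1 digest of the 7-byte MEID and that a hexadecimal MEID carries a base-16 Luhn check digit; `SAMPLE_MEID` is a constructed test value.

```python
import hashlib

HEX = "0123456789ABCDEF"
SAMPLE_MEID = "AF0123450ABCDE"  # constructed sample value, not a real handset


def luhn_check_digit(digits: str, base: int = 16) -> str:
    """Luhn check digit for a digit string, generalised to the given base."""
    total = 0
    # Walk right to left; the rightmost payload digit is the first one doubled.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch, base)
        if i % 2 == 0:
            d *= 2
            d = d // base + d % base  # add the two digits of the doubled value
        total += d
    return HEX[(base - total % base) % base]


def parse_meid(text: str) -> str:
    """Return the 14 hex digits of an MEID, verifying a 15th check digit if present."""
    meid = text.replace(" ", "").upper()
    if len(meid) not in (14, 15) or any(c not in HEX for c in meid):
        raise ValueError("MEID must be 14 hex digits plus optional check digit")
    if len(meid) == 15 and luhn_check_digit(meid[:14]) != meid[14]:
        raise ValueError("check digit does not match")
    return meid[:14]


def meid_to_pesn(text: str) -> str:
    """pESN = 0x80 prefix followed by the low 24 bits of SHA-1(MEID bytes)."""
    digest = hashlib.sha1(bytes.fromhex(parse_meid(text))).digest()
    return "80" + digest[-3:].hex().upper()


if __name__ == "__main__":
    check = luhn_check_digit(SAMPLE_MEID)
    print(SAMPLE_MEID, "check digit", check, "pESN", meid_to_pesn(SAMPLE_MEID + check))
```

Because only 24 bits of the digest survive, different MEIDs can map to the same pESN, so a backend should not treat the pESN as a unique device key.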

What makes it worse is that the individual claims to have participated in the CDMA standards/reports process for MEID. I think the CDMA Telco community will take a dim view of this.

Outrage aside, I've taken the damn page offline. It is not worth getting stressed over a simple page I created in less than half an hour two years ago. It still grates though, the less sensible part of me does want to poke this dog with a stick.

Grrr.

Saturday, December 15, 2007

NZ Passports now the world's most expensive?

Finally someone noticed and wrote in the MSM about the Kiwi passport ripoff.

I'm surprised that there are 14,000 fewer passport renewals this year since travel must be on the increase, although I'm not sure if they're considering people who beat the new system and thereby possibly caused a peak last year. I got my 10 year passport just in time, although my son has a nice new 5 year one. Getting a 10 year passport expiry date will be moot however if the US starts to mandate only RFID'd passports for entry though, as they did for machine-readable ones. Only a matter of time I suspect.

The bare fact is that the price of passports quadrupled, since they halved the lifetime of the passport while doubling the price. No other country felt the need to quadruple the price to pay for this technology either.

I can actually agree with the concept of refreshing passport technology for security reasons but what they fail to realise is that a passport effectively has a lifetime less than its expiry date -- most countries want at least 6 months, and that's 6 months past the length of your intended stay. So you're left with a passport that works for ~4 years, minus the time you get it in advance of your first trip on it. What a bloody hassle.

While I'm ranting about the price of these passports, I also have to add that they're rigid and don't feel like they'll take a lot of riding in back pockets. My old one has come out U-shaped on occasion from that. Considering this is one document you like to keep with you (in some countries) they've gone from something that is reasonably robust -- it attracts interest but still works if you soak it in water -- to something that feels like it will break quite easily. Apparently a working RFID chip isn't required for entry as faults are normal and expected; I would assume that you'll get more scrutiny if it does fail though otherwise certain people would just microwave theirs.

Wednesday, November 14, 2007

Holding people to account



I've recently been thinking of the concept of patronage and satire. The Romans had it right; we should have a crowd of satirists around that we can hire to make fun of individuals in cartoon, verse, or in some other form. It should be their job to make fun of people, they should compete to do it best. My old flatmate Stephen Jenkins introduced me to Catullus a long time ago, he certainly had a way with words. I'm sure a Web 2.0 version of this system would be a hit :-)

There has been a general culture of shirking of responsibility in New Zealand over the past years; "I didn't know", "I don't remember that conversation", and other weak responses are in use from the top of society to the bottom. They are not excuses.

Those at the bottom of society are pretty well held to account for their actions, except when excused on the grounds that society made them do it. I can never see this as an excuse; mitigation for small acts perhaps but we are of free will and always make decisions and we should have to live with the consequence of those decisions.

I am more annoyed to see the lack of accountability at the top end of our society. Our figureheads should be more accountable than the average bean, but it seems our politicians (HC, DBP, Trev), bureaucrats (Mr Logan) and some of our business people (Fay/Richwhite) are getting away with a continuous series of responses that would be ignored or ridiculed if any person in the street said them.

I'm thinking that the best way to hold these powerful and sometimes untouchable people to account is to make fun of them. It holds them in the public eye where they feel most uncomfortable, shows our contempt, and is amusing to boot. I still remember the foldup Muldoon poster my brother had from the Christchurch Magic Shop; I don't see anything of that ilk any more. Except perhaps the self-produced Helen Clark poster...

Anyway, who's with me on increasing the satirical content in New Zealand? It should be a NCEA-endorsed career choice...

Sunday, November 11, 2007

Queueing and New Zealand Banks

I am frustrated at the lack of expectation placed on New Zealand banks by their customers. In these days of ubiquitous EFT-POS (NZ's point of sale debit card system) and TradeMe deals causing spikes in NZ Post demands, the one area that is not getting any good attention is the speed of bank transfers.

All of the NZ trading banks only allow transfers overnight (inter-day). And when I say day I mean business, err, banking days. And only before a certain time, 8pm for some banks. The funds don't appear in the account until some point in the morning, and you're typically not awake anyway. I'm using 6am although it can be earlier, shout if you think I'm being unfair.

The batching limitations mean that a bank transfer will have an average delay of 7/5 = 1.4 days if entered at the cutoff point. Add to this a half day to account for the entry delay when it is not being actioned, and the average delay is nearly 46 hours. This is only half the story though, the minimum delay is 8pm-6am (10 hours) and the maximum a whopping 8pm Thursday - 6am Tuesday (106 hours = 4 days, 10 hours). It gets a lot worse around long weekends too...

This is classic financial friction. It means businesses need more working capital, and that everything moves m-o-r-e s-l-o-w-l-y than it otherwise could.

I'm annoyed that batch processing is perceived to be good enough, after all if telcos can do real-time billing of millions of transactions a day, then can someone tell the banks that it can be done? This can't be good for their systems; they must be encountering a massive peak of pent up transactions every Monday night. It makes me wonder if this is why the National Bank moved its cutoff point back to 8pm.

ASB is often held up as a shining example for allowing instant transfers. They are better in that intra-bank transfers are immediate but this is anything but perfect. I think their reputation as the bank of innovation must be slightly tarnished by now -- I've seen nothing of great importance on that front for ages, and Westpac launched the first NZ debit Visa this year.

Kiwibank, who I'd expect to have shiny new systems given their age, does allow instant intra-bank transfers. A good step forward. Their other systems are, to be frank, a bit weird though. I was a foundation customer but due to their rather "secure" password rules I managed to constantly forget mine, and they have quite draconian unused/overdrawn account rules. Ciao Kiwibank. I wonder if the Flight of the Conchords were talking about them.

All of this on top of our banking services being very expensive. I'm not sure what we can do about this, I would have thought that one of the existing transfer mechanisms would be able to fake this (think every transaction done as 2x EFT-POS transactions, one debit and one credit) but I think the banks need to authorise this mode of working. I've not looked at some of the layered systems, but they all seem a bit too complex and typically transferring money in from my bank which doesn't solve this problem. Lance lamented the same thing a while ago.

It would be nice to see the telcos offering a banking service; person to person transfers using prepaid balances would be quite sexy and I believe this is quite common overseas. I must dig out some details.

Wednesday, October 3, 2007

Simple stuff: usernames and passwords

(I can't find any reference to this on the web, but there must be something. Username aka display name aka login aka screen name [yurk])

I recently signed up for (yet another) web forum, went through the dance of getting the temporary password via email, and I noticed it didn't even tell me what my username should be. Very un-Web2.0.

I went back to the login page and it wants my email address; and so this rant begins.

Think of your users. Are they corporate users? Are they private, mostly ISP-based, users? So email address sounds like a reasonable key?

STOP THAT.


Email addresses are useful for sending email to people. Most of the time. Email addresses nominally have the following characteristics:

  1. They uniquely identify a person
  2. They don't change
  3. They can be remembered by the user concerned

Let's pull these apart:
1. "They uniquely identify a person"
Well no they don't. It can be a mailing list, it can be for a family, it might identify a person most of the time but ask yourself if this is sufficient. Even if they do uniquely identify the person, that person might not want their activity to be identified; so you're going to need a username anyway.

The other perspective (thanks Jonny) is that you provide your email address on email correspondence and this starts to give information away that provides others access to websites; the access quiz changes from needing to know the username and password to only requiring the password.

2. "They don't change"
Well, yes they do. People want to be able to change ISP. Mergers and acquisitions happen. Domain names get accidentally lost. Most of the people reading this will have a static email address probably because they own their domain, but this does not apply to most of your users.

You can try and mitigate this problem, but the single principle is that you cannot easily prevent a user from claiming to be scott@randomcompanya.com [aside: currently unregistered, I checked!] if randomcompanya.com refuses their email/doesn't exist. So that account is dead, along with all the things that tie that customer to you, and you've just asked them to rescan the market to see if they want to reregister...

The inverse of this is when scott leaves randomcompanya and they hire another scott. Hurrah. Let's just leave the key under the mat too shall we?

3. "They can be remembered by the person concerned"
This may in fact be true for most people, but I'm betting most sensible people keep their business and personal email separate. Sensible people may figure in the minority. If you have more than one email address, or you own your domain, you have a snowball's chance in hell of remembering which one you used. Better request a new password and check the email headers :-)

So what should you do?

I'm glad you asked. Let me rant a little more.

User-definable usernames

Let the user select their own username. The best websites already do this, and don't constrain people to 8 characters, 12 characters, or anything less than half a page of text.
  • Do make it case insensitive but don't mash the case - InnOcenT should be permissible (think: Bobby is different from bobby? Do you really want that confusion) and not normalised otherwise they'll get offended that their StudlyCaps are lost.
  • Don't allow embedded spaces without thinking it through.
  • Do allow punctuation, at least to a point.
  • Possibly allow Unicode, but be careful of unnoticeable collisions (a lot of characters end up looking the same, allowing impersonation). This is a key point of i18n, which could well be the difference between you or your competitor getting market share in Asia.
A user might choose to enter their email address as their username, which is fine. To be clear I'm not saying don't collect and use email addresses, especially for lost password/lost username issues.
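One way to implement the rules in the list above, as an added example that is not from the original post: usernames are stored as typed, uniqueness is checked on a normalised key, and names that mix scripts are refused. The class and function names, the ban on all whitespace and the `MIXABLE` exception are assumptions of this sketch.

```python
import unicodedata

# Scripts that legitimately mix within one name (assumption for this sketch;
# Unicode UTS #39 defines the full restriction levels).
MIXABLE = {"CJK", "HIRAGANA", "KATAKANA"}

class UsernameError(ValueError):
    pass

def canonical_key(name: str) -> str:
    """Uniqueness key: NFKC folds compatibility look-alikes (fullwidth,
    ligatures), casefold() makes the comparison case-insensitive."""
    return unicodedata.normalize("NFKC", name).casefold()

def scripts(name: str) -> set:
    """Rough per-letter script guess: first word of the Unicode character name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in unicodedata.normalize("NFKC", name) if ch.isalpha()}

def validate(name: str) -> str:
    display = unicodedata.normalize("NFC", name)  # the user's casing is kept
    if not display:
        raise UsernameError("empty username")
    for ch in display:
        # C* = control/format/unassigned, Z* = spaces and separators
        if unicodedata.category(ch)[0] in "CZ":
            raise UsernameError("whitespace or invisible character")
    found = scripts(display)
    if len(found) > 1 and not found <= MIXABLE:
        raise UsernameError("mixed scripts: " + ", ".join(sorted(found)))
    return display

class Registry:
    def __init__(self):
        self._by_key = {}  # canonical key -> display form as registered

    def register(self, name: str) -> str:
        display = validate(name)
        key = canonical_key(display)
        if key in self._by_key:
            raise UsernameError("collides with " + self._by_key[key])
        self._by_key[key] = display
        return display

    def lookup(self, typed: str):
        """Resolve what the user typed at login to the stored display name."""
        return self._by_key.get(canonical_key(typed))
```

The mixed-script test does not catch a name written entirely in one look-alike script; that needs a confusables table such as the one published with Unicode UTS #39.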

I recognise that lost username recovery typically does involve emailing the user, but it doesn't have to if you collect sufficient identifying information from the user. You have the flexibility.

I'm also not against allowing the use of email address as a synonym for your username on login forms, although it has some security implications.

OpenID
"OpenID is a decentralized single sign-on system" according to Wikipedia. I'm of two minds on this one, and I'm still chewing on this post. OpenID does allow user-selected usernames, but beyond that it doesn't provide trust, or really authentication (due to all the holes, OpenID 2.0 is better but not necessarily fixed), and I'd debate that you can provide identity without these things.

Okay, I'm finished. I think there are more perspectives on this one and I'm interested in hearing them. Paypal, for example, use email addresses. I think this is because that is where they started from; eBay sensibly changed I think, TradeMe changed post implementation as well.

Just wait until I get to passwords. It will be heretical.

Saturday, August 18, 2007

NZ Broadband sufficient for videoconferencing already!

Michael Sampson's experience with video-conferencing to the East coast of the USA from NZ.

I'm not going to say it couldn't be better, but I think this kills the "can't do business properly with the current ADSL infrastructure in NZ" argument.

I'm still not sure what Rod wants, but I say:
1. If you want to host some content that is of global focus then don't host it in NZ. You're writing a blank cheque for your bandwidth otherwise, and giving a higher-latency experience to the rest of the world. By all means choose a decent NZ hosting company but they'll host it in other countries for you. I chose these guys.
2. If you want to host something for NZers then still consider hosting it somewhere else. See point 1. Ask yourself what you gain by hosting locally; the latency differences are not going to be noticeable for the average Kiwi surfer.
3. If you want to build a business that requires vast amounts of data transfer, go into a major city centre. Don't complain you can't run it from your house in NZ; even in Sweden, Korea, or FTTH territory you would have business continuity concerns doing this.
4. Yes I know not everyone has ADSL. Not everyone has reticulated water or sewerage either. I've compared Internet access to reticulated gas before and I think the analogy still holds; if your business wants it then it can get it put in for a price. Don't expect everyone else to subsidise your business though. If you can't get gas/internet where you are then perhaps the business you want to build needs to relocate -- this is something every business faces.

I do want cheaper bandwidth rates for international traffic, but I also accept that we're quite a long way away from anywhere. Bytes are still cheaper than physical bits (pun intended) to transport, so we're still minimising that aspect of our geo-disadvantage by moving online.