Showing posts with label security. Show all posts

Saturday, April 19, 2008

Emails from the closet

I was pretty amazed, and then horrified, by the recent recovery of an Infocom shared drive backup.

Very interesting reading, especially if you played any of the Infocom games (Zork, HHGTTG etc). However I know I wouldn't want my corporate emails dug up and displayed nearly 20 years after the event. This is not because they are machiavellian and/or nasty, but just because what I said in private to one person 20 years ago was meant to stay, well, private and 20 years ago.

The original authors have turned up in the comments and are unimpressed.

This sort of stuff is far more dangerous than newsgroup ranting/posting, embarrassing facebook photos, or weird blog postings from your emo/goth/etc phase. That stuff you intended to be public, even if you didn't intend it to be public, backed up, and then displayed as a corporate screensaver 20 years later.

PS No, not that closet. The orange one on the left.
Edit: "not" added. FFS.

Saturday, December 15, 2007

NZ Passports now the world's most expensive?

Finally someone noticed and wrote in the MSM about the Kiwi passport ripoff.

I'm surprised that there are 14,000 fewer passport renewals this year since travel must be on the increase, although I'm not sure if they're considering people who beat the new system and thereby possibly caused a peak last year. I got my 10 year passport just in time, although my son has a nice new 5 year one. Getting a 10 year passport expiry date will be moot however if the US starts to mandate only RFID'd passports for entry though, as they did for machine-readable ones. Only a matter of time I suspect.

The bare fact is that the price of passports quadrupled, since they halved the lifetime of the passport while doubling the price. No other country felt the need to quadruple the price to pay for this technology either.

I can actually agree with the concept of refreshing passport technology for security reasons but what they fail to realise is that a passport effectively has a lifetime less than its expiry date -- most countries want at least 6 months, and that's 6 months past the length of your intended stay. So you're left with a passport that works for ~4 years, minus the time you get it in advance of your first trip on it. What a bloody hassle.

While I'm ranting about the price of these passports, I also have to add that they're rigid and don't feel like they'll take a lot of riding in back pockets. My old one has come out U-shaped on occasion from that. Considering this is one document you like to keep with you (in some countries) they've gone from something that is reasonably robust -- it attracts interest but still works if you soak it in water -- to something that feels like it will break quite easily. Apparently a working RFID chip isn't required for entry as faults are normal and expected; I would assume that you'll get more scrutiny if it does fail though otherwise certain people would just microwave theirs.

Wednesday, October 24, 2007

SaaS and trust: a NZ experience

(or Why I Should Have Used Xero/Cashboard)

I recently discovered 1place, via Ben or David. It was cool, AJAXy, NZ-based, cheap ($10 a month) and almost exactly what my wife needed for her business. The owners were receptive to changes and there was a good probability that changes required for a quote-and-invoice services business, as opposed to a sell-products or bill-by-the-hour business would be implemented. They had screenshots of the changes and everything. A virtuous cycle of suggestions and responses ensued.

They even did GST returns and a cashbook.

I was suitably enthused so I set everything up, trained my wife, and started creating invoices. It worked well even without the changes. It was promising to simplify our accounting and invoicing significantly without any of the internationalisation issues from other products.

Then one day they disappeared. Completely and without warning. We hadn't paid any money yet, but this was clearly in violation of their agreements. SaaS also means that your data is no longer available, and notably there was no easy extraction/backup mechanism from 1place.

They were gone from the internet for about a month (I checked periodically, so give or take a few weeks). We'd only done two invoices and we'd saved the PDFs, so it was a lucky escape. It could have been a lot worse.

1place have now reappeared. They did not respond to my contact form email asking them where they'd been and why I should continue to use them. I was polite but I guess they don't want to answer. I've not bothered calling them; if I didn't have the invoices already I'd be annoying them daily though. Their blog is noticeably silent.

Looking at the Companies Office details it looks like the guy I was talking to, Bevan, is now no longer a shareholder. That event and the website shutdown would appear to be related, but the lack of consistency, communication, and disclosure mean that I cannot trust them with our data ever again. Nor should you, IMO, without at least a way to get your data out at regular intervals.

I have waited a long time before writing this entry as I really wanted to give this product and company the benefit of the doubt and a chance to succeed; it fills the gap below Xero and is completely NZ focussed, and they were reacting to my requests. But this is a betrayal of trust, and this is something that I will look closely at before using any similar SaaS product (hey: it's a service that's a product) again.

Hopefully they will respond to this public review and you, dear reader, can make up your own mind. If nothing else this is a lesson to be learnt by SaaS providers and users. It can happen with off-the-shelf products too, but at least there is a lower probability that you'll be prevented from accessing your data on your own terms.

Bruce's new list of SaaS requirements:

  1. Decent price
  2. Decent service
  3. Decent uptime
  4. Decent way of getting the hell out of dodge (added).

I am disappointed to be in the position of chopping at a NZ poppy.

Wednesday, October 3, 2007

Simple stuff: usernames and passwords

(I can't find any reference to this on the web, but there must be something. Username aka display name aka login aka screen name [yurk])

I recently signed up for (yet another) web forum, went through the dance of getting the temporary password via email, and I noticed it didn't even tell me what my username should be. Very un-Web2.0.

I went back to the login page and it wants my email address; and so this rant begins.

Think of your users. Are they corporate users? Are they private, mostly ISP-based, users? So email address sounds like a reasonable key?

STOP THAT.
Email addresses are useful for sending email to people. Most of the time. Email addresses nominally have the following characteristics:

  1. They uniquely identify a person
  2. They don't change
  3. They can be remembered by the user concerned

Let's pull these apart:
1. "They uniquely identify a person"
Well no they don't. It can be a mailing list, it can be for a family, it might identify a person most of the time but ask yourself if this is sufficient. Even if they do uniquely identify the person, that person might not want their activity to be identified; so you're going to need a username anyway.

The other perspective (thanks Jonny) is that you provide your email address on email correspondence and this starts to give information away that provides others access to websites; the access quiz changes from needing to know the username and password to only requiring the password.

2. "They don't change"
Well, yes they do. People want to be able to change ISP. Mergers and acquisitions happen. Domain names get accidentally lost. Most of the people reading this will have a static email address probably because they own their domain, but this does not apply to most of your users.

You can try and mitigate this problem, but the single principle is that you cannot easily prevent a user from claiming to be scott@randomcompanya.com [aside: currently unregistered, I checked!] if randomcompanya.com refuses their email/doesn't exist. So that account is dead, along with all the things that tie that customer to you, and you've just asked them to rescan the market to see if they want to reregister...

The inverse of this is when scott leaves randomcompanya and they hire another scott. Hurrah. Lets just leave the key under the mat too shall we?

3. "They can be remembered by the user concerned"
This may in fact be true for most people, but I'm betting most sensible people keep their business and personal email separate. Sensible people may figure in the minority. If you have more than one email address, or you own your domain, you have a snowball's chance in hell of remembering which one you used. Better request a new password and check the email headers :-)

So what should you do?

I'm glad you asked. Let me rant a little more.

User-definable usernames

Let the user select their own username. The best websites already do this, and don't constrain people to 8 characters, 12 characters, or anything less than half a page of text.
  • Do make it case insensitive but don't mash the case - InnOcenT should be permissible (think: is Bobby different from bobby? Do you really want that confusion?) and not normalised, otherwise they'll get offended that their StudlyCaps are lost.
  • Don't allow embedded spaces without thinking it through.
  • Do allow punctuation, at least to a point.
  • Possibly allow Unicode, but be careful of unnoticeable collisions (a lot of characters end up looking the same, allowing impersonation). This is a key point of i18n, which could well be the difference between you or your competitor getting market share in Asia.
A user might choose to enter their email address as their username, which is fine. To be clear I'm not saying don't collect and use email addresses, especially for lost password/lost username issues.
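The rules above (case-insensitive uniqueness that still preserves the user's chosen display case, no embedded spaces, limited punctuation, and defence against look-alike Unicode collisions) can be implemented as a single canonical-key function. The following is an added example written for this post, not code from the original; the confusable table in it is a constructed sample of a handful of Cyrillic and Greek look-alikes (the real Unicode confusables data is far larger), and the `UserDirectory` class and its method names are hypothetical.

```python
import unicodedata

MAX_LEN = 64
ALLOWED_PUNCT = set("._-")

# Constructed sample of characters that render like ASCII letters. Applied
# after casefolding, so every entry maps a lowercase look-alike to its
# ASCII counterpart. A production system would load the full Unicode
# confusables table instead (assumption: this sample is enough to demo).
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0443": "y",  # Cyrillic small u
    "\u0445": "x",  # Cyrillic small ha
    "\u0456": "i",  # Cyrillic small Byelorussian-Ukrainian i
    "\u03bf": "o",  # Greek small omicron
    "\u03b9": "i",  # Greek small iota
    "\u0131": "i",  # Latin small dotless i
}


class UsernameError(ValueError):
    """Raised when a display name breaks the site's username rules."""


def validate(display_name: str) -> None:
    """Reject empty/overlong names, whitespace, control characters and
    punctuation outside the allowed set. Letters, marks and digits in any
    script are accepted; collisions are handled by canonical_key()."""
    if not display_name or len(display_name) > MAX_LEN:
        raise UsernameError("username must be 1..%d characters" % MAX_LEN)
    for ch in display_name:
        cat = unicodedata.category(ch)
        if cat[0] in ("Z", "C"):
            raise UsernameError("whitespace and control characters are not allowed")
        if cat[0] not in ("L", "M", "N") and ch not in ALLOWED_PUNCT:
            raise UsernameError("character %r is not allowed" % ch)


def canonical_key(display_name: str) -> str:
    """Uniqueness key: compatibility-normalise (folds full-width forms),
    casefold (InnOcenT == innocent), replace known look-alikes, then strip
    combining accents so 'e' and 'e + combining acute' cannot impersonate
    each other. The display name itself is never altered."""
    s = unicodedata.normalize("NFKC", display_name).casefold()
    s = "".join(CONFUSABLES.get(ch, ch) for ch in s)
    s = unicodedata.normalize("NFKD", s)
    return "".join(ch for ch in s if unicodedata.category(ch) != "Mn")


class UserDirectory:
    """Stores display names exactly as entered, indexed by canonical key."""

    def __init__(self) -> None:
        self._by_key: dict[str, str] = {}

    def is_available(self, display_name: str) -> bool:
        try:
            validate(display_name)
        except UsernameError:
            return False
        return canonical_key(display_name) not in self._by_key

    def register(self, display_name: str) -> str:
        validate(display_name)
        key = canonical_key(display_name)
        if key in self._by_key:
            raise UsernameError("'%s' is too similar to existing user '%s'"
                                % (display_name, self._by_key[key]))
        self._by_key[key] = display_name
        return key

    def lookup(self, typed: str) -> "str | None":
        """Case-insensitive login lookup; returns the stored display name."""
        return self._by_key.get(canonical_key(typed))


if __name__ == "__main__":
    users = UserDirectory()
    users.register("InnOcenT")
    print(users.lookup("innocent"))                 # InnOcenT (case kept)
    print(users.is_available("\u0456nnocent"))       # False: Cyrillic i look-alike
    print(users.is_available("bob smith"))           # False: embedded space
```

The point of keeping two values per user is that the display name is what the user sees and the canonical key is what the database enforces uniqueness on; folding look-alikes into the key means an attacker cannot register a name that renders identically to an existing one, while the original StudlyCaps survive untouched.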

I recognise that lost username recovery typically does involve emailing the user, but it doesn't have to if you collect sufficient identifying information from the user. You have the flexibility.

I'm also not against allowing the use of email address as a synonym for your username on login forms, although it has some security implications.

OpenID
"OpenID is a decentralized single sign-on system" according to Wikipedia. I'm of two minds on this one, and I'm still chewing on this post. OpenID does allow user-selected usernames, but beyond that it doesn't provide trust, or really authentication (due to all the holes, OpenID 2.0 is better but not necessarily fixed), and I'd debate that you can provide identity without these things.

Okay, I'm finished. I think there are more perspectives on this one and I'm interested in hearing them. Paypal, for example, use email addresses. I think this is because that is where they started from; eBay sensibly changed I think, TradeMe changed post implementation as well.

Just wait until I get to passwords. It will be heretical.

Saturday, August 11, 2007

IEEE article with the details of the Greece GSM compromise

Wow. It is nice to see more of the background into the recently-publicised compromise of an entire network in Greece, courtesy of the IEEE.

I've only seen the details provided by The Register before, so this will be good to digest.

Also thanks to Bruce Schneier -> Matt Blaze -> Security PR Bingo, I might try that one at work.