Phone service does not fit that model. There are just too many occasions for “no support” to be unacceptable.

Today’s example: Porting a phone number from Verizon to Google Voice: Just $20, it works great, except when it doesn’t. In my case, SMS never successfully ported. The only support mechanism is a help page that states that it takes up to five business days for text messaging to resume after a port, and after that time, you can visit a web page to fill out a form that causes no observable action.

This could have been mitigated by supplying information instead of support. Expose the internal states of the porting process, so a customer can see progress or can know who to blame. Track the tickets on the problem reports.

But Google Voice as it stands offers no information and no support (and all attempts to “get a human” fail). So it gets the blame for failure to deliver, even if it’s somebody else’s fault. (Who knows, perhaps carriers and SMS gateway providers drag their feet on number porting. But with no information offered, all I know for sure is that Google Voice couldn’t get it done after weeks of waiting.)

In summary: For some businesses the appropriate level of offered support ought to be greater than zero. More status information can mean less customer support.

Low-quality social network sites grow by finding ways to extract contacts from people so the system can spam them, or trick users into acting as individual spam drones. (A worst-case example are those worm-like provocative wall postings that, once clicked, cause your friends to seem to post them also. Just up from that on the low rungs are the game sites that post frequent progress updates to all your friends.)

I’m a joiner and early adopter, but I rarely invite people to use a service they’re not already using. That’s my way of treating my contacts respectfully, and protecting my own reputation as a source of wanted communication, not piles of unsolicited invitations.

Google Plus has recently taken a step toward lower quality by changing their ‘Find People’ feature. Previously it identified/suggested Google Plus users separately (good). Now it identifies and suggests everyone on your contact list and beyond, without identifying whether they are already a Google Plus user. Really they are nudging me toward being an invite machine for them.

As a result, Google Plus will get less high-quality social-network building (among people who respect their contacts and take care with their communication), and more low-quality social-network building (piles of invites from people I barely know). If it goes too far downhill, Google will endanger the willingness of high-quality users to let Google know anything about their contacts or touch their email.

Oh, and www.airpush.com/optout doesn’t cut it.

The PDF file it published was produced by some process that included image enhancement of most of the text. As a result, instead of containing a single simple color scan of the document, the PDF file contains a large color JFIF (JPEG) scan with text deemphasized, plus several separate monochrome bitmaps to fill in the text. That maximizes contrast and enhances readability, but it does raise questions about how much the file might have been edited.

The whitened areas in the color image still show some remnants of what was there previously.

It is left as an exercise for the reader what software would perform text enhancement by creating separate layers or subimages from the original scan. I certainly am curious. The PDF file’s properties state that it was produced on a Macintosh (probably “Print to PDF” from some scanning or editing program).

[I have been surprised to find little commentary on this problem with the image file. I thought I was to be the first, but I see that there is a less technical mention of this at hotair.com now.]

If the White House really wants to competently put the controversy to rest, it should walk the piece of paper over to a scanner again, set to maximum resolution, minimum enhancement, select TIFF or PNG (both are lossless) as the output format, and publish that. Please!

See below for the subimages in the White House PDF.

More than 10 million Americans moved from one county to another during 2008. The map below visualizes those moves. [Click on the image to go to the interactive map at Forbes.com, then: ] Click on any county to see comings and goings: black lines indicate net inward movement, red lines net outward movement.

Source: Internal Revenue Service data. The IRS only reports inter-county moves for more than 10 people, so some moves are not shown on this map.

APNIC received the following IPv4 address blocks from IANA in February 2011 and will be making allocations from these ranges in the near future: 39/8 106/8
…
Please be aware, this will be the final allocation made by IANA under the current framework and will trigger the final distribution of five /8 blocks, one to each RIR under the agreed “Global policy for the allocation of the remaining IPv4 address space“.

After these final allocations, each RIR will continue to make allocations according to their own established policies.

Now, Diigo is taking over Furl. It was announced a week ago, Furl is no longer taking new bookmarks, and my old data is now migrating into Diigo (probably without cached content, but we’ll see).

I’m hopeful about its personal usefulness: Diigo goes support cached pages, and seems to be pretty flexible in its other connections to the world. There’s yet-another superfluous social networking database that I’ll be ignoring.

MD5 considered harmful today

Creating a rogue CA certificate

Alexander Sotirov, Marc Stevens,
Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, Benne de Weger

We have identified a vulnerability in the Internet Public Key Infrastructure (PKI) used to issue digital certificates for secure websites. As a proof of concept we executed a practical attack scenario and successfully created a rogue Certification Authority (CA) certificate trusted by all common web browsers. This certificate allows us to impersonate any website on the Internet, including banking and e-commerce sites secured using the HTTPS protocol.

Our attack takes advantage of a weakness in the MD5 cryptographic hash function that allows the construction of different messages with the same MD5 hash. This is known as an MD5 “collision”. Previous work on MD5 collisions between 2004 and 2007 showed that the use of this hash function in digital signatures can lead to theoretical attack scenarios. Our current work proves that at least one attack scenario can be exploited in practice, thus exposing the security infrastructure of the web to realistic threats.

Now that it’s been demonstrated once, it won’t be long before someone malevolent does it too. One hopes that, by then, software desupporting MD5-based signatures will have been widely distributed, and certificates containing them will have been retired.

Update: Of course, the day of doom can be postponed by getting every MD5-cert-issuing CA to immediately update their software to: (a) stop issuing MD5-based hashes, or, at least, (b) make their certificate serial numbers less predictable. The latter is a fairly small change. Is it too much to hope for?