July 18th, 2008

Nokia – The best is yet to be?


On the left is Pindar Wong, one of the pioneers of the Internet in Hong Kong in the late 80s. When I first met Pindar in 1992, I was still merely a student whereas Pindar had just sold his company, HKNet. Anyway, I had lunch with him two days ago. I couldn’t believe my eyes when he held up his mobile phone, an ancient Nokia phone (Nokia 3310) which does nothing else but make phone calls and maybe SMS.

And he is extremely proud of it :-) “It works!”, said Pindar, “it is the best phone made by Nokia”.

Which brings me to one of the latest Nokias, the Nokia N810. The PR guys for Nokia offered a set for me to play with 2 months ago just before my crazy trip. Halfway through the trip, my MacBook died, which forced me to really use the N810.

The N810 isn’t really a phone. It is more an ultra-portable Internet tablet (Linux). It makes phone calls, yes, but via Skype; it is mostly a browser, IM and email device.

What I like about the N810:

1. The form factor is perfect. It is a tablet and it has a slide-out full keyboard. It is big enough to type with thumbs yet small enough to fit into my pocket.

2. The concept of browser, IM, email and Skype all in one small device. If I don’t have a laptop (which I didn’t have halfway through my trip), those are the things I cannot live without.

3. There is an ecosystem of developers porting other Linux applications onto the N810.

But these are nothing new. I had it 3 years ago on my Zaurus, except the N810 has a bigger screen.

On to the bad stuff about the N810:

1. The touch screen is horrible. I don’t need multi-touch but when I click on something, I expect it to click, and I expect the UI to indicate that I clicked. Very often, I find myself tap…tap tap…tap tap tap…and still no response.

There is a reason interface designers allocate the highest CPU priority to interface since the beginning of computing.

2. Installation of apps is complicated. There are probably 3-4 ways I can get apps onto the device. Each of them involves multiple steps: visit a website, click on the download, which fires up the installer, which asks me if I want to install a repository, which takes a while, and then a confirmation of the application I wanted, which is likely to prompt another warning that it is unsigned, and finally I get to download it…and no, one more click to install.

I just want an app onto the device. I want to click that app, please do the rest.

3. The touch screen is horrible (did I mention that?). It is a small screen so the icons are already very small. If I click one icon, I get the one next to it. Argh. Back/cancel, reload, click, wrong again. Arghh.

You either figure out a way to make the buttons bigger or you make a finer-resolution touch screen. You don’t make a device which has small buttons and a lousy-resolution touch screen without providing an alternative.

The iPhone touch screen is also at the bad resolution level but it works. It works because very often it makes the buttons big, or it allows you to zoom in to make them big, and if it is not zoomable, you can hold it down and move it a bit until you get the right one.

I could go on (out of memory, slow app response, the keyboard layout, a camera for video conferencing that Skype doesn’t support, etc.) but here is the one and only reason that I leave the N810 at home these days.

4. The web browser does not work with Gmail.

“Wait, it works”, you say. Yes, go to gmail.com, and it loads up fine. It even renders Gmail as you expected. Now, try using it.

Not the UAT of “does the browser render gmail.com?” but really use it for your daily use. Try using it for an hour. I did. Within 5 mins, the browser slowed down. Any click would take ages to register. Even scrolling up and down is retarded.

But no, that’s not the worst; wait till you try to compose/reply. As you type your email, the letters you type appear 30-60 sec after you press them. So yep, you could either press a letter, wait 60 sec, and then type another. Or you could just type blindly and … until you make a typo, then God help you.

Yes, it renders fine but no, it does not work. Any Internet tablet that does not work with one of the most popular web email services today is not acceptable. Asking me to use the native Email application is not an option. You are out of your mind if you ask me whether I would switch to another web email. I like Gmail and I have everything set up there. I am not going to switch web email just to use the N810. If the N810 doesn’t work with Gmail, it stays at home with the pile of other gadgets I have but no longer use.

I feel really sad about the problems I have with the N810. Nokia is famous for its UI engineering. People like Pindar and myself bought those early Nokia phones because “it works!”. I was a loyal Nokia phone user for nearly 8 years, including the failed N-Gage. These UI problems I have with the N810 are not something I expected from Nokia.

Maybe Pindar is right. The best Nokia phone is the Nokia 3650. My favorite Nokia phone is still the 88X0 (I bought at least 5×8850 and 2×8890). It has been downhill since then.

July 14th, 2008

Anti-Phishing in Hong Kong


Planning for a short trip to Hong Kong tomorrow reminded me of Jonathan Shea, something I wanted to blog about but was waiting for the hype around the new generic TLDs to cool down. Jonathan Shea is an old friend who is in charge of “.hk”. I had the pleasure of catching up with him at the Paris ICANN meeting.

Before Jonathan, let me talk about something related that happened in Paris. At the Cross Constituency Meeting, there was a presentation by the Anti-Phishing Working Group (APWG). In summary, they were proposing working with registries to take down domain names that are suspected to be involved in phishing.

Now, I am as anti-phishing as any other reasonable person, and agree that we should do our best to combat scamming on the Internet. But what they are proposing scares the hell out of me: take down domain names suspected of phishing?

What happened to the legal maxim, “Innocent Until Proven Guilty”?

Now, I can hear some objections: these phishers are sneaky bastards who adopt “hit-and-run” tactics. The entire phishing attack could be done within 24 hours or less and thus we need to react before they get more innocent victims.

That’s true but this is not an excuse to override the basic principle of legal enforcement. Just because a thief could commit their crime in less than 5 min does not mean we don’t treat the suspect as innocent until proven guilty. Neither do we lock down the house or the store while we investigate, which is, in a way, what was proposed.

After Wendy Seltzer raised some concerns, I stood up and asked two questions:

(1) How does APWG determine if one is a phishing domain for takedown?

All I got was a hand-waving answer that it is complicated and there is no time to go into details. I am not sure if they differentiate between an intentional phishing site and a site/domain which was hacked or hijacked. I am not even sure how they determine if the site is indeed phishing. If I put up a spoof making fun of the bank’s bad service, would I be the target of a takedown?

(2) How effective is a domain name takedown when the phishers could easily use IP addresses instead of domain names?

Once again, he dodged the question without giving any data but at least his answer was more plausible: one should make use of all mechanisms available to fight the problem. Nevertheless, I remain unconvinced that taking down domain names would deter the phishers as they could easily use IP addresses instead. Do we then go to RIRs and ISPs to blackhole the routing for an attack that might last merely hours?

I might be more open if the takedown is temporary, as an emergency one-off measure when the attack significantly threatens the general public or the normal operation of the Internet, and we can prove that the best way to stop that specific attack is in the DNS.

However, I am not convinced that ICANN and the registries are the best way to deal with the problem on a long-term, continuous basis. I think this is a classic case of “if we have a hammer (i.e. ICANN), everything looks like a nail”.

This is not to say I think registries don’t play a part in anti-phishing. This is where I go back to Jonathan and HKIRC (.hk).

McAfee published a report on Mapping the Mal Web Revisited in May. This report said “Hong Kong (.HK) soared in 2008 to become the most risky country TLD”.

Obviously, this report upset quite a few people, including Hong Kong Internet veterans like Charles Mok and Pindar Wong (see IT360). Jonathan contested that the report is unfair because the data points for the report are based on 2007 whereas the problem has been substantially improved in early 2008.

What has been done by HKIRC is a model of what I think registries should adopt.

1. In March 2007, HKIRC worked with HKCERT and the HK Police Force on a procedure to verify whether a .hk domain name has been used for phishing. They also work with OFTA, the local regulatory body, who will provide a definite list of .hk domain names that are involved in spamvertising in Jul 2008.

2. In July 2007, HKIRC tightened their online payment (HKIRC is also the registrar) so that stolen cards and lost credit cards cannot be used. In early 2008, they also developed an internal auditing system where they would flag suspicious registrations, which would then be processed manually for additional documentary proof from the registrant.

An example of what would trigger the flagging: when a domain name is known to be a phishing site from the definite list by OFTA, the other domain names registered by the same registrant would be considered suspicious.

What was done by HKIRC is neither intrusive nor disruptive to the registrants. Neither do they presume guilt before innocence and take down domain names on suspicion. They work with regulators and police to make sure they get the right person. They let judges do their job of determining guilt or innocence.

Most importantly, these have been effective in curbing the problem.