Slashdot Mirror


Reading Archival CDs from the PayMyBills Service?

renehollan asks: "PayMyBills produces Windows-only year-end archive CDs, without warning. Has anyone tried to read these under Linux, Solaris or other non-MS operating systems? My experience to date is here." I can empathize with renehollan here: apparently PayMyBills sends out scanned images of the checks used to pay your bills; however, they go to great lengths to make sure the information is only usable on Windows without mentioning it as a requirement for their archive CDs. I assume this is done so that the data on the disk can be "encrypted" (or just password protected) when the disk is published. Has anyone else using this service been able to get at the pertinent data?

18 of 31 comments

  1. JAD by adamy · · Score: 3, Insightful

    If you take a look at the class files under JAD, I am sure you will find a hard coded string literal "../dir" name. Send them a Bug Fix which is:

    // File is java.io.File; toString() is needed to get a String from the StringBuffer
    String astring = new StringBuffer("..").append(File.separator).append("dir").toString();

    --
    Open Source Identity Management: FreeIPA.org
    1. Re:JAD by Hard_Code · · Score: 2

      I'd second that opinion. JAD is absolutely amazing.

      http://kpdus.tripod.com/jad.html

      --

      It's 10 PM. Do you know if you're un-American?
    2. Re:JAD by woggo · · Score: 2
      Actually, that code has the same problem. Since File.separator is a compile-time constant, it is replaced with the separator character for the OS you're compiling under; under UNIX, that's "/", and under Windows, it's a backslash -- the end result is that the path will work on the system you're compiling on, but not on one with a different path separator.

      What you'll want to do to get the runtime-system-dependent path separator is System.getProperty("file.separator").

      jad is pretty rad, though.

  2. Already solved... by Hard_Code · · Score: 3, Informative

    According to his journal, it looks like he already solved it...

    --

    It's 10 PM. Do you know if you're un-American?
    1. Re:Already solved... by renehollan · · Score: 2

      Well, my solution does involve software which isn't (I think) completely free: the JRE that Sun ships with the J2SDK 1.4.0 for Linux. Kaffe barfs on ptcopycd.class.

      --
      You could've hired me.
    2. Re:Already solved... by renehollan · · Score: 2

      The big question is if it comes bundled with a complete enough JRE. I'd also have to use jode to decompile the .class files and recompile them with gcj, but that's probably not a big problem.

      --
      You could've hired me.
  3. Re:Stopped reading by renehollan · · Score: 3, Interesting
    Actually, what bothers me is that they don't make a point of saying that Windows is required. They say the CD is "browsable". A reasonable person would presume that it would be browsable by any moderately compliant browser, especially a browser that works with their online system. It isn't: you need Windows executables.

    The ironic thing is they could at least provide a Linux JRE to permit Linux users to decrypt the CD and browse it normally. (Browsing the encrypted CD would require running Apache properly integrated with Tomcat, I imagine).

    --
    You could've hired me.
  4. Re:JAD (Thanks) by renehollan · · Score: 2

    I'll try it out. I've had fairly good success with jode.

    --
    You could've hired me.
  5. CDs without warning... by mosch · · Score: 4, Funny
    PayMyBills produces Windows-only year-end archive CDs, without warning.
    Holy fuck! A CD just appeared out of nowhere!
  6. Re:English lesson by mosch · · Score: 2, Informative

    no, in real companies they employ tech writers. Secretaries generally have to type memos, create powerpoints, arrange schedules, filter visitors and for the front-desk secretary, have big tits.

  7. Re:What fun by renehollan · · Score: 2
    Thanks for the suggestions.

    I have already spoken to one of their customer service reps at length about some of the flaws in their "encryption" approach: 1) it's rather pointless since they send the key in plain text; 2) it disenfranchises non-Windows and non-Mac users; 3) it increases support costs; 4) Linux users are a growing crowd. He seemed willing to listen at least and acknowledged my points.

    I mentioned that, with a bit of effort and luck, I might be able to read the disk under [GNU/]Linux. So far, I have managed to decrypt the CD contents, and more importantly, gotten their local http server to run under Linux to read the CD directly (using J2SDK 1.4.0 and more file name folding hackery -- their java presumes upon Windows (well DOS) filename case folding in a couple of places and has other less avoidable Windowsisms). I had asked for any tech support they could send my way, with a promise to share my findings. To date, I have received no support. (In fairness, they made it clear that they "do not support" Linux).

    As to negotiating reimbursement from them for sharing my efforts, I'm afraid that would be a violation of my H1B visa. Even doing it for them for free might be (I'd have to show that I volunteered something that was not ordinarily a paid service).

    --
    You could've hired me.
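
An added example, not part of the original thread and not PayMyBills' code: one way to resolve paths written for Windows (either separator, any letter case) against a copy of a disc on a case-sensitive filesystem, which is the pair of problems discussed in the JAD and "What fun" comments above. The class name, the sample file names and the policy of refusing `..` segments are assumptions made for illustration; it uses java.nio.file, which postdates the J2SDK 1.4.0 mentioned in the thread.

```java
import java.io.IOException;
import java.nio.file.*;
import java.util.stream.Stream;

public class FoldedPathResolver {
    /** Resolve a Windows-style relative path under root on a case-sensitive filesystem. */
    static Path resolve(Path root, String windowsPath) throws IOException {
        Path base = root.toRealPath();
        Path current = base;
        // Accept either separator: the path was written for DOS/Windows.
        for (String segment : windowsPath.split("[\\\\/]+")) {
            if (segment.isEmpty() || segment.equals(".")) continue;
            if (segment.equals("..")) {   // assumed policy: never climb above the root
                throw new IOException("parent traversal refused: " + windowsPath);
            }
            current = matchIgnoringCase(current, segment);
        }
        // Symlinks inside the copied tree must not lead outside the root.
        if (!current.toRealPath().startsWith(base)) {
            throw new IOException("resolved outside root: " + windowsPath);
        }
        return current;
    }

    private static Path matchIgnoringCase(Path dir, String name) throws IOException {
        Path exact = dir.resolve(name);
        if (Files.exists(exact)) return exact;          // exact case wins
        Path found = null;
        try (Stream<Path> entries = Files.list(dir)) {
            for (Path p : (Iterable<Path>) entries::iterator) {
                if (p.getFileName().toString().equalsIgnoreCase(name)) {
                    if (found != null) throw new IOException("ambiguous case-folded name: " + name);
                    found = p;
                }
            }
        }
        if (found == null) throw new NoSuchFileException(exact.toString());
        return found;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample tree standing in for a copied disc; the names are made up.
        Path root = Files.createTempDirectory("cdcopy");
        Files.createDirectories(root.resolve("Data/Images"));
        Files.createFile(root.resolve("Data/Images/CHECK001.TIF"));
        System.out.println(resolve(root, "data\\images\\check001.tif"));
    }
}
```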
  8. Re:What fun by mosch · · Score: 2, Funny
    or just send it to them without a credit attached, for the betterment of mankind.

    you do like mankind don't you? If you don't, then the terrorists have already won.

  9. Re:TANSTAAFL by renehollan · · Score: 2
    Your points are insightful, but there are several problems:

    1) The whole H1B visa thing: it can be so bad that you can get kicked out of the country for cleaning your own gutters -- "depriving an American of the job"! Yes, that was an extreme case, and it involved a TN1 instead of an H1B visa (basically, someone pissed off their neighbor who found an INS asshole and turned the gutter-cleaner in), but the fact is INS people have incredible discretionary powers.

    2) It's not like PayMyBills needs the patch. I'm sure they have plenty of Windows customers.

    3) If I don't give it to them, or they refuse to pay me for it, or I can't make it available to them for INS reasons, the Linux community is left poorer. I don't care as much about PayMyBills getting a freebie, or getting paid for it, as I do the community getting a useful tool.

    4) DMCA. One could argue that PayMyBills has a compilation copyright on the compilation of my bills. They've protected access to that compilation with an encryption scheme (a good one, I might add, as far as I can tell). My disclosure of how to circumvent that could run me afoul of the DMCA (though I already described the basic steps in my journal). I suppose I could argue an "interoperability defense" but it is questionable if that would work. Since one still requires the key, I could argue that nothing was circumvented, but the counter would be "use of Windows was circumvented".

    This should really be simple: I should just give the damn fix away to anyone BUT PayMyBills unless they pay for the right to use it. But the legalities are surprisingly complex.

    --
    You could've hired me.
  10. GCJ's library is missing some packages by yerricde · · Score: 2

    There's always gcj, and gcj is Free

    GCJ is just a compiler for the Java language, and it needs a class library to run programs, and if the software relies on a class that your JRE's class library doesn't have, you're screwed. From the GCJ home page: "Most of the APIs specified by 'The Java Class Libraries' Second Edition and the 'Java 2 Platform supplement' are supported ... AWT is currently unsupported" (my bold), which means it can't run GUI apps or applets.

    --
    Will I retire or break 10K?
    1. Re:GCJ's library is missing some packages by renehollan · · Score: 2

      Yeah, I found out very quickly that AWT is unsupported in gcj. Still, gcj is worth watching.

      --
      You could've hired me.
  11. Re:TANSTAAFL by renehollan · · Score: 2
    The INS isn't all that bad. I just wish the rules were simpler (not requiring a lawyer to do every little thing), and they processed things faster. They just have a good deal of clout, and, like any organization, occasionally employ an asshole. Assholes with clout == bad.

    I found out a bit more about the CD. It contains cryptix32.jar: an open source JCE 1.2 implementation. The interesting thing is that this includes RSA (no longer patented), and IDEA algorithms. IDEA is free to use for noncommercial purposes. Since I paid for the CD, I'd think PayMyBills is using cryptix32 for "a commercial purpose". It is a bit more complex since the IDEA code appears not to be executed in PayMyBills' application (they use Blowfish), so I suppose it's up to the lawyers to argue whether IDEA is "used" or not. Still, I'm finding this fun... I'm tempted to rework my own version of the CD with none of PayMyBills' code. I figure I'll rework the embedded http server (which does the encryption), and then tackle the HTML UI and add a few features (like exporting the data).

    --
    You could've hired me.
  12. Bills? by Mignon · · Score: 2
    I thought GNU/Linux was supposed to make everything free as in beer. How come you still have bills to pay?

    The hard part was convincing my landlord to release my apartment under the GPL.

  13. Re:What fun -DMCA? by renehollan · · Score: 2
    No EULA on the CD jacket or packaging, but there are TOS regarding what I can do with PayMyBills service (basically, I can't resell it).

    As for the DMCA... the encrypted data are mine and PayMyBills acknowledges that. In fact I give them limited power of attorney to use that only to facilitate its collection and presentation to me. They go to some pains to express that the data is not theirs.

    --
    You could've hired me.