Slashdot Mirror

← Back to Stories (view on slashdot.org)

Bringing Micropayments To the phpnuke Community

Posted by Hemos on from the makin'-the-money dept.

aelfakih writes "Centipaid.com made available a phpnuke add-on making it possible for anyone with a phpnuke site to collect micro fees for accessing specific sections of the site. The module is released under GPL and it is still beta, but seems to be stable. There is a demo of the micropayment system for phpnuke on http://phpnuke.centipaid.com. There is also a GPL Apache module that does the same thing, but it is intended for system admin with access to the apache server config files, or .htaccess. Links to the phpnuke info is on http://www.centipaid.com/download.html as well as the phpnuke.org site. Links to the apache::centipaid module is on http://www.centipaid.com/download.html and on freshmeat.net "

22 comments

  1. Wow by Koos+Baster · · Score: 3, Interesting

    Although techniques like these have probably been around for some time (it's not even fundamentally different than credit-card) I must say I'm truly amazed by the simplicity of this concept. It seems pretty solid. Even though the system is completely open to hackers/crackers, I can't see a way that privacy information gets anywhere but with Centipaid.

    Now whether or not Centipaid is more trustworthy than Microsoft's Passport system, only time will tell. But I'm very optimistic. Great job guys!

    --
    Money is the root of all evil (Send $30 for more info)

  2. Horror story by Twylite · · Score: 5, Insightful

    A patent pending technology for electronic commerce that [uses a] "variable length key that is encrypted using blowfish algorithm then merged with the image of the stamp using another variable length password" with no peer review of the securtiy of the system? Users can "exhange stamps online and many users can use one internet stamp until it runs out of funds"? A sales site (interstamps.net) with no indication of parent company, physical address, telephone number? A completely anonomous system with a tracking serial number?

    This sounds like the worst of horror stories that can be devices by Open Source and Privacy advocates combined, but we're singing its praises because it released some code under the GPL?

    So apart from the many pointers that indicate that no self respecting online purchaser should hand over ANY details to this site, what about security and anonomity?

    Sites you purchase from clearly can't track your identity across transactions (assuming you use a different stamp). Or can they?

    Well, Centipaid or Internetstamps can certainly track all purchases you make, by virtue of the stamp's serial number. While they promise nicely in their Privacy Notice not to "materially change" their privacy policy, they reserve the right to. They also say they won't divulge "account contact or payment information", but that's easy to sidestep in a number of ways (is what your purchased and where you bought it "payment information"?).

    Since Centipaid has close ties with the sellers (producer and consumers of the technology, right?), can we be sure that our purchasing trends aren't being syndicated to ALL of the sellers? Or maybe to Doubleclick or a similar organisation. All you're really doing in this system is trusting a third party to behave responsibly ... one that doesn't even provide a physical address or indication of incorporation on their website. Ouch.

    As for security, well, they're rather scant on details. A quick look over the PHP source code available from the site seems to indicate that you get redirected to a gateway under Centipaid's control - a standard mechanism for payments through Trusted Third Parties. But it would also seem (although I could be mistaken) that the communication between the merchant and Centipaid is not encrypted or authenticated (signed).

    Without going into detail, any third party payment system that does not use a PKI and does not have secure communication between pair of parties can be attacked. In this case it is most likely that the merchant could be attacked. Nice for the purchaser, not so nice for the seller.

    Besides this is the original claim that users can "exhange stamps online and many users can use one internet stamp until it runs out of funds". So this is really a debit facility (prepaid account) with a gimmick (a pretty picture ... oooh, aaah!). Your stamp is no more or less secure than a credit card -- you just have a better ability to limit your losses.

    No, I wouldn't trust the security of this system...

    It may be interesting to take a read over this Internet draft, written by the guy who appears to own/run Centipaid. The paragraph entitled "Electronic postage support" is especially interesting, as is this notice: "Adonis El Fakih has a patent pending that may relate to AMDP internet draft specifically to the work derived from draft-amdp-00.txt", after which some reference is made to non-discriminatory terms.

    I'll let you draw your own conclusions...

    --
    i-name =twylite [http://public.xdi.org/=twylite], see idcommons.net
    1. Re:Horror story by aelfakih · · Score: 3, Insightful
      Hi Twylite,

      internetstamps an centipaid are the owned by the same companym adn are, they just present two different brands.

      Getting to answer your questions.

      1. Security and anonymity... It is secure there is no way for anyone to predict what an internet stamp is, the internetstamp itself is compsed of at least 7 different keys that need to coincide before it can be used for payment.

      2. Anoymous.. yes although "right now" internetstamps.net knows who you are, that can be easily changed onces you can purchase internet stamps by methods that are not tracked i.e. cash, or other means. When it comes to the merchants, they never know who is making payment. Why? becuase they are not handed the stamps serial number at all, not even in ther monthly staments. they only get a receipt number for the transaction.

      3. Are you sure that trends will be synsdicated, and my answer will yes be sure that they are not. I am as fed as anyone with being tracked when I make purchases, and the business model of centipaid is to make money from teh transactions and NOT from where people go. Most likely when the business matures there will be reports that say X% bought from thie merchant, but there will NEVER be report that says who bought what... I mean that is the whole point of the anonymous system..

      4. the communication between the merchant and centipaid is dfeintly not encrypted becuase it does not need to.. The user never hands the internet stamp to the merchant, they pay centipaid using our gateway, and then the merhcnat receives a receipt number, which they autheticate with our servers to make sure a payment is made. Now if someone intercepts the receipt number,it is fine, since it does not indicate anything. Merchants who are are too paranoid wanting to encrypt their receipt numbers, can do that in future versions :)

      5. Yes the internetstamp in a way is a debit facility. How can you make payments if you did not?? and yes it is designed to limit your losses. you got it that is the whole point. If you mess up and give your stamp to someone your losses are limited. Also each internet stamp comes with a proof of pruchase. It is never used in a pruchase, but in the event that you stamp has been compromised by an outsider, or you want to move funds, etc.. then this is the ultimate proof of you owning the stamp, since at the end the model allows for complete anonymity, not even centipaid willknow who you are if you purchase the stamp with cash.

      6. Thanks for seeing the proposed document to ietf, and yes when I was working on the new mail application design, i realized that a reliable micropayment system will be requiered, and the design of the internet stamp technology came into to play, and internet stamps are designed to be used in scenarios where anonymity is key.

      Now I am not sure what you mean with draw your conclusions. I have drawn one that you did not read much on the centipaid site, since many of these points are explained in detail.

      I agrees withyou that interent stamps shoould have more information, and we will work on that..

      In all cases I do appretiate your honesty and your feedback, and hope that I have answered some of your questions.

      Best regards, Adonis

  3. Who is Adonis El Fakih? by Futurepower(R) · · Score: 4, Insightful


    The bottom of the Centipaid.com home page says, "2002 c Copyright Centipaid.com, Adonis El Fakih." Is this person "Adonis the faker"? Is this an elaborate joke?

    The Centipaid.com Contact Us page does not list a telephone number, only an address, email addresses, and fax numbers. Would you trust your business to someone who won't give you a telephone number?

    Centipaid.com depends entirely on another company, InternetStamps.net.

    The InternetStamps.net web site doesn't seem finished. At present, the Shipping & Returns page says, "Put here your Shipping & Returns information."

    The bottom of the InternetStamps.net page says, "1580 requests since Wednesday 27 November, 2002". These people are not good at marketing. If they were, they would explain their service better.

    The bottom of the InternetStamps.net page also says, "Copyright c 2002 osCommerce Powered by osCommerce". What is osCommerce? Yes, I can guess, but I would like to be told definitively.

    Whoever Adonis El Fakih is, English does not seem to be his first language. The Services page says, "For example you can decide to charge 1 cent to grant access for one day to one section of your site, and , while another area will be 10 cents for a week."

    What is "and ,"?

    Why the very long page load times?

    1. Re:Who is Adonis El Fakih? by Eustace+Tilley · · Score: 3, Insightful
      What is osCommerce? Yes, I can guess, but I would like to be told definitively.


      Hmm, the osCommerce is an Anchor tag, with a URI. Clicking on it leads to what appears to be the osCommerce website. There's a forum section with (apparently) a few thousand posts.

      "Adonis the faker"? Is this an elaborate joke?
      Anything's possible in the world wide web, but I note that three of the nine "people" stamps are Lebanese celebrities, and the U.S. celebrity stamp is J.F.Kennedy, one of our less obnoxious presidents. My Arabic is skimpy, but Google has 1,500 hits for the surname "el Fakih."
    2. Re:Who is Adonis El Fakih? by Eustace+Tilley · · Score: 1

      Google has over a thousand hits for "Adonis el Fakih" ranging from his winning the silver medal in a Lebanese internet design contest to being credited for a suggestion for cacheing in ZBabel. Far away places with strange sounding names? Please do not be so ... parochial.

    3. Re:Who is Adonis El Fakih? by aelfakih · · Score: 1
      Hi,

      No it is not a joke, it is just left over text that I inserted when developing the site.

      centipaid and intenrtstamps are the same company but different brands, since each one deals with different part of the payment system.

      You are right the internetstamps site needs more info, but our focus is on putting a copmrehesive set of information on centipaid.

      And you are also right, my first language is not english we are not all blessed to speak/write three languages :)

      I am not being mean, but when you pick on little things like this it hurts :(

      But no hard feelings I get that a lot :)

      Adonis

    4. Re:Who is Adonis El Fakih? by aelfakih · · Score: 2, Informative
      Thanks Eustace :)

      Fortuanatly I have been in many places, and thanks to google I can be easily tracked.

      A little about me??
      I founded ayna.com the first arabic internet guide (still kicking), developed the algorithms for the search, and just did everythig in it.

      I also worked in genral dynamics, and oracle corporation as senior principal consultant in the advnaced technology solutions division.

      What got me down this road was the unrelenting spam that I had to deal with on ayna.com. I get over 250,000 messages a day, 90% of it is spam. We spend most of time and money just fending off spam attacks in all of theur variations. So I sat down early 2002 and designed a complete mail system from the ground up that is not prone to spam attacks, and that lead to the internet stamps, which prompted me to adapt for online payments when I found out that it will be impossible for me to keep ayna.com alive forever if it does not generate revenues, and at the same time no one will be willing to pay 10 or 30/month to simply access an internet directory, but they are willing to pay .005 for few days, and that is how eveything started :))) And now with over 1 million using ayna, I can actually reposition that portal to stand on its feet generating its own revenue.

      And here we are chatting about who am I? :)

      Again thanks to all for th wonderfull opportunity yo discuss these issues...

      Adonis

  4. Solution to eliminating spam? by Anonymous Coward · · Score: 0

    Would this make it possible to build a system that would charge people every time they send you an email?

    Instead of giving people an email address, give them a URL where they can enter their message, and this URL charges a (tiny) given amount, that will not break the bank of individuals that send you a few occasional emails. You could also have a separate URL/address to give to merchants you don't trust, that charges a lot more.

    Even if spammers find out your trusted address, they can't do repeated broadcast mailings without paying a significant amount. Plus, if the sponsoring website credits your account with a % of the proceeds, in some cases merchants might offset the cost of internet usage enough so that it might end up free.

    I still think the free market will eventually solve the spam problem without lots of regulation and enforcement.

    1. Re:Solution to eliminating spam? by aelfakih · · Score: 2, Informative
      The internet stamps came out as a child project from an email system that I was developing to eliminate spam in the long run.

      The model assumes that each domain name has a public mail policy. the mail policy will set the postage for the domain based on the mail category. If anyone wants to mail that domain then they need to pay, or the message is denied.

      I submited a proposal to ietf, but since it is in draft mode, it can not be used for reference, and if people are interested in this please let me know. I can give you access to the source code of the demo implementation that make this possible based on the designed model.

      Thanks, Adonis

  5. Dead on Arrival by Anonymous Coward · · Score: 1, Insightful

    Internet users already pay for content and access to web sites. It's called paying Internet access fees to your ISP. Additional fees will never be accepted. This idea is DOA.

    1. Re:Dead on Arrival by aelfakih · · Score: 2, Informative
      Hi anonymous,

      I beg to differ. As a website owner, I do not generate enough funds to keep my sites kicking. We all pay to get online, but once we are online we want everything free, which is a good thing, but at the end good websites without major funding will have to close if they do not generate some kind of revenue.

      I mean look at slashdot. they are managed by a big company and still charge you for accessing their site. the trick is to charge users "reasonable" fees that are not too high that makes no sense paying them.

      For example, how much would you pay to access slashdot??? If you are able to put a price, then we do not have a DOA... instead you see my point, everything has a price, but it may not be 30 dollars a month, maybe it is 50 cents per week? or 1 cent a day... everything has a price.

      If it continues to be DOA i will need to bring my first aid kit next time around :)

      Best regards, adonis

    2. Re:Dead on Arrival by Anonymous Coward · · Score: 0

      How much would I pay to access Slashdot? Zero. I pay to access the Internet. Period. The Internet satisfied me just fine when I first accessed it in 1984, and it will continue to serve me just fine when all of these dumb "we need to profit off of this thing" ideas pass away.

    3. Re:Dead on Arrival by Anonymous Coward · · Score: 0
      How much would I pay to access Slashdot? Zero.
      So you are claiming that you would not pay 1/1000 of a cent to access Slashdot. What a stubborn cuss you are.
    4. Re:Dead on Arrival by cduffy · · Score: 1

      I pay for my account on Modern Tales, a webcartoonists collective -- and am very glad that I do!

      Likewise, the creator of digitalblasphemy has also managed to live off of subscriptions to the web site with his art.

      The idea is by no means DOA; there are many who will pay for content of extraordinary quality. (Slashdot, no).

    5. Re:Dead on Arrival by m3b3l33 · · Score: 1

      Are you guys idiots or something, you don't pay for content, you pay for bandwidth! The bandwidth can be used to view other's sites. The only content you are paying for is your ISP's homepage. Most web sites are *completely* different organizations. You guys seem to be under the impression that the internet is one big corporation and every one that produces content on the internet gets paid, although that used to be what AOL was like it's not any more. Why you would use AOL is beyond me.

  6. Philately by Eustace+Tilley · · Score: 2, Interesting

    I wonder ... could the Lebanese Postal Authority be persuaded to (act as) issuer of these stamps? That could mean that anyone trying to crack the encryption would be violating counterfeiting laws, perhaps bringing in Interpol. With all the factionalism in Lebanon, I imagine that the career beaureaucrats are the among the most discreet on the planet.

  7. Ignore those pretending to be superior... by Futurepower(R) · · Score: 1


    Adonis,

    Everything I said still stands. Ignore those pretending to be superior by sympathizing. Do you see that I am helping you by showing you the reaction you will get from visitors?

    Your sites are sloppy. Everyone makes mistakes of this sort. However, you didn't hire an editor to find them.

    Marketing is trying to create a connection between your companies and the outside world. You aren't doing that successfully.

    You said, "when you pick on little things like this it hurts". That is an unprofessional reaction. Do you want to be successful or do you want to have realistic criticism?

    By being sloppy, you are destroying your own chances.

    Everyone wants some scheme like this to succeed. We need micropayments. You seem technically competent, but ignorant about how to become an important public figure, as you will be if your companies succeed.

  8. Mr. El Fakih's sloppiness is self-destructive. by Futurepower(R) · · Score: 1


    See my comment #5216889 below.

    Mr. El Fakih's sloppiness is self-destructive. My comment has nothing to do with whether he is a nice guy. His success will depend on whether he is excellent at communicating his message.

  9. Demo Site Using PHPWebsite not PHPNuke by Anonymous Coward · · Score: 0

    Guess this tool can be integrated into any of the "nuke" variations, I mean centipaid.com is promoting PHPNuke.org because that is the most popular variation...but they are using PHPWebsite's variation to "demo" the use of the system. It will be interesting to see if Postnuke etc will be able to use the system because in theory this is exactly what is needed...but I do have my concerns with privacy issues etc.

    However, please don't promote the use of phpNuke because the security in that software is horrendous! Just because it is popular doesn't mean it is secure....

    1. Re:Demo Site Using PHPWebsite not PHPNuke by Anonymous Coward · · Score: 0
      There are two demos on centipaid.com

      One uses the apache module (phpwebsite demo) http://demo.centipaid.com

      and the other is phpnuke using the php module. I agree that the security in phpnuke is bad, and hopefully it can get its act togther. http://phpnuke.centipaid.com

      I like postnuke much better, and I wonder if you can use some of the software on centipaid for that..