Slashdot Mirror


Bringing Micropayments To the phpnuke Community

aelfakih writes "Centipaid.com made available a phpnuke add-on making it possible for anyone with a phpnuke site to collect micro fees for accessing specific sections of the site. The module is released under GPL and it is still beta, but seems to be stable. There is a demo of the micropayment system for phpnuke on http://phpnuke.centipaid.com. There is also a GPL Apache module that does the same thing, but it is intended for system admins with access to the apache server config files, or .htaccess. Links to the phpnuke info are on http://www.centipaid.com/download.html as well as the phpnuke.org site. Links to the apache::centipaid module are on http://www.centipaid.com/download.html and on freshmeat.net"

5 of 22 comments

  1. Horror story by Twylite · · Score: 5, Insightful

    A patent pending technology for electronic commerce that [uses a] "variable length key that is encrypted using blowfish algorithm then merged with the image of the stamp using another variable length password" with no peer review of the security of the system? Users can "exchange stamps online and many users can use one internet stamp until it runs out of funds"? A sales site (interstamps.net) with no indication of parent company, physical address, telephone number? A completely anonymous system with a tracking serial number?

    This sounds like the worst of horror stories that can be devised by Open Source and Privacy advocates combined, but we're singing its praises because it released some code under the GPL?

    So apart from the many pointers that indicate that no self respecting online purchaser should hand over ANY details to this site, what about security and anonymity?

    Sites you purchase from clearly can't track your identity across transactions (assuming you use a different stamp). Or can they?

    Well, Centipaid or Internetstamps can certainly track all purchases you make, by virtue of the stamp's serial number. While they promise nicely in their Privacy Notice not to "materially change" their privacy policy, they reserve the right to. They also say they won't divulge "account contact or payment information", but that's easy to sidestep in a number of ways (is what you purchased and where you bought it "payment information"?).

    Since Centipaid has close ties with the sellers (producer and consumers of the technology, right?), can we be sure that our purchasing trends aren't being syndicated to ALL of the sellers? Or maybe to Doubleclick or a similar organisation. All you're really doing in this system is trusting a third party to behave responsibly ... one that doesn't even provide a physical address or indication of incorporation on their website. Ouch.

    As for security, well, they're rather scant on details. A quick look over the PHP source code available from the site seems to indicate that you get redirected to a gateway under Centipaid's control - a standard mechanism for payments through Trusted Third Parties. But it would also seem (although I could be mistaken) that the communication between the merchant and Centipaid is not encrypted or authenticated (signed).

    Without going into detail, any third party payment system that does not use a PKI and does not have secure communication between each pair of parties can be attacked. In this case it is most likely that the merchant could be attacked. Nice for the purchaser, not so nice for the seller.

    Besides this is the original claim that users can "exchange stamps online and many users can use one internet stamp until it runs out of funds". So this is really a debit facility (prepaid account) with a gimmick (a pretty picture ... oooh, aaah!). Your stamp is no more or less secure than a credit card -- you just have a better ability to limit your losses.

    No, I wouldn't trust the security of this system...

    It may be interesting to take a read over this Internet draft, written by the guy who appears to own/run Centipaid. The paragraph entitled "Electronic postage support" is especially interesting, as is this notice: "Adonis El Fakih has a patent pending that may relate to AMDP internet draft specifically to the work derived from draft-amdp-00.txt", after which some reference is made to non-discriminatory terms.

    I'll let you draw your own conclusions...

    --
    i-name =twylite [http://public.xdi.org/=twylite], see idcommons.net
    1. Re:Horror story by aelfakih · · Score: 3, Insightful
      Hi Twylite,

      Internetstamps and centipaid are owned by the same company; they just present two different brands.

      Getting to answer your questions.

      1. Security and anonymity... It is secure; there is no way for anyone to predict what an internet stamp is. The internet stamp itself is composed of at least 7 different keys that need to coincide before it can be used for payment.

      2. Anonymous.. yes, although "right now" internetstamps.net knows who you are, that can be easily changed once you can purchase internet stamps by methods that are not tracked, i.e. cash, or other means. When it comes to the merchants, they never know who is making payment. Why? Because they are not handed the stamp's serial number at all, not even in their monthly statements. They only get a receipt number for the transaction.

      3. Are you sure that trends will be syndicated, and my answer will yes be sure that they are not. I am as fed up as anyone with being tracked when I make purchases, and the business model of centipaid is to make money from the transactions and NOT from where people go. Most likely when the business matures there will be reports that say X% bought from this merchant, but there will NEVER be a report that says who bought what... I mean that is the whole point of the anonymous system..

      4. The communication between the merchant and centipaid is definitely not encrypted because it does not need to be.. The user never hands the internet stamp to the merchant; they pay centipaid using our gateway, and then the merchant receives a receipt number, which they authenticate with our servers to make sure a payment is made. Now if someone intercepts the receipt number, it is fine, since it does not indicate anything. Merchants who are too paranoid, wanting to encrypt their receipt numbers, can do that in future versions :)

      5. Yes, the internet stamp in a way is a debit facility. How can you make payments if you did not?? And yes, it is designed to limit your losses. You got it, that is the whole point. If you mess up and give your stamp to someone, your losses are limited. Also each internet stamp comes with a proof of purchase. It is never used in a purchase, but in the event that your stamp has been compromised by an outsider, or you want to move funds, etc.. then this is the ultimate proof of you owning the stamp, since at the end the model allows for complete anonymity; not even centipaid will know who you are if you purchase the stamp with cash.

      6. Thanks for seeing the proposed document to ietf, and yes, when I was working on the new mail application design, I realized that a reliable micropayment system will be required, and the design of the internet stamp technology came into play, and internet stamps are designed to be used in scenarios where anonymity is key.

      Now I am not sure what you mean with draw your conclusions. I have drawn one that you did not read much on the centipaid site, since many of these points are explained in detail.

      I agree with you that internet stamps should have more information, and we will work on that..

      In all cases I do appreciate your honesty and your feedback, and hope that I have answered some of your questions.

      Best regards, Adonis
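
Added example, not part of the thread and not Centipaid's code: the exchange above turns on whether the gateway's receipt confirmation is authenticated, and this sketch shows a merchant-side check that trusts any reply next to one that verifies a MAC and binds the reply to the request. It uses a shared-key HMAC rather than the PKI mentioned in the first comment; the key, merchant id, receipt numbers and field names are all constructed assumptions.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo values; key, merchant id and field names are hypothetical.
KEY = b"constructed-demo-key"
MERCHANT = "merchant-42"

def canonical(body):
    """Stable byte encoding so both sides MAC exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def gateway_confirm(key, merchant, receipt, cents, nonce):
    """Gateway side: state that a receipt is paid and MAC the whole statement."""
    body = {"merchant": merchant, "receipt": receipt, "cents": cents,
            "nonce": nonce, "status": "paid"}
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

def accepts_unauthenticated(reply, receipt):
    """Check with no authentication: trusts whatever arrives on the wire."""
    b = reply["body"]
    return b["receipt"] == receipt and b["status"] == "paid"

def accepts_authenticated(key, reply, merchant, receipt, cents, nonce):
    """Verify the MAC first, then bind every field to this exact request."""
    want = hmac.new(key, canonical(reply["body"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(want, str(reply.get("tag", ""))):
        return False
    b = reply["body"]
    return (b["merchant"], b["receipt"], b["cents"], b["nonce"], b["status"]) == \
           (merchant, receipt, cents, nonce, "paid")

def demo():
    nonce = secrets.token_hex(16)          # fresh per verification request
    genuine = gateway_confirm(KEY, MERCHANT, "R-1001", 10, nonce)
    # A reply altered in transit by a party that does not hold KEY.
    altered = {"body": dict(genuine["body"], receipt="R-9999"), "tag": genuine["tag"]}
    later_nonce = secrets.token_hex(16)    # a later, unrelated request
    return {
        "weak_accepts_altered": accepts_unauthenticated(altered, "R-9999"),
        "strong_accepts_altered": accepts_authenticated(KEY, altered, MERCHANT, "R-9999", 10, nonce),
        "strong_accepts_genuine": accepts_authenticated(KEY, genuine, MERCHANT, "R-1001", 10, nonce),
        "strong_accepts_replay": accepts_authenticated(KEY, genuine, MERCHANT, "R-1001", 10, later_nonce),
    }

if __name__ == "__main__":
    print(demo())
```

The nonce comparison is what rejects a genuine confirmation replayed against a later request; the MAC alone would accept it.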

  2. Who is Adonis El Fakih? by Futurepower(R) · · Score: 4, Insightful


    The bottom of the Centipaid.com home page says, "2002 © Copyright Centipaid.com, Adonis El Fakih." Is this person "Adonis the faker"? Is this an elaborate joke?

    The Centipaid.com Contact Us page does not list a telephone number, only an address, email addresses, and fax numbers. Would you trust your business to someone who won't give you a telephone number?

    Centipaid.com depends entirely on another company, InternetStamps.net.

    The InternetStamps.net web site doesn't seem finished. At present, the Shipping & Returns page says, "Put here your Shipping & Returns information."

    The bottom of the InternetStamps.net page says, "1580 requests since Wednesday 27 November, 2002". These people are not good at marketing. If they were, they would explain their service better.

    The bottom of the InternetStamps.net page also says, "Copyright © 2002 osCommerce Powered by osCommerce". What is osCommerce? Yes, I can guess, but I would like to be told definitively.

    Whoever Adonis El Fakih is, English does not seem to be his first language. The Services page says, "For example you can decide to charge 1 cent to grant access for one day to one section of your site, and , while another area will be 10 cents for a week."

    What is "and ,"?

    Why the very long page load times?

    1. Re:Who is Adonis El Fakih? by Eustace+Tilley · · Score: 3, Insightful
      What is osCommerce? Yes, I can guess, but I would like to be told definitively.


      Hmm, the osCommerce is an Anchor tag, with a URI. Clicking on it leads to what appears to be the osCommerce website. There's a forum section with (apparently) a few thousand posts.

      "Adonis the faker"? Is this an elaborate joke?
      Anything's possible in the world wide web, but I note that three of the nine "people" stamps are Lebanese celebrities, and the U.S. celebrity stamp is J.F.Kennedy, one of our less obnoxious presidents. My Arabic is skimpy, but Google has 1,500 hits for the surname "el Fakih."
  3. Dead on Arrival by Anonymous Coward · · Score: 1, Insightful

    Internet users already pay for content and access to web sites. It's called paying Internet access fees to your ISP. Additional fees will never be accepted. This idea is DOA.