Bringing Micropayments To the phpnuke Community
aelfakih writes "Centipaid.com made available a phpnuke add-on making it possible for anyone with a phpnuke site to collect micro fees for accessing specific sections of the site.
The module is released under GPL and it is still beta, but seems to be stable.
There is a demo of the micropayment system for phpnuke on http://phpnuke.centipaid.com. There is also a GPL Apache module that does the same thing, but it is intended for system admin with access to the apache server config files, or .htaccess.
Links to the phpnuke info are on http://www.centipaid.com/download.html as well as the phpnuke.org site.
Links to the apache::centipaid module are on http://www.centipaid.com/download.html and on freshmeat.net"
Although techniques like these have probably been around for some time (it's not even fundamentally different than credit-card) I must say I'm truly amazed by the simplicity of this concept. It seems pretty solid. Even though the system is completely open to hackers/crackers, I can't see a way that privacy information gets anywhere but with Centipaid.
Now whether or not Centipaid is more trustworthy than Microsoft's Passport system, only time will tell. But I'm very optimistic. Great job guys!
--
Money is the root of all evil (Send $30 for more info)
A patent pending technology for electronic commerce that [uses a] "variable length key that is encrypted using blowfish algorithm then merged with the image of the stamp using another variable length password" with no peer review of the security of the system? Users can "exhange stamps online and many users can use one internet stamp until it runs out of funds"? A sales site (interstamps.net) with no indication of parent company, physical address, telephone number? A completely anonymous system with a tracking serial number?
This sounds like the worst of horror stories that can be devised by Open Source and Privacy advocates combined, but we're singing its praises because it released some code under the GPL?
So apart from the many pointers that indicate that no self respecting online purchaser should hand over ANY details to this site, what about security and anonymity?
Sites you purchase from clearly can't track your identity across transactions (assuming you use a different stamp). Or can they?
Well, Centipaid or Internetstamps can certainly track all purchases you make, by virtue of the stamp's serial number. While they promise nicely in their Privacy Notice not to "materially change" their privacy policy, they reserve the right to. They also say they won't divulge "account contact or payment information", but that's easy to sidestep in a number of ways (is what you purchased and where you bought it "payment information"?).
Since Centipaid has close ties with the sellers (producer and consumers of the technology, right?), can we be sure that our purchasing trends aren't being syndicated to ALL of the sellers? Or maybe to Doubleclick or a similar organisation. All you're really doing in this system is trusting a third party to behave responsibly ... one that doesn't even provide a physical address or indication of incorporation on their website. Ouch.
As for security, well, they're rather scant on details. A quick look over the PHP source code available from the site seems to indicate that you get redirected to a gateway under Centipaid's control - a standard mechanism for payments through Trusted Third Parties. But it would also seem (although I could be mistaken) that the communication between the merchant and Centipaid is not encrypted or authenticated (signed).
Without going into detail, any third party payment system that does not use a PKI and does not have secure communication between each pair of parties can be attacked. In this case it is most likely that the merchant could be attacked. Nice for the purchaser, not so nice for the seller.
Besides this is the original claim that users can "exhange stamps online and many users can use one internet stamp until it runs out of funds". So this is really a debit facility (prepaid account) with a gimmick (a pretty picture ... oooh, aaah!). Your stamp is no more or less secure than a credit card -- you just have a better ability to limit your losses.
No, I wouldn't trust the security of this system...
It may be interesting to take a read over this Internet draft, written by the guy who appears to own/run Centipaid. The paragraph entitled "Electronic postage support" is especially interesting, as is this notice: "Adonis El Fakih has a patent pending that may relate to AMDP internet draft specifically to the work derived from draft-amdp-00.txt", after which some reference is made to non-discriminatory terms.
I'll let you draw your own conclusions...
i-name =twylite [http://public.xdi.org/=twylite], see idcommons.net
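An added illustration of the authenticated merchant/gateway exchange the comment above finds missing; it is not Centipaid's code and not part of the original comment. It uses an HMAC with a pre-shared key rather than the PKI the comment mentions, and the field names, key and sample receipt are constructed assumptions.

```python
import hashlib
import hmac
import time

# Hypothetical secret provisioned out of band between merchant and gateway.
SHARED_KEY = b"constructed-demo-key-not-a-real-secret"
MAX_AGE = 300          # seconds a receipt stays valid
_seen_nonces = set()   # in production: a store shared by all web workers


def _canonical(fields):
    # Sort keys and length-prefix values so two different field sets can
    # never serialise to the same byte string.
    return "&".join(f"{k}={len(str(v))}:{v}" for k, v in sorted(fields.items())).encode()


def sign_receipt(fields, key=SHARED_KEY):
    """Gateway side: MAC over every field the merchant will rely on."""
    return hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()


def verify_receipt(fields, sig, expected_amount, expected_merchant, now=None, key=SHARED_KEY):
    """Merchant side: return (ok, reason) for a receipt delivered via redirect."""
    now = time.time() if now is None else now
    if not hmac.compare_digest(sign_receipt(fields, key), sig):
        return False, "bad signature"
    if fields.get("merchant") != expected_merchant:
        return False, "receipt issued for another merchant"
    if int(fields.get("amount_cents", -1)) != expected_amount:
        return False, "amount mismatch"
    if abs(now - int(fields.get("ts", 0))) > MAX_AGE:
        return False, "stale receipt"
    nonce = fields.get("nonce")
    if not nonce or nonce in _seen_nonces:
        return False, "replayed receipt"
    _seen_nonces.add(nonce)
    return True, "ok"


def demo():
    # Constructed sample receipt; field names are illustrative only.
    r = {"merchant": "example-site", "amount_cents": 10, "nonce": "n-001", "ts": 1_000_000}
    sig = sign_receipt(r)
    results = [verify_receipt(r, sig, 10, "example-site", now=1_000_010)]
    results.append(verify_receipt(r, sig, 10, "example-site", now=1_000_020))  # same receipt again
    altered = dict(r, amount_cents=1, nonce="n-002")  # fields changed after signing
    results.append(verify_receipt(altered, sig, 1, "example-site", now=1_000_030))
    return results
```

The signature check comes first so that no unauthenticated field is parsed or trusted before the receipt is known to come from the gateway.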
The bottom of the Centipaid.com home page says, "2002 © Copyright Centipaid.com, Adonis El Fakih." Is this person "Adonis the faker"? Is this an elaborate joke?
The Centipaid.com Contact Us page does not list a telephone number, only an address, email addresses, and fax numbers. Would you trust your business to someone who won't give you a telephone number?
Centipaid.com depends entirely on another company, InternetStamps.net.
The InternetStamps.net web site doesn't seem finished. At present, the Shipping & Returns page says, "Put here your Shipping & Returns information."
The bottom of the InternetStamps.net page says, "1580 requests since Wednesday 27 November, 2002". These people are not good at marketing. If they were, they would explain their service better.
The bottom of the InternetStamps.net page also says, "Copyright © 2002 osCommerce Powered by osCommerce". What is osCommerce? Yes, I can guess, but I would like to be told definitively.
Whoever Adonis El Fakih is, English does not seem to be his first language. The Services page says, "For example you can decide to charge 1 cent to grant access for one day to one section of your site, and , while another area will be 10 cents for a week."
What is "and
Why the very long page load times?
The model assumes that each domain name has a public mail policy. The mail policy will set the postage for the domain based on the mail category. If anyone wants to mail that domain then they need to pay, or the message is denied.
I submitted a proposal to the IETF, but since it is in draft mode, it can not be used for reference, and if people are interested in this please let me know. I can give you access to the source code of the demo implementation that makes this possible based on the designed model.
Thanks, Adonis
I beg to differ. As a website owner, I do not generate enough funds to keep my sites kicking. We all pay to get online, but once we are online we want everything free, which is a good thing, but at the end good websites without major funding will have to close if they do not generate some kind of revenue.
I mean look at slashdot. They are managed by a big company and still charge you for accessing their site. The trick is to charge users "reasonable" fees that are not too high that makes no sense paying them.
For example, how much would you pay to access slashdot??? If you are able to put a price, then we do not have a DOA... instead you see my point, everything has a price, but it may not be 30 dollars a month, maybe it is 50 cents per week? or 1 cent a day... everything has a price.
If it continues to be DOA I will need to bring my first aid kit next time around :)
Best regards, adonis
I wonder ... could the Lebanese Postal Authority be persuaded to (act as) issuer of these stamps? That could mean that anyone trying to crack the encryption would be violating counterfeiting laws, perhaps bringing in Interpol. With all the factionalism in Lebanon, I imagine that the career bureaucrats are among the most discreet on the planet.