The Almighty Buck

Reading Archival CDs from the PayMyBills Service?

renehollan asks: "PayMyBills produces Windows-only year-end archive CDs, without warning. Has anyone tried to read these under Linux, Solaris or other non-MS operating systems? My experience to date is here." I can empathize with renehollan here: apparently PayMyBills sends out scanned images of the checks used to pay your bills; however, they go to great lengths to make sure the information is only usable on Windows, without mentioning it as a requirement for their archive CDs. I assume this is done so that the data on the disk can be "encrypted" (or just password protected) when the disk is published. Has anyone else using this service been able to get at the pertinent data?

  • JAD (Score:3, Insightful)

    by adamy ( 78406 ) on Tuesday February 05, 2002 @04:42PM (#2957770) Homepage Journal
    If you take a look at the class files under JAD, I am sure you will find a hard coded string literal "../dir" name. Send them a Bug Fix which is:

    String astring = new StringBuffer("..").append(File.separator).append("dir").toString();
    • I'd second that opinion. JAD is absolutely amazing.

      http://kpdus.tripod.com/jad.html
    • I'll try it out. I've had fairly good success with jode [sourceforge.net].
    • by woggo ( 11781 )
      Actually, that code has the same problem. Since File.separator is a compile-time constant, it is replaced with the separator character for the OS you're compiling under; under UNIX, that's "/", and under Windows, it's a backslash -- the end result is that the path will work on the system you're compiling on, but not on one with a different path separator.

      What you'll want to do to get the runtime-system-dependent path separator is System.getProperty("file.separator").

      jad is pretty rad, though.

      • by woggo ( 11781 )
        (I should point out, before I confuse anyone, that by "path separator" in my above prose, I mean the Java concept of "file separator", which is different from the Java concept of "path separator", which refers to how you separate elements in a list of directories.)
  • Already solved... (Score:3, Informative)

    by Hard_Code ( 49548 ) on Tuesday February 05, 2002 @05:10PM (#2957980)
    According to his journal, it looks like he already solved it...
  • by mosch ( 204 ) on Tuesday February 05, 2002 @07:33PM (#2958935) Homepage
    PayMyBills produces Windows-only year-end archive CDs, without warning.
    Holy fuck! A CD just appeared out of nowhere!
  • I can understand you wanting to work all this out as fun or education. Hell I'm of the hacking mind myself and learned most of my electronics and computer stuff by beating my head against things like this.

    However......

    Since they assume that everyone using their service runs Windows, you should make the point with them that this is not the case. Maybe do them the favor of pointing out their flaws but don't fix them for free.

    What you are doing might have some value to their business. If so you should get a cut of that value.

    Otherwise let them figure out how to make their product secure yet available to all their customers.
    • Thanks for the suggestions.

      I have already spoken to one of their customer service reps at length about some of the flaws in their "encryption" approach: 1) it's rather pointless since they send the key in plain text; 2) it disenfranchises non-Windows and non-Mac users; 3) it increases support costs; 4) Linux users are a growing crowd. He seemed willing to listen at least and acknowledged my points.

      I mentioned that, with a bit of effort and luck, I might be able to read the disk under [GNU/]Linux. So far, I have managed to decrypt the CD contents, and more importantly, gotten their local http server to run under Linux to read the CD directly (using J2SDK 1.4.0 and more file name folding hackery -- their java presumes upon Windows (well DOS) filename case folding in a couple of places and has other less avoidable Windowsisms). I had asked for any tech support they could send my way, with a promise to share my findings. To date, I have received no support. (In fairness, they made it clear that they "do not support" Linux).

      As to negotiating reimbursement from them for sharing my efforts, I'm afraid that would be a violation of my H1B visa. Even doing it for them for free might be (I'd have to show that I volunteered something that was not ordinarily a paid service).
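An added example, not part of the original comments and not PayMyBills' code: one way to resolve paths written with Windows assumptions (backslashes, case-insensitive names) on a case-sensitive filesystem, the kind of file name folding described above. The class name `FoldedPath` and the demo file names are hypothetical; paths are built with `File(parent, child)` so no separator literal appears.

```java
import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;

// Added example: class and file names are hypothetical, the demo tree is constructed.
public class FoldedPath {
    /** Resolve rel (either separator, any letter case) against base, one component at a time. */
    public static File resolve(File base, String rel) throws IOException {
        File cur = base;
        for (String part : rel.split("[/\\\\]+")) {      // accept both '/' and '\'
            if (part.isEmpty() || part.equals(".")) continue;
            if (part.equals("..")) {
                File parent = cur.getCanonicalFile().getParentFile();
                if (parent == null) throw new FileNotFoundException("no parent for " + cur);
                cur = parent;
            } else {
                cur = matchChild(cur, part);
            }
        }
        return cur;
    }

    /** Exact match first, then a case-insensitive scan that rejects ambiguous names. */
    private static File matchChild(File dir, String name) throws IOException {
        File exact = new File(dir, name);
        if (exact.exists()) return exact;
        String[] entries = dir.list();                   // null if dir is not a readable directory
        File found = null;
        if (entries != null) {
            for (String e : entries) {
                if (!e.equalsIgnoreCase(name)) continue;
                if (found != null) throw new IOException("ambiguous match for " + name + " in " + dir);
                found = new File(dir, e);
            }
        }
        if (found == null) throw new FileNotFoundException(name + " not found in " + dir);
        return found;
    }

    public static void main(String[] args) throws IOException {
        // Constructed demo tree: <tmp>/foldedpath-demo/{App, DIR/Index.HTM}
        File root = new File(System.getProperty("java.io.tmpdir"), "foldedpath-demo");
        File app = new File(root, "App");
        File dir = new File(root, "DIR");
        app.mkdirs();
        dir.mkdirs();
        new File(dir, "Index.HTM").createNewFile();
        System.out.println(resolve(app, "..\\dir\\index.htm"));
    }
}
```

The ambiguity check matters on Linux, where `DIR` and `dir` can coexist in one directory; failing there is safer than silently picking one.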

      • Re:What fun (Score:2, Funny)

        by mosch ( 204 )
        or just send it to them without a credit attached, for the betterment of mankind.

        you do like mankind don't you? If you don't, then the terrorists have already won.

        I used to think that way too and would have given the results of my labor to the company for free. But there is more at stake here than that. There are several things to consider.

        Like a kid with a toy they've been given vs. one they earned, the company will value and respect the work more if they pay for it. If he gives them the tweak to make the CD work then it's more like "oh look what the nice kid who plays with Linux gave us" rather than giving his work the credit that is due.

        Second, if you give it to them you set a precedent. They will come to expect that they can pay to hire programmers to write Windows apps then have Linux compatibility follow for free.

        I came to understand this recently working as a mechanic. The agency that hired me does not have money in this year's budget to pay me overtime. Sometimes I get involved in a job and don't want to quit and am willing to stay late a few more minutes without pay to finish up.

        Sounds fine right?

        Not when there are other mechanics who are budgeted. By working for free I have taken the opportunity for them to work. I've taken money away from them. So not only am I not playing nicely with the other mechanics, now my employer thinks "it's no big deal to budget for this guy for overtime next year, he'll work for free".

        The same thing would apply here.

        I'm not saying he should ask a fortune, but at the very least he should seek a token for his work.

        Tough thing tho about the H1B restrictions. Not sure about how to work around that and even giving it away could cause problems.
        • Your points are insightful, but there are several problems:

          1) The whole H1B visa thing: it can be so bad that you can get kicked out of the country for cleaning your own gutters -- "depriving an American of the job"! Yes, that was an extreme case, and it involved a TN1 instead of an H1B visa (basically, someone pissed off their neighbor who found an INS asshole and turned the gutter-cleaner in), but the fact is INS people have incredible discretionary powers.

          2) It's not like PayMyBills needs the patch. I'm sure they have plenty of Windows customers.

          3) If I don't give it to them, or they refuse to pay me for it, or I can't make it available to them for INS reasons, the Linux community is left poorer. I don't care as much about PayMyBills getting a freebie, or getting paid for it, as I do the community getting a useful tool.

          4) DMCA. One could argue that PayMyBills has a compilation copyright on the compilation of my bills. They've protected access to that compilation with an encryption scheme (a good one, I might add, as far as I can tell). My disclosure of how to circumvent that could run me afoul of the DMCA (though I already described the basic steps in my journal). I suppose I could argue an "interoperability defense" but it is questionable if that would work. Since one still requires the key, I could argue that nothing was circumvented, but the counter would be "use of Windows was circumvented".

          This should really be simple: I should just give the damn fix away to anyone BUT PayMyBills unless they pay for the right to use it. But the legalities are surprisingly complex.

          • I'm with you there. I've worked with several folks who were here under H1B status and it does suck in a lot of ways. I would imagine it's even tougher dealing with INS after last September.

            You're right that it really should be a simple thing. With all these complications and restrictions we're lucky we can even breathe without a permit and a dozen lawyers involved. I would love it if we could get back to where business deals were conducted over a drink and sealed with a handshake that was binding. Then again, in this day and age, I'm sure I could be sued for suggesting that.

            Sigh.

            Oh well. Smile. And good luck with that CD.
            • The INS isn't all that bad. I just wish the rules were simpler (not requiring a lawyer to do every little thing), and they processed things faster. They just have a good deal of clout, and, like any organization, occasionally employ an asshole. Assholes with clout == bad.

              I found out a bit more about the CD. It contains cryptix32.jar: an open source JCE 1.2 implementation. The interesting thing is that this includes RSA (no longer patented), and IDEA algorithms. IDEA is free to use for noncommercial purposes. Since I paid for the CD, I'd think PayMyBills is using cryptix32 for "a commercial purpose". It is a bit more complex since the IDEA code appears not to be executed in PayMyBills' application (they use Blowfish), so I suppose it's up to the lawyers to argue whether IDEA is "used" or not. Still, I'm finding this fun... I'm tempted to rework my own version of the CD with none of PayMyBills' code. I figure I'll rework the embedded http server (which does the encryption), and then tackle the HTML UI and add a few features (like exporting the data).

      • I wonder if there's any DMCA chicanery that could be pulled, or EULA, in addition to the H1B issue? Digging into someone's code to figure how it works is probably a no-no, but calling them up and talking about it might be worse.

        Sorry, man. Just raising the question.

        • No EULA on the CD jacket or packaging, but there are TOS regarding what I can do with PayMyBills service (basically, I can't resell it).

          As for the DMCA... the encrypted data are mine and PayMyBills acknowledges that. In fact I give them limited power of attorney to use that only to facilitate its collection and presentation to me. They go to some pains to express that the data is not theirs.

  • I thought GNU/Linux was supposed to make everything free as in beer. How come you still have bills to pay?

    The hard part was convincing my landlord to release my apartment under the GPL.
