1. Home
  2. Categories
  3. Side Bar WTF
  4. Choose your own price with Kagi

Choose your own price with Kagi

  • B

     

    Summary: Kagi is a payment processing e-commerce type application. It sends an xml string from the vendor's site. Included in this xml string is the price of the product.. which you can change if you like.

    The Kagi CEO then comments on the blog entry and says it's a feature not a bug.

    0
  • E

    Actually, that's not exactly a true summary. The CEO makes some very cogent points, and the developer seems like a real jackass. A better summary would be:

    Developer: I just discovered that you can use Kagi to buy shareware below normal price!

    CEO: If you do that, we can very easily take you to court for theft, unless you're also using a stolen credit card, and what sort of idiot would bother? We allow developers to set a floor on the price if they want, which would solve this problem, but the point is that developers can use this system to give people discounts on the fly. If the author of the program you used hadn't been dumb enough to compile the XML into their app as plain text without doing any tests to make sure it hadn't been edited, you wouldn't even have noticed this.

    Developer: Your word choice shows that this is a huge security hole with no remedy! I'm absolutely right and you're absolutely wrong, and it doesn't matter if there's a workaround! Everything is broken forever and your company sucks!

    Not that I expected anything better off a random developer's blog, but still...

    Moderator's note: fixed paragraphing

    0
  • S

    @El Disposo said:

    If the author of the program you used hadn't been dumb enough to compile the XML into their app as plain text without doing any tests to make sure it hadn't been edited, you wouldn't even have noticed this.

    ... that's just the wrong way of thinking about it.

     

    Developer: Your word choice shows that this is a huge security hole with no remedy! I'm absolutely right and you're absolutely wrong, and it doesn't matter if there's a workaround!

    "Workaround" is never a proper substitute for "proper security". Also, clearly it's not working very well, because this guy managed to get a 96.6% discount.

    0
  • S

    @El Disposo said:

    If you do that, we can very easily take you to court for theft
     

    You can take someone to court for just about anything very easily, the question is if you will win.  I think a good lawyer could easily prove your changing the price was an offer, and their server permitting you to buy the product at that price was acceptance.

    0
  • E

    @shepd said:

    @El Disposo said:

    If you do that, we can very easily take you to court for theft
     

    You can take someone to court for just about anything very easily, the question is if you will win.  I think a good lawyer could easily prove your changing the price was an offer, and their server permitting you to buy the product at that price was acceptance.

    Nope, there was a case of this sort already, so there's precedent. Doing that would fall under the terms of the DMCA and you would lose. (Circumventing copy protection, no matter how trivial it may be, is illegal.)

    It's approximately equivalent to noticing that your neighbor's front door is only locked shut by a hook over a nail inside, and pushing hard enough on the door that the nail is pulled out of the wood. It doesn't matter how crappy the lock is: if you had to break it to get in, you're guilty of breaking and entering.

    Moderator's note: paragraphing again

    0
  • N

    @El Disposo said:

    @shepd said:

    @El Disposo said:

    If you do that, we can very easily take you to court for theft
     

    You can take someone to court for just about anything very easily, the question is if you will win.  I think a good lawyer could easily prove your changing the price was an offer, and their server permitting you to buy the product at that price was acceptance.

    Nope, there was a case of this sort already, so there's precedent. Doing that would fall under the terms of the DMCA and you would lose. (Circumventing copy protection, no matter how trivial it may be, is illegal.)

    It's approximately equivalent to noticing that your neighbor's front door is only locked shut by a hook over a nail inside, and pushing hard enough on the door that the nail is pulled out of the wood. It doesn't matter how crappy the lock is: if you had to break it to get in, you're guilty of breaking and entering.


    I think your analogy shows why this is a WTF - only an idiot would trust there valuables to such a crappy "lock" and the reassurance that if anyone does "steal" from them they can find the person and attempt to take them to court. We all know litigation is much easier, cheaper and more foolproof then implementing server-side validation for online transactions.

    0
  • Zemm

    @El Disposo said:

    It's approximately equivalent to noticing that your neighbor's front door is only locked shut by a hook over a nail inside, and pushing hard enough on the door that the nail is pulled out of the wood
     

    I'd say in this case it is more like being in a store and taking a price-tag off one item and placing it onto another, then the check-out operator not noticing that you put a $1 price tag onto a $30 item. (Assuming barcodes are not in use, etc)

    @El Disposo said:

    Circumventing copy protection, no matter how trivial it may be, is illegal.

    Is plain text copy protected?

    0
  • S

    @Zemm said:

    @El Disposo said:

    It's approximately equivalent to noticing that your neighbor's front door is only locked shut by a hook over a nail inside, and pushing hard enough on the door that the nail is pulled out of the wood
     

    I'd say in this case it is more like being in a store and taking a price-tag off one item and placing it onto another, then the check-out operator not noticing that you put a $1 price tag onto a $30 item. (Assuming barcodes are not in use, etc)

    @El Disposo said:

    Circumventing copy protection, no matter how trivial it may be, is illegal.

    Is plain text copy protected?

     

    In the United States, it would probably be almost trivial to convince a judge and/or jury who are not knowledgeable in the field that the data being in XML format counted as some sort of encryption.

    0
  • MiffTheFox

    @Someone You Know said:

    In the United States, it would probably be almost trivial to convince a judge and/or jury who are not knowledgeable in the field that the data being in XML format counted as some sort of encryption.

    Hell, ASCII likely counts as encryption here.

    0
  • S

    TRWTF is using a service to sell your products rather than handling the shopping cart yourself. Of course, as a payment processing industry insider, I can also add in another WTF with Kagi that they are probably (unless they have an exemption) violating Visa and MasterCard's rules by doing factoring (where a business processes payment card transactions on behalf of another business)

    0
  • E

    The CEO's point, which was valid but which you (like the original programmer) did not bother to consider because you were too busy ranting, was that if you make the XML even slightly difficult to edit, this problem essentially solves itself. The Kagi service works by distributing serial numbers in exchange for payment, not by verifying apps which phone home. Anyone capable of decrypting encrypted XML inside an application is going to be capable of either cracking the application to remove the shareware block entirely or finding a serial number on a Warez site, so there's no point in wasting a lot of effort on this method, when a better one is already available for those who care.

    0
  • S

    @MiffTheFox said:

    @Someone You Know said:

    In the United States, it would probably be almost trivial to convince a judge and/or jury who are not knowledgeable in the field that the data being in XML format counted as some sort of encryption.

    Hell, ASCII likely counts as encryption here.

     

    Yes. Most people don't have any idea what it means, but referring to it as an "encoding" will probably be enough.

    0
  • E

    @El Disposo said:

    Actually, that's not exactly a true summary. The CEO makes some very cogent points, and the developer seems like a real jackass.

    Well, the developer does have a good point with the malware scenario. Imagine some sort of malware altering the XML-containing the price without the user even noticing.

    0
  • ?

    @enfiskutensykkel said:

    @El Disposo said:
    Actually, that's not exactly a true summary. The CEO makes some very cogent points, and the developer seems like a real jackass.

    Well, the developer does have a good point with the malware scenario. Imagine some sort of malware altering the XML-containing the price without the user even noticing.

     

    And what would that accomplish?  "I'm going to write a worm that gives everybody who's infected discounts on shareware products purchased through Kagi!"  Yeah... not happening.

    0
  • L

    @Aaron said:

    "I'm going to write a worm that gives everybody who's infected discounts on shareware products purchased through Kagi!"  Yeah... not happening.

    Unless someone would be willing to pay for that to happen, say a compeditor to Kagi?

    0
Log in to reply