Tag Archive - Opinions

Solving credit card data breaches with public-key cryptography

After reading about Sony’s major clusterf… cock-up on their PSP network breach, and how up to 77 million accounts could have been stolen, including credit card data, I propose a method to cure the generic problem of storing customer payment details for recurring billing, such as subscriptions or subsequent purchases.

Step 1. Payment gateway provides business with an individual public encryption key

Upon setting up a payment gateway for processing credit card payments, the business, in this case, Sony, would be issued a public key – be it by the bank if they deal directly with them, or a payment gateway such as RBS.

Step 2. Business encrypts credit card data with public key before storage

PCI DSS specs for storing credit card data securely call for very strong access control, encryption and accountability, but these do not hold up against sloppy employees, loss of the encryption keys that protect the card data, and so on. Once you have a break-in, if you keep the keys to the safe in the office your valuables are completely naked. With a public key, you are effectively storing the safe’s keys somewhere else. This is how the process works, schematically:

[Diagram]

Step 3. User makes a purchase

Once the user decides to make a purchase, or has to be billed for the month’s service, the business pulls the encrypted credit card data off its database, combines it with the purchase price and other required information, and sends it to the payment processor for authorization. The payment processor can decrypt the credit card data with its private key, and can thus process the transaction normally:

[Diagram]

What does all this solve?

  • Users only hand over their credit card data at the start of the relationship, and the business/merchant never stores it in readable form.
  • The merchant doesn’t keep credit card data that can be recovered, even by a corrupt employee or in a full-blown data breach.
  • Encrypted card data cannot be used in replay attacks in other places, or by other merchants, as the public key is issued per merchant.
  • If a breach takes place, all the payment gateway needs to do is revoke the public key and destroy the private key, thus card data cannot be compromised.

All this would obviously cost time and money to implement, but in my view it would be a big step forward in keeping customer credit card data secure.
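Steps 1 to 3 and the per-merchant and revocation properties listed above, sketched in Go as an added example (not code from the original post or from any payment gateway). `Gateway`, `Enroll`, `SealCard`, `Authorize`, `Revoke` and the merchant IDs are hypothetical names, and RSA-OAEP with the merchant ID as its label is an assumed choice of scheme.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Gateway keeps one private key per merchant; all names here are hypothetical.
type Gateway struct{ keys map[string]*rsa.PrivateKey }

func NewGateway() *Gateway { return &Gateway{keys: map[string]*rsa.PrivateKey{}} }

// Enroll (step 1) creates a merchant's key pair and hands out only the public half.
func (g *Gateway) Enroll(merchantID string) (*rsa.PublicKey, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	g.keys[merchantID] = k
	return &k.PublicKey, nil
}

// Revoke destroys the private key, so ciphertexts sealed for it stay sealed.
func (g *Gateway) Revoke(merchantID string) { delete(g.keys, merchantID) }

// SealCard (step 2) runs at the merchant before storage. OAEP is randomized, so
// nobody holding the public key can confirm a guessed card number by re-encrypting it.
func SealCard(pub *rsa.PublicKey, merchantID, card string) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(card), []byte(merchantID))
}

// Authorize (step 3) decrypts with the key of the merchant submitting the charge.
func (g *Gateway) Authorize(merchantID string, sealed []byte) (string, error) {
	k, ok := g.keys[merchantID]
	if !ok {
		return "", fmt.Errorf("no active key for merchant %q", merchantID)
	}
	card, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, k, sealed, []byte(merchantID))
	return string(card), err
}

func main() {
	g := NewGateway()
	pub, _ := g.Enroll("merchant-a")
	sealed, _ := SealCard(pub, "merchant-a", "4111111111111111") // constructed test number
	card, err := g.Authorize("merchant-a", sealed)
	fmt.Println(card, err)
}
```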

How to -maybe- get your WiFi working again

No pun intended, honestly, but Tony Smith’s article on The Register’s RegHardware, ‘How to get your Wi-Fi working again’, while making a nice and broad effort at examining the problems plaguing WiFi nowadays, and reviewing several options to improve your experience around WiFi, also uses somewhat pseudoscientific methods to measure things like signal strength.

“Not that the N1 is a poor choice. Belkin’s software makes set-up a doddle and it’s handily compatible with both 802.11b and 802.11g for older, un-upgradeable devices. I hooked the N1 up to my cable modem, and was quickly up and running with the 802.11n USB adaptor plugged into my Vaio in the next room. Here, the signal registered as four blocks, two higher than the 802.11g RangeMax router yielded in the same location, albeit at a different time.”

What exactly is four blocks? -60dBm? -110dBm? Cutting Tony some slack, he attempts to explain the issues and measurements in layman’s terms, so that as many people reading the article as possible will understand what he is talking about, but still, there are better ways to measure the performance of WiFi networks. Signal strength readings are as reliable as my 90-year-old granny at the shooting range, save for a few cards which provide pretty accurate figures. A good measure of the performance, or lack thereof, in the various setups he studies, could have been net throughput. There are various tools to do this, such as the excellent yet very simple NetCPS from Netchain Communications. In WiFi, throughput is proportional (amongst other things) to available wireless bandwidth, that is, theoretical bandwidth minus artifacts such as interference and background noise – thus, between two particular machines, NetCPS would provide a good sense of how well a combination of routers, bands and adapters is performing.

Chronopay suspends Allofmp3 merchant account

It seems that after VISA and MasterCard decided to stop processing payments for the controversial Russian site allofmp3.com, Chronopay, a payment processor based in the Netherlands and the site’s only remaining means to acquire revenue, has also decided to fold their account. Trying to buy new credit on the AllTunes site results in this: “Processing for this site disabled.”

RIAA 2 – Allofmp3 nil. I hope the recent open letter from Steve Jobs, and the even more recent news of EMI dropping DRM on their iTunes catalog will prompt a resolution to this problem. It seems crazy how the music industry, instead of trying to strike a deal with this company, insists it operates illegally, when they are distributing unprotected, DRM-free content on the music CDs you can buy (and rip) in any store.

Chronopay press release: JSC ChronoPay accepts Russian music stores with NP FAIR license only – essentially, it states that the license type under which allofmp3.com operates is no longer valid in their eyes.

Verizon to kill the mobile internet

Not much point to .mobi domains in the realms of Verizon, it seems – the New York Times reports that starting 2007, ads will be placed on sites that are accessed using their mobile phones. The Verizon Wireless release claims that certain types of ads and video clips will not be allowed, as they may not be compatible with the limited browsers found in the phones, but this is not very encouraging – meaning that they will allow video clips. Will this not hugely increase the amount of data used during browsing? I believe Verizon offers all-you-can-eat data plans, but if you are not using one of those, you could feel the pain. In any case, having to wade through a mobile website rendered on a tiny screen is hard enough as it is, with some devices not being able to cope with the amount of processing required, resulting in a very slow and frustrating experience. Add videos, which require much higher resources to be played back, and you have a recipe for disaster.

Why the Apple iPhone may not fail

In an article in The Register, Bill Ray argues that the Apple iPhone will fail, and in fact fail badly. I somewhat doubt his conclusions.

The main argument to support his analysis is that since network operators have to like the phone, Apple has to do a good job convincing them. Remember the ROKR? It was rather a failure due to the fact it could only be loaded with iTunes music over cable, and thus mobile operators were left out of the attractive data charges levied when music is bought directly from the phone. There was even speculation that Apple allowed it to launch on purpose, to protect their audio player market.
Where Bill goes wrong in my opinion is that the handset market is heavily controlled in the US, but not in Europe – go to any shop in the latter and you will have a very large variety of handsets to buy unsubsidized. Why? Because a lot of people value the ability to switch operators as they see fit, without having to enter into contracts involving their soul. In the US, there isn’t a culture of operator hopping, but rather of staying with one just to get a phone $50 or $100 cheaper.

One thing I have never understood is why people get themselves tied into a two year contract for a $50 saving. If they worked out how much they could save by moving operators taking advantage of special offers, they may think twice.

There is a very large number of paths Apple could follow: first, they have a nice distribution network with excellent shops placed in key areas; second, they have a large and loyal crowd of followers, who would probably not mind paying for an unsubsidized device; and third, there are already a number of MVNOs and fixed-line operators that are willing to take a bite from the large networks. As for the subsidy, I wonder… are iPods subsidized by anyone? Apple customers are used to paying for quality, and in my view, the iPhone will be no different.

Divine to offer pay-per-minute WiFi

Techworld.com reports that UK WiFi aggregator Divine Wireless will be offering a new service, which covers some 15,000 hotspots run by BT Openzone, amongst others, charged in minutes rather than hours or days. Thus, a user would pay 8 pence per minute, or 4.80 GBP per hour. This is still very expensive, but the fact that you only pay for the minutes you use will make it very attractive to occasional users, to quickly check email, for example. Will people go for it? Maybe, but only if you really can get connected while waiting for the bus to come, as they claim in their typical scenario.

The problem with WiFi at hotels

The New York Times ran a story two days ago, also picked up by Glenn Fleishman over at WiFi Net News, about how hard it is sometimes to get connected at hotels over their WiFi networks. Some travelers even report a failure rate of 50%, in comparison with 5% in wired connections. Support is usually directed to a hotline run by the hotspot operator, which results in a rather frustrating experience.

I have also seen it all: hotels with WiFi only in the lobby and wired connections in the rooms (Hotel Fox, in Copenhagen), others with very spotty coverage that reached only certain rooms, getting connected to another hotel’s WiFi across the street, then realizing it was free and only asked for a room number and surname, while your own hotel charged you a fortune, and so on.

My best experience was during DEFCON 14 in Las Vegas, where we stayed in the MGM Grand hotel. These guys went over the top, and installed an AP in every single room! It was bolted underneath the table, inside a metal case, and the deprecated Ethernet cable was connected to it. A quick scan revealed that I could only see about 4 or 5 networks from my room, and only two with a half-decent signal, which makes me believe they turned down the power of the APs so as to avoid interference problems.

Wouldn’t it be great if, with falling hardware costs, other hotels would do the same thing? To avoid interference between rooms, apart from channel variations, one could either turn each room into a miniature Faraday cage, or turn down the power of the AP to a minimum.

Allofmp3 to offer videos soon?

This is unconfirmed speculation, based on the observation that when you shop for music at allofmp3.com, you are directed to the music.allofmp3.com subdomain – where I could swear that before they simply used www.allofmp3.com – can anyone confirm or deny this? Maybe we will soon see videos.allofmp3.com or movies.allofmp3.com…

Morse code is dead…not!

Various sources have picked up on the FCC’s announcement that it is removing the requirement of five-words-per-minute Morse code that was required to get an amateur radio license. Boing Boing and Engadget (uggh!) for example talk about the ‘dead’ language, arcane, old and tired. Digital communications, the SMS and the web are here to stay, and replace Morse, right? Maybe not so fast.

When disasters such as Katrina strike, modern digital communication networks fail – and this is a fact. Generators can only give juice to power-hungry cell networks for so many hours, and that is if the generators are working (and have not been stolen!). Usually, in these scenarios, initial status reports, help requests, and coordination attempts come from none other than the amateur radio community, and in many cases, they come in… Morse. When your expensive Motorola phone stops working, a radio ham will build a QRP (low power) transmitter with nothing else but a few capacitors, resistors, and coils, power it off whatever battery he can find (or even a solar cell), and start sending out dashes and dots. The reason for Morse code? It stands out above the noise, and thus makes faint signals much easier to interpret.

Remember the famous SOS, Save Our Souls, dot dot dot, dash dash dash, dot dot dot, ...---..., which was sent out by the Titanic before its final trip to the bottom of the ocean. If you have a radio ham friend, give him a hug, and ask him to please keep proficient in Morse, if only for when the bad times come.

Personally, I think it is right to remove it as a requirement for obtaining a license; knowing Morse will be something to be proud of. A couple of stories related to Morse – in the movie “Enemy of the State”, starring Will Smith and Gene Hackman, the ultra-high-tech surveillance satellite used by the NSA to track its prey is actually seen sending out the letters ‘CQ’ in Morse… these stand for ‘attention airwaves, I have something to say’. Nice touch from a good friend, Steve Uhrig, who sadly passed away a few weeks ago (more on this in a post coming soon) and who was the technical advisor in the movie.

The second story is in the movie “Space Camp”, where I can only remember Lea Thompson, and is about a space shuttle that is launched into orbit with a bunch of kids from Space Camp on board. For some strange reason, the long-range radios hadn’t been installed (uh?), and so one of the kids actually starts sending out Morse to mission control, by flicking a switch on the shuttle that toggles a lamp on some telemetry panel down in Houston.

Engadget is so self-centered

Starting to think about removing Engadget from my gReader subscriptions. Why? It really really annoys me that all the links in their posts are to… themselves! You read some interesting article, and try clicking some of the links, which take you right to other Engadget posts or sections. I consider this to be selfish, self-centered and simply wrong. When you make a living writing stuff about others’ products and services, the very least you could do is drive some traffic towards them.

A perfect example is this post, where they have 8 links in the text, and all of them go right back to Engadget. Even when they mention Skype they link to their own section on Skype. At the end of the post, there is a short, meaningless ‘Read’ link that takes you to the external article. What does Engadget gain from compulsive self-linking? In my opinion, this policy makes the site look like a link farm.
