Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]

Groups > comp.lang.java.programmer > #20074 > unrolled thread

Arranging free trials for online services.

Back to article view | Back to comp.lang.java.programmer

Contents

  Arranging free trials for online services. Roedy Green <see_website@mindprod.com.invalid> - 2012-12-03 10:45 -0800
    Re: Arranging free trials for online services. Roedy Green <see_website@mindprod.com.invalid> - 2012-12-03 10:53 -0800
    Re: Arranging free trials for online services. Leif Roar Moldskred <leifm@dimnakorr.com> - 2012-12-03 14:06 -0600
    Re: Arranging free trials for online services. Arne Vajhøj <arne@vajhoej.dk> - 2012-12-03 22:22 -0500
    Re: Arranging free trials for online services. Daniele Futtorovic <da.futt.news@laposte-dot-net.invalid> - 2012-12-04 16:02 +0100
      Re: Arranging free trials for online services. Roedy Green <see_website@mindprod.com.invalid> - 2012-12-04 18:06 -0800
        Re: Arranging free trials for online services. Lew <lewbloch@gmail.com> - 2012-12-05 10:39 -0800
          Re: Arranging free trials for online services. Roedy Green <see_website@mindprod.com.invalid> - 2012-12-05 14:27 -0800
        Re: Arranging free trials for online services. Daniele Futtorovic <da.futt.news@laposte-dot-net.invalid> - 2012-12-06 00:18 +0100
    Re: Arranging free trials for online services. "Chris Uppal" <chris.uppal@metagnostic.REMOVE-THIS.org> - 2012-12-04 18:31 +0000
      Re: Arranging free trials for online services. Lew <lewbloch@gmail.com> - 2012-12-04 12:59 -0800
      Re: Arranging free trials for online services. Roedy Green <see_website@mindprod.com.invalid> - 2012-12-04 18:02 -0800
        Re: Arranging free trials for online services. "Chris Uppal" <chris.uppal@metagnostic.REMOVE-THIS.org> - 2012-12-15 12:24 +0000
      Re: Arranging free trials for online services. Gene Wirchenko <genew@telus.net> - 2012-12-13 09:01 -0800
    Re: Arranging free trials for online services. Joshua Cranmer <Pidgeot18@verizon.invalid> - 2012-12-06 11:01 -0600
      Re: Arranging free trials for online services. Leif Roar Moldskred <leifm@dimnakorr.com> - 2012-12-06 11:50 -0600
        Re: Arranging free trials for online services. Lew <lewbloch@gmail.com> - 2012-12-06 10:49 -0800

#20074 — Arranging free trials for online services.

I was disturbed when a grammar checking online service wanted my
credit card before they would even let me see the product.  I
declined.

Then I started to wonder what such a service could to prevent people
from getting endless free trials.  Software you install can hide
something in the registry, but what can online software do?

They have used a credit card number, which presumably they can check
for validity, and prevent reuse, then issue a login/password for the
trial period.

It would be nice if people had unique ids.  Perhaps someday everyone
will get a code-signing cert to use as online ID.

You could track IP, but a student at a university plugging in anywhere
to a campus net would get a different IP and many students would get
the same IP.

You could run some JWS signed code to snoop on the CPU ID, but that
can be turned off and AMD chips don't have one.

Ideas?
-- 
Roedy Green Canadian Mind Products http://mindprod.com
Students who hire or con others to do their homework are as foolish 
as couch potatoes who hire others to go to the gym for them. 

[toc] | [next] | [standalone]

#20075

On Mon, 03 Dec 2012 10:45:47 -0800, Roedy Green
<see_website@mindprod.com.invalid> wrote, quoted or indirectly quoted
someone who said :

>You could run some JWS signed code to snoop on the CPU ID, but that
>can be turned off and AMD chips don't have one.

So long as you were prepared to force some traditional app code or a
JWS signed code to run before _every_ session you could handle  it
there. However, that destroys the big advantage of using a browser
based app. No install, no security concerns.
-- 
Roedy Green Canadian Mind Products http://mindprod.com
Students who hire or con others to do their homework are as foolish 
as couch potatoes who hire others to go to the gym for them. 

[toc] | [prev] | [next] | [standalone]

#20078

Roedy Green <see_website@mindprod.com.invalid> wrote:
> 
> It would be nice if people had unique ids.  Perhaps someday everyone
> will get a code-signing cert to use as online ID.
> 
> You could track IP, but a student at a university plugging in anywhere
> to a campus net would get a different IP and many students would get
> the same IP.
> 
> You could run some JWS signed code to snoop on the CPU ID, but that
> can be turned off and AMD chips don't have one.
> 
> Ideas?

Require test users to sign in with a Facebook account (users could
always get around that by creating fake Facebook accounts, but it
appears most people wouldn't go to the bother), or require a
two-factor authentication to log in, with the second factor being an
Android or Iphone app which can uniquely link a given user account to
a particular device.

-- 
Leif Roar Moldskred

[toc] | [prev] | [next] | [standalone]

#20082

On 12/3/2012 1:45 PM, Roedy Green wrote:
> I was disturbed when a grammar checking online service wanted my
> credit card before they would even let me see the product.  I
> declined.
>
> Then I started to wonder what such a service could to prevent people
> from getting endless free trials.  Software you install can hide
> something in the registry, but what can online software do?

Very little.

You can tie the trial to an email address, but people can create
dozens of free email addresses, so ...

> They have used a credit card number, which presumably they can check
> for validity, and prevent reuse, then issue a login/password for the
> trial period.

Credit card mean not really free.

> It would be nice if people had unique ids.  Perhaps someday everyone
> will get a code-signing cert to use as online ID.

Some countries has it.

But it is not something a site can do anything about.

> You could track IP, but a student at a university plugging in anywhere
> to a campus net would get a different IP and many students would get
> the same IP.

Absolutely hopeless.

> You could run some JWS signed code to snoop on the CPU ID, but that
> can be turned off and AMD chips don't have one.

And it also requires a lot of faith in the site to approve
that kind of privs.

Arne

[toc] | [prev] | [next] | [standalone]

#20091

On 03/12/2012 19:45, Roedy Green allegedly wrote:
> I was disturbed when a grammar checking online service wanted my
> credit card before they would even let me see the product.  I
> declined.
> 
> Then I started to wonder what such a service could to prevent people
> from getting endless free trials.  Software you install can hide
> something in the registry, but what can online software do?
> 
> They have used a credit card number, which presumably they can check
> for validity, and prevent reuse, then issue a login/password for the
> trial period.
> 
> It would be nice if people had unique ids.  Perhaps someday everyone
> will get a code-signing cert to use as online ID.
> 
> You could track IP, but a student at a university plugging in anywhere
> to a campus net would get a different IP and many students would get
> the same IP.
> 
> You could run some JWS signed code to snoop on the CPU ID, but that
> can be turned off and AMD chips don't have one.
> 
> Ideas?

I'm not enthused, to say the least, by your suggestion to fix certain
people's business model by an invasion of everyone's privacy -- not to
mention the inevitable statist structure which maintaining such a scheme
would require.

-- 
DF.

[toc] | [prev] | [next] | [standalone]

#20106

On Tue, 04 Dec 2012 16:02:10 +0100, Daniele Futtorovic
<da.futt.news@laposte-dot-net.invalid> wrote, quoted or indirectly
quoted someone who said :

>I'm not enthused, to say the least, by your suggestion to fix certain
>people's business model by an invasion of everyone's privacy -- not to
>mention the inevitable statist structure which maintaining such a scheme
>would require.

I had another idea I sent to Thawte, basically using code signing
certs as id.  You don't put yourself at any financial risk and you
don't divulge anything of value.

The service they are trying to protect is in the  order of $200 a
year, well worth some cheating. How can they offer a limited time free
trial without giving away the farm?

What is being used now is requiring a credit card number, something I
find unacceptable. I won't even do that when I buy something. It is
like handing over  pile of blank cheques.
-- 
Roedy Green Canadian Mind Products http://mindprod.com
Students who hire or con others to do their homework are as foolish 
as couch potatoes who hire others to go to the gym for them. 

[toc] | [prev] | [next] | [standalone]

#20116

Roedy Green wrote:
> The service they are trying to protect is in the  order of $200 a
> year, well worth some cheating. How can they offer a limited time free

Wow. You have a very loose definition of "well worth some cheating". That's 
less than 55₵/day.

> trial without giving away the farm?

Where can you buy a farm for 55₵?

The answer is - just give it away. Require a valid customer ID for support.

> What is being used now is requiring a credit card number, something I
> find unacceptable. I won't even do that when I buy something. It is
> like handing over  pile of blank cheques.

Yeah, that's wrong. They should just give it away.

It's a great way to make money.

-- 
Lew

[toc] | [prev] | [next] | [standalone]

#20118

On Wed, 5 Dec 2012 10:39:35 -0800 (PST), Lew <lewbloch@gmail.com>
wrote, quoted or indirectly quoted someone who said :

>Wow. You have a very loose definition of "well worth some cheating". That's=
>=20
>less than 55=E2=82=B5/day.

I think the hackers are motivated primarily by the challenge, and
perhaps the notoriety of playing Robin Hood, providing something
people want but perceive they cannot afford.  $200 is sufficient
motivation, obviously not just for personal use though.

The Grammarly people are worried enough about it to demand a credit
card which they acknowledge scares off customers part way through the
free trial registration.

There should be out the box solutions to ordinary commerce problems
like this.  I am endlessly astounded by how inept and fraud-friendly
commerce is, particularly the credit card.  see
http://mindprod.com/jgloss/creditcard.html
-- 
Roedy Green Canadian Mind Products http://mindprod.com
Students who hire or con others to do their homework are as foolish 
as couch potatoes who hire others to go to the gym for them. 

[toc] | [prev] | [next] | [standalone]

#20123

On 05/12/2012 03:06, Roedy Green allegedly wrote:
> On Tue, 04 Dec 2012 16:02:10 +0100, Daniele Futtorovic
> <da.futt.news@laposte-dot-net.invalid> wrote, quoted or indirectly
> quoted someone who said :
> 
>> I'm not enthused, to say the least, by your suggestion to fix certain
>> people's business model by an invasion of everyone's privacy -- not to
>> mention the inevitable statist structure which maintaining such a scheme
>> would require.
> 
> I had another idea I sent to Thawte, basically using code signing
> certs as id.  You don't put yourself at any financial risk and you
> don't divulge anything of value.

Firstly, what these guys call "code signing certs" are really just certs
with digital signing usage.

Secondly, if someone like Thawte did it (i.e., a PKI vendor), I guess I
would have no problem with it. But this really doesn't work out.

You go to site XXX, and they say: "you can access resource YYY if you
show conclusive evidence that you have the private key to a
Thawte-signed certificate"? So what then -- must I go to Thawte and buy
a cetificate? Or will the one providing the restricted service be buying
the cert for me? In other words: who pays?

And then: how does Thawte determine your identity, and that, regardless
of who pays for it, they didn't already issue you a signing certificate?
It's merely shifting the problem. I guess if the provider of the
restricted service were okay with whatever Thawte's due diligence were
to be, I wouldn't care. But we both know that given the technology,
Thawte's due diligence isn't going to be worth much. Or it will cost
much. And then: who pays?

The follow-up suggestion at this point is usually that the bloody gov't,
the pox on all its houses, should issue these certs like it issues IDs,
and enforce it with its armed thugs. Which would create criminality and
generally mean a huge burden for everyone. Do you want the internet
experience to feel like a trip to the DMV? Cause I sure don't. And all
this to help people, viz. the providers of the restricted services,
whose service I probably don't even give a rat's arse about.

So it boils down to what I said: fixing certain people's business model
by imposing a burden on every one else.

And there's a much simpler solution that doesn't affect the lives of
anyone but those who have an interest in the matter: you want the
service, you pay for it. And if the service provider isn't able to
provide appetisers for their service, too bad, but it ain't got nothing
to do with me.

> 
> The service they are trying to protect is in the  order of $200 a
> year, well worth some cheating. How can they offer a limited time free
> trial without giving away the farm?
> 
> What is being used now is requiring a credit card number, something I
> find unacceptable. I won't even do that when I buy something. It is
> like handing over  pile of blank cheques.

Which sounds perfectly reasonable. And which, I reckon, is those guys'
problem.

And if you have a problem with it, you obviously have chosen that it's
not a problem that weighs higher than the problem you would have with
giving our your credit card info. So I'd say just live with your choice.

-- 
DF.

[toc] | [prev] | [next] | [standalone]

#20097

Roedy Green wrote:

> Then I started to wonder what such a service could to prevent people
> from getting endless free trials.  Software you install can hide
> something in the registry, but what can online software do?

Another possibility: make the cost to the user of applying for the free trial 
higher than the benefit of using the service for <whatever> trial days. 
Similarly, increase the cost to the user of each use of the free trial, which 
alsoo adjusts the balance in your favour.

E.g. Make them solve some difficult capchas (or similar) before they can sign 
up for the trial, then make them solve yet more captchas each time they log in 
after the first time (or first very few times).

Or make them wait for an inconveniently long time between logging in and 
actually using the service (except for the first time).  Maybe have their 
browser do some heavy number crunching for you while they're waiting.

    -- chris

[toc] | [prev] | [next] | [standalone]

#20101

 Chris Uppal wrote:
> Another possibility: make the cost to the user of applying for the free trial 
> higher than the benefit of using the service for <whatever> trial days. 
> Similarly, increase the cost to the user of each use of the free trial, which 
> alsoo adjusts the balance in your favour.
> 
> E.g. Make them solve some difficult capchas (or similar) before they can sign 
> up for the trial, then make them solve yet more captchas each time they log in 
> after the first time (or first very few times).
> 
> Or make them wait for an inconveniently long time between logging in and 
> actually using the service (except for the first time).  Maybe have their 
> browser do some heavy number crunching for you while they're waiting.

Yeah, because annoying and inconveniencing your potential customers is the 
surest way to convince them that you deserve their money.

I see why you're not employed in marketing.

-- 
Lew

[toc] | [prev] | [next] | [standalone]

#20105

On Tue, 4 Dec 2012 18:31:13 -0000, "Chris Uppal"
<chris.uppal@metagnostic.REMOVE-THIS.org> wrote, quoted or indirectly
quoted someone who said :

>
>E.g. Make them solve some difficult capchas (or similar) before they can sign 
>up for the trial, then make them solve yet more captchas each time they log in 
>after the first time (or first very few times).

This is the problem. What is to stop them from presenting themselves
as a virgin over and over?
-- 
Roedy Green Canadian Mind Products http://mindprod.com
Students who hire or con others to do their homework are as foolish 
as couch potatoes who hire others to go to the gym for them. 

[toc] | [prev] | [next] | [standalone]

#20357

Roedy Green wrote:
> On Tue, 4 Dec 2012 18:31:13 -0000, "Chris Uppal"
> <chris.uppal@metagnostic.REMOVE-THIS.org> wrote, quoted or indirectly
> quoted someone who said :
>
> >
> > E.g. Make them solve some difficult capchas (or similar) before they
> > can sign up for the trial, then make them solve yet more captchas each
> > time they log in after the first time (or first very few times).
>
> This is the problem. What is to stop them from presenting themselves
> as a virgin over and over?

quoting from the post you replied to:

>Another possibility: make the cost to the user of applying for the free trial
>higher than the benefit of using the service for <whatever> trial days.
>Similarly, increase the cost to the user of each use of the free trial, which
>alsoo adjusts the balance in your favour.

    -- chirs 

[toc] | [prev] | [next] | [standalone]

#20293

On Tue, 4 Dec 2012 18:31:13 -0000, "Chris Uppal"
<chris.uppal@metagnostic.REMOVE-THIS.org> wrote:

>Roedy Green wrote:
>
>> Then I started to wonder what such a service could to prevent people
>> from getting endless free trials.  Software you install can hide
>> something in the registry, but what can online software do?
>
>Another possibility: make the cost to the user of applying for the free trial 
>higher than the benefit of using the service for <whatever> trial days. 
>Similarly, increase the cost to the user of each use of the free trial, which 
>alsoo adjusts the balance in your favour.
>
>E.g. Make them solve some difficult capchas (or similar) before they can sign 
>up for the trial, then make them solve yet more captchas each time they log in 
>after the first time (or first very few times).
>
>Or make them wait for an inconveniently long time between logging in and 
>actually using the service (except for the first time).  Maybe have their 
>browser do some heavy number crunching for you while they're waiting.

     I try a different service and never look back.

Sincerely,

Gene Wirchenko

[toc] | [prev] | [next] | [standalone]

#20133

On 12/3/2012 12:45 PM, Roedy Green wrote:
> I was disturbed when a grammar checking online service wanted my
> credit card before they would even let me see the product.  I
> declined.
>
> Then I started to wonder what such a service could to prevent people
> from getting endless free trials.  Software you install can hide
> something in the registry, but what can online software do?

Send an email and require the user to reply to it. Email is a pretty 
good unique identifier (few people share email addresses nowadays), and 
some analysis on the replied email message can catch some people who are 
using multiple email addresses to try to subvert the free trial. 
Alternatively, a Facebook account seems an increasingly acceptable 
alternative nowadays...

> It would be nice if people had unique ids.  Perhaps someday everyone
> will get a code-signing cert to use as online ID.

We call these online IDs "email addresses." Despite all the constant 
crowing about the death of email, email addresses remain the single most 
common identifier on the internet.

> You could track IP, but a student at a university plugging in anywhere
> to a campus net would get a different IP and many students would get
> the same IP.
>
> You could run some JWS signed code to snoop on the CPU ID, but that
> can be turned off and AMD chips don't have one.

There are several pieces of data which tend to be consistent over short 
periods of time that you can combine for fingerprinting:

List of installed fonts
Number of CPUs
IP address
Browser User-Agent
All other HTTP request headers
Computer's username
Computer's local hostname

Many of these you can get by snooping the request data; the rest can be 
triggered by watchdog plugins (Java applets or Flash objects). If you 
take all of this data and let 1 or 2 pieces change, then you should be 
able to build a sufficiently good unique identifier. The purpose of 
security isn't to make your system unbreakable; it's to make it more 
annoying to break than the person next door.
-- 
Beware of bugs in the above code; I have only proved it correct, not 
tried it. -- Donald E. Knuth

[toc] | [prev] | [next] | [standalone]

#20134

Joshua Cranmer <Pidgeot18@verizon.invalid> wrote:
> 
> Send an email and require the user to reply to it. Email is a pretty 
> good unique identifier (few people share email addresses nowadays), and 
> some analysis on the replied email message can catch some people who are 
> using multiple email addresses to try to subvert the free trial. 

The problem with that approach is services like Mailinator which make
it quick and easy (and free) to use throw-away e-mail addresses at the
drop of a hat.

-- 
Leif Roar Moldskred

[toc] | [prev] | [next] | [standalone]

#20135

Leif Roar Moldskred wrote:
> Joshua Cranmer wrote:
>> Send an email and require the user to reply to it. Email is a pretty 
>> good unique identifier (few people share email addresses nowadays), and 
>> some analysis on the replied email message can catch some people who are 
>> using multiple email addresses to try to subvert the free trial. 
> 
> The problem with that approach is services like Mailinator which make
> it quick and easy (and free) to use throw-away e-mail addresses at the
> drop of a hat.

The goal isn't to eliminate all cheating. If your product is so all-fired valuable 
that someone so all-fired enthusiastic is going to the trouble to use throwaway 
email addresses just to avoid 55 cents a day, and it's going to cost you 56 cents 
a day in direct, indirect plus opportunity costs to chase such folks down, why
bother? Take the 0.3% hit in sales you weren't going to get from such cheap-ass
bastards anyway and let them be a free mouthpiece to their friends about how 
good your stuff is. Amortize that 55 cents across the thousands of people who 
love your product and are not sleazy little petty thieves. 

You don't need 100%. You only need X% where X is manageable and leaves you 
a profit in both cash and time, and is less than 100.

-- 
Lew

[toc] | [prev] | [standalone]

Back to top | Article view | comp.lang.java.programmer

csiph-web