Arranging free trials for online services.

Discussion in 'Java' started by Roedy Green, Dec 3, 2012.

  1. Roedy Green

    Roedy Green Guest

    I was disturbed when a grammar checking online service wanted my
    credit card before they would even let me see the product. I
    declined.

    Then I started to wonder what such a service could to prevent people
    from getting endless free trials. Software you install can hide
    something in the registry, but what can online software do?

    They have used a credit card number, which presumably they can check
    for validity, and prevent reuse, then issue a login/password for the
    trial period.

    It would be nice if people had unique ids. Perhaps someday everyone
    will get a code-signing cert to use as online ID.

    You could track IP, but a student at a university plugging in anywhere
    to a campus net would get a different IP and many students would get
    the same IP.

    You could run some JWS signed code to snoop on the CPU ID, but that
    can be turned off and AMD chips don't have one.

    Ideas?
    --
    Roedy Green Canadian Mind Products http://mindprod.com
    Students who hire or con others to do their homework are as foolish
    as couch potatoes who hire others to go to the gym for them.
    Roedy Green, Dec 3, 2012
    #1
    1. Advertising

  2. Roedy Green

    Roedy Green Guest

    On Mon, 03 Dec 2012 10:45:47 -0800, Roedy Green
    <> wrote, quoted or indirectly quoted
    someone who said :

    >You could run some JWS signed code to snoop on the CPU ID, but that
    >can be turned off and AMD chips don't have one.


    So long as you were prepared to force some traditional app code or a
    JWS signed code to run before _every_ session you could handle it
    there. However, that destroys the big advantage of using a browser
    based app. No install, no security concerns.
    --
    Roedy Green Canadian Mind Products http://mindprod.com
    Students who hire or con others to do their homework are as foolish
    as couch potatoes who hire others to go to the gym for them.
    Roedy Green, Dec 3, 2012
    #2
    1. Advertising

  3. Roedy Green

    Arne Vajhøj Guest

    On 12/3/2012 1:45 PM, Roedy Green wrote:
    > I was disturbed when a grammar checking online service wanted my
    > credit card before they would even let me see the product. I
    > declined.
    >
    > Then I started to wonder what such a service could to prevent people
    > from getting endless free trials. Software you install can hide
    > something in the registry, but what can online software do?


    Very little.

    You can tie the trial to an email address, but people can create
    dozens of free email addresses, so ...

    > They have used a credit card number, which presumably they can check
    > for validity, and prevent reuse, then issue a login/password for the
    > trial period.


    Credit card mean not really free.

    > It would be nice if people had unique ids. Perhaps someday everyone
    > will get a code-signing cert to use as online ID.


    Some countries has it.

    But it is not something a site can do anything about.

    > You could track IP, but a student at a university plugging in anywhere
    > to a campus net would get a different IP and many students would get
    > the same IP.


    Absolutely hopeless.

    > You could run some JWS signed code to snoop on the CPU ID, but that
    > can be turned off and AMD chips don't have one.


    And it also requires a lot of faith in the site to approve
    that kind of privs.

    Arne
    Arne Vajhøj, Dec 4, 2012
    #3
  4. Roedy Green

    Lew Guest

    Chris Uppal wrote:
    > Another possibility: make the cost to the user of applying for the free trial
    > higher than the benefit of using the service for <whatever> trial days.
    > Similarly, increase the cost to the user of each use of the free trial, which
    > alsoo adjusts the balance in your favour.
    >
    > E.g. Make them solve some difficult capchas (or similar) before they can sign
    > up for the trial, then make them solve yet more captchas each time they log in
    > after the first time (or first very few times).
    >
    > Or make them wait for an inconveniently long time between logging in and
    > actually using the service (except for the first time). Maybe have their
    > browser do some heavy number crunching for you while they're waiting.


    Yeah, because annoying and inconveniencing your potential customers is the
    surest way to convince them that you deserve their money.

    I see why you're not employed in marketing.

    --
    Lew
    Lew, Dec 4, 2012
    #4
  5. Roedy Green

    Roedy Green Guest

    On Tue, 4 Dec 2012 18:31:13 -0000, "Chris Uppal"
    <-THIS.org> wrote, quoted or indirectly
    quoted someone who said :

    >
    >E.g. Make them solve some difficult capchas (or similar) before they can sign
    >up for the trial, then make them solve yet more captchas each time they log in
    >after the first time (or first very few times).


    This is the problem. What is to stop them from presenting themselves
    as a virgin over and over?
    --
    Roedy Green Canadian Mind Products http://mindprod.com
    Students who hire or con others to do their homework are as foolish
    as couch potatoes who hire others to go to the gym for them.
    Roedy Green, Dec 5, 2012
    #5
  6. Roedy Green

    Roedy Green Guest

    On Tue, 04 Dec 2012 16:02:10 +0100, Daniele Futtorovic
    <> wrote, quoted or indirectly
    quoted someone who said :

    >I'm not enthused, to say the least, by your suggestion to fix certain
    >people's business model by an invasion of everyone's privacy -- not to
    >mention the inevitable statist structure which maintaining such a scheme
    >would require.


    I had another idea I sent to Thawte, basically using code signing
    certs as id. You don't put yourself at any financial risk and you
    don't divulge anything of value.

    The service they are trying to protect is in the order of $200 a
    year, well worth some cheating. How can they offer a limited time free
    trial without giving away the farm?

    What is being used now is requiring a credit card number, something I
    find unacceptable. I won't even do that when I buy something. It is
    like handing over pile of blank cheques.
    --
    Roedy Green Canadian Mind Products http://mindprod.com
    Students who hire or con others to do their homework are as foolish
    as couch potatoes who hire others to go to the gym for them.
    Roedy Green, Dec 5, 2012
    #6
  7. Roedy Green

    Lew Guest

    Roedy Green wrote:
    > The service they are trying to protect is in the order of $200 a
    > year, well worth some cheating. How can they offer a limited time free


    Wow. You have a very loose definition of "well worth some cheating". That's
    less than 55₵/day.

    > trial without giving away the farm?


    Where can you buy a farm for 55₵?

    The answer is - just give it away. Require a valid customer ID for support.

    > What is being used now is requiring a credit card number, something I
    > find unacceptable. I won't even do that when I buy something. It is
    > like handing over pile of blank cheques.


    Yeah, that's wrong. They should just give it away.

    It's a great way to make money.

    --
    Lew
    Lew, Dec 5, 2012
    #7
  8. Roedy Green

    Roedy Green Guest

    On Wed, 5 Dec 2012 10:39:35 -0800 (PST), Lew <>
    wrote, quoted or indirectly quoted someone who said :

    >Wow. You have a very loose definition of "well worth some cheating". That's=
    >=20
    >less than 55=E2=82=B5/day.


    I think the hackers are motivated primarily by the challenge, and
    perhaps the notoriety of playing Robin Hood, providing something
    people want but perceive they cannot afford. $200 is sufficient
    motivation, obviously not just for personal use though.

    The Grammarly people are worried enough about it to demand a credit
    card which they acknowledge scares off customers part way through the
    free trial registration.

    There should be out the box solutions to ordinary commerce problems
    like this. I am endlessly astounded by how inept and fraud-friendly
    commerce is, particularly the credit card. see
    http://mindprod.com/jgloss/creditcard.html
    --
    Roedy Green Canadian Mind Products http://mindprod.com
    Students who hire or con others to do their homework are as foolish
    as couch potatoes who hire others to go to the gym for them.
    Roedy Green, Dec 5, 2012
    #8
  9. On 05/12/2012 03:06, Roedy Green allegedly wrote:
    > On Tue, 04 Dec 2012 16:02:10 +0100, Daniele Futtorovic
    > <> wrote, quoted or indirectly
    > quoted someone who said :
    >
    >> I'm not enthused, to say the least, by your suggestion to fix certain
    >> people's business model by an invasion of everyone's privacy -- not to
    >> mention the inevitable statist structure which maintaining such a scheme
    >> would require.

    >
    > I had another idea I sent to Thawte, basically using code signing
    > certs as id. You don't put yourself at any financial risk and you
    > don't divulge anything of value.


    Firstly, what these guys call "code signing certs" are really just certs
    with digital signing usage.

    Secondly, if someone like Thawte did it (i.e., a PKI vendor), I guess I
    would have no problem with it. But this really doesn't work out.

    You go to site XXX, and they say: "you can access resource YYY if you
    show conclusive evidence that you have the private key to a
    Thawte-signed certificate"? So what then -- must I go to Thawte and buy
    a cetificate? Or will the one providing the restricted service be buying
    the cert for me? In other words: who pays?

    And then: how does Thawte determine your identity, and that, regardless
    of who pays for it, they didn't already issue you a signing certificate?
    It's merely shifting the problem. I guess if the provider of the
    restricted service were okay with whatever Thawte's due diligence were
    to be, I wouldn't care. But we both know that given the technology,
    Thawte's due diligence isn't going to be worth much. Or it will cost
    much. And then: who pays?

    The follow-up suggestion at this point is usually that the bloody gov't,
    the pox on all its houses, should issue these certs like it issues IDs,
    and enforce it with its armed thugs. Which would create criminality and
    generally mean a huge burden for everyone. Do you want the internet
    experience to feel like a trip to the DMV? Cause I sure don't. And all
    this to help people, viz. the providers of the restricted services,
    whose service I probably don't even give a rat's arse about.

    So it boils down to what I said: fixing certain people's business model
    by imposing a burden on every one else.

    And there's a much simpler solution that doesn't affect the lives of
    anyone but those who have an interest in the matter: you want the
    service, you pay for it. And if the service provider isn't able to
    provide appetisers for their service, too bad, but it ain't got nothing
    to do with me.

    >
    > The service they are trying to protect is in the order of $200 a
    > year, well worth some cheating. How can they offer a limited time free
    > trial without giving away the farm?
    >
    > What is being used now is requiring a credit card number, something I
    > find unacceptable. I won't even do that when I buy something. It is
    > like handing over pile of blank cheques.


    Which sounds perfectly reasonable. And which, I reckon, is those guys'
    problem.

    And if you have a problem with it, you obviously have chosen that it's
    not a problem that weighs higher than the problem you would have with
    giving our your credit card info. So I'd say just live with your choice.

    --
    DF.
    Daniele Futtorovic, Dec 5, 2012
    #9
  10. On 12/3/2012 12:45 PM, Roedy Green wrote:
    > I was disturbed when a grammar checking online service wanted my
    > credit card before they would even let me see the product. I
    > declined.
    >
    > Then I started to wonder what such a service could to prevent people
    > from getting endless free trials. Software you install can hide
    > something in the registry, but what can online software do?


    Send an email and require the user to reply to it. Email is a pretty
    good unique identifier (few people share email addresses nowadays), and
    some analysis on the replied email message can catch some people who are
    using multiple email addresses to try to subvert the free trial.
    Alternatively, a Facebook account seems an increasingly acceptable
    alternative nowadays...

    > It would be nice if people had unique ids. Perhaps someday everyone
    > will get a code-signing cert to use as online ID.


    We call these online IDs "email addresses." Despite all the constant
    crowing about the death of email, email addresses remain the single most
    common identifier on the internet.

    > You could track IP, but a student at a university plugging in anywhere
    > to a campus net would get a different IP and many students would get
    > the same IP.
    >
    > You could run some JWS signed code to snoop on the CPU ID, but that
    > can be turned off and AMD chips don't have one.


    There are several pieces of data which tend to be consistent over short
    periods of time that you can combine for fingerprinting:

    List of installed fonts
    Number of CPUs
    IP address
    Browser User-Agent
    All other HTTP request headers
    Computer's username
    Computer's local hostname

    Many of these you can get by snooping the request data; the rest can be
    triggered by watchdog plugins (Java applets or Flash objects). If you
    take all of this data and let 1 or 2 pieces change, then you should be
    able to build a sufficiently good unique identifier. The purpose of
    security isn't to make your system unbreakable; it's to make it more
    annoying to break than the person next door.
    --
    Beware of bugs in the above code; I have only proved it correct, not
    tried it. -- Donald E. Knuth
    Joshua Cranmer, Dec 6, 2012
    #10
  11. Roedy Green

    Lew Guest

    Leif Roar Moldskred wrote:
    > Joshua Cranmer wrote:
    >> Send an email and require the user to reply to it. Email is a pretty
    >> good unique identifier (few people share email addresses nowadays), and
    >> some analysis on the replied email message can catch some people who are
    >> using multiple email addresses to try to subvert the free trial.

    >
    > The problem with that approach is services like Mailinator which make
    > it quick and easy (and free) to use throw-away e-mail addresses at the
    > drop of a hat.


    The goal isn't to eliminate all cheating. If your product is so all-fired valuable
    that someone so all-fired enthusiastic is going to the trouble to use throwaway
    email addresses just to avoid 55 cents a day, and it's going to cost you 56 cents
    a day in direct, indirect plus opportunity costs to chase such folks down, why
    bother? Take the 0.3% hit in sales you weren't going to get from such cheap-ass
    bastards anyway and let them be a free mouthpiece to their friends about how
    good your stuff is. Amortize that 55 cents across the thousands of people who
    love your product and are not sleazy little petty thieves.

    You don't need 100%. You only need X% where X is manageable and leaves you
    a profit in both cash and time, and is less than 100.

    --
    Lew
    Lew, Dec 6, 2012
    #11
  12. On Tue, 4 Dec 2012 18:31:13 -0000, "Chris Uppal"
    <-THIS.org> wrote:

    >Roedy Green wrote:
    >
    >> Then I started to wonder what such a service could to prevent people
    >> from getting endless free trials. Software you install can hide
    >> something in the registry, but what can online software do?

    >
    >Another possibility: make the cost to the user of applying for the free trial
    >higher than the benefit of using the service for <whatever> trial days.
    >Similarly, increase the cost to the user of each use of the free trial, which
    >alsoo adjusts the balance in your favour.
    >
    >E.g. Make them solve some difficult capchas (or similar) before they can sign
    >up for the trial, then make them solve yet more captchas each time they log in
    >after the first time (or first very few times).
    >
    >Or make them wait for an inconveniently long time between logging in and
    >actually using the service (except for the first time). Maybe have their
    >browser do some heavy number crunching for you while they're waiting.


    I try a different service and never look back.

    Sincerely,

    Gene Wirchenko
    Gene Wirchenko, Dec 13, 2012
    #12
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Arsalan

    VS studio, Arranging ASP.NET files ?

    Arsalan, Apr 5, 2005, in forum: ASP .Net
    Replies:
    2
    Views:
    346
    TDAVISJR
    Apr 5, 2005
  2. chooser
    Replies:
    0
    Views:
    343
    chooser
    Jun 28, 2006
  3. Kyle Root

    Arranging a dependency tree

    Kyle Root, Aug 12, 2004, in forum: Python
    Replies:
    9
    Views:
    358
    Paul McGuire
    Aug 14, 2004
  4. Mr Seth T

    activex troubles and trials

    Mr Seth T, Jun 26, 2007, in forum: ASP .Net
    Replies:
    0
    Views:
    317
    Mr Seth T
    Jun 26, 2007
  5. kkirtac
    Replies:
    18
    Views:
    569
    Jerry Coffin
    Sep 2, 2007
Loading...

Share This Page