Arranging free trials for online services.
 

I was disturbed when a grammar checking online service wanted my
credit card before they would even let me see the product. I
declined.

Then I started to wonder what such a service could to prevent people
from getting endless free trials. Software you install can hide
something in the registry, but what can online software do?

They have used a credit card number, which presumably they can check
for validity, and prevent reuse, then issue a login/password for the
trial period.

It would be nice if people had unique ids. Perhaps someday everyone
will get a code-signing cert to use as online ID.

You could track IP, but a student at a university plugging in anywhere
to a campus net would get a different IP and many students would get
the same IP.

You could run some JWS signed code to snoop on the CPU ID, but that
can be turned off and AMD chips don't have one.

Ideas?
--
Roedy Green Canadian Mind Products http://mindprod.com
Students who hire or con others to do their homework are as foolish
as couch potatoes who hire others to go to the gym for them.

Re: Arranging free trials for online services.
 

On Mon, 03 Dec 2012 10:45:47 -0800, Roedy Green
<see_website@mindprod.com.invalid> wrote, quoted or indirectly quoted
someone who said :

>You could run some JWS signed code to snoop on the CPU ID, but that
>can be turned off and AMD chips don't have one.

So long as you were prepared to force some traditional app code or a
JWS signed code to run before _every_ session you could handle it
there. However, that destroys the big advantage of using a browser
based app. No install, no security concerns.
--
Roedy Green Canadian Mind Products http://mindprod.com
Students who hire or con others to do their homework are as foolish
as couch potatoes who hire others to go to the gym for them.

Re: Arranging free trials for online services.
 

On 12/3/2012 1:45 PM, Roedy Green wrote:
> I was disturbed when a grammar checking online service wanted my
> credit card before they would even let me see the product. I
> declined.
>
> Then I started to wonder what such a service could to prevent people
> from getting endless free trials. Software you install can hide
> something in the registry, but what can online software do?

Very little.

You can tie the trial to an email address, but people can create
dozens of free email addresses, so ...

> They have used a credit card number, which presumably they can check
> for validity, and prevent reuse, then issue a login/password for the
> trial period.

Credit card mean not really free.

> It would be nice if people had unique ids. Perhaps someday everyone
> will get a code-signing cert to use as online ID.

Some countries has it.

But it is not something a site can do anything about.

> You could track IP, but a student at a university plugging in anywhere
> to a campus net would get a different IP and many students would get
> the same IP.

Absolutely hopeless.

> You could run some JWS signed code to snoop on the CPU ID, but that
> can be turned off and AMD chips don't have one.

And it also requires a lot of faith in the site to approve
that kind of privs.

Arne

Re: Arranging free trials for online services.
 

Chris Uppal wrote:
> Another possibility: make the cost to the user of applying for the free trial
> higher than the benefit of using the service for <whatever> trial days.
> Similarly, increase the cost to the user of each use of the free trial, which
> alsoo adjusts the balance in your favour.
>
> E.g. Make them solve some difficult capchas (or similar) before they can sign
> up for the trial, then make them solve yet more captchas each time they log in
> after the first time (or first very few times).
>
> Or make them wait for an inconveniently long time between logging in and
> actually using the service (except for the first time). Maybe have their
> browser do some heavy number crunching for you while they're waiting.

Yeah, because annoying and inconveniencing your potential customers is the
surest way to convince them that you deserve their money.

I see why you're not employed in marketing.

--
Lew

Re: Arranging free trials for online services.
 

On Tue, 4 Dec 2012 18:31:13 -0000, "Chris Uppal"
<chris.uppal@metagnostic.REMOVE-THIS.org> wrote, quoted or indirectly
quoted someone who said :

>
>E.g. Make them solve some difficult capchas (or similar) before they can sign
>up for the trial, then make them solve yet more captchas each time they log in
>after the first time (or first very few times).

This is the problem. What is to stop them from presenting themselves
as a virgin over and over?
--
Roedy Green Canadian Mind Products http://mindprod.com
Students who hire or con others to do their homework are as foolish
as couch potatoes who hire others to go to the gym for them.

Re: Arranging free trials for online services.
 

On Tue, 04 Dec 2012 16:02:10 +0100, Daniele Futtorovic
<da.futt.news@laposte-dot-net.invalid> wrote, quoted or indirectly
quoted someone who said :

>I'm not enthused, to say the least, by your suggestion to fix certain
>people's business model by an invasion of everyone's privacy -- not to
>mention the inevitable statist structure which maintaining such a scheme
>would require.

I had another idea I sent to Thawte, basically using code signing
certs as id. You don't put yourself at any financial risk and you
don't divulge anything of value.

The service they are trying to protect is in the order of $200 a
year, well worth some cheating. How can they offer a limited time free
trial without giving away the farm?

What is being used now is requiring a credit card number, something I
find unacceptable. I won't even do that when I buy something. It is
like handing over pile of blank cheques.
--
Roedy Green Canadian Mind Products http://mindprod.com
Students who hire or con others to do their homework are as foolish
as couch potatoes who hire others to go to the gym for them.

Re: Arranging free trials for online services.
 

Roedy Green wrote:
> The service they are trying to protect is in the order of $200 a
> year, well worth some cheating. How can they offer a limited time free

Wow. You have a very loose definition of "well worth some cheating". That's
less than 55₵/day.

> trial without giving away the farm?

Where can you buy a farm for 55₵?

The answer is - just give it away. Require a valid customer ID for support.

> What is being used now is requiring a credit card number, something I
> find unacceptable. I won't even do that when I buy something. It is
> like handing over pile of blank cheques.

Yeah, that's wrong. They should just give it away.

It's a great way to make money.

--
Lew

Re: Arranging free trials for online services.
 

On Wed, 5 Dec 2012 10:39:35 -0800 (PST), Lew <lewbloch@gmail.com>
wrote, quoted or indirectly quoted someone who said :

>Wow. You have a very loose definition of "well worth some cheating". That's=
>=20
>less than 55=E2=82=B5/day.

I think the hackers are motivated primarily by the challenge, and
perhaps the notoriety of playing Robin Hood, providing something
people want but perceive they cannot afford. $200 is sufficient
motivation, obviously not just for personal use though.

The Grammarly people are worried enough about it to demand a credit
card which they acknowledge scares off customers part way through the
free trial registration.

There should be out the box solutions to ordinary commerce problems
like this. I am endlessly astounded by how inept and fraud-friendly
commerce is, particularly the credit card. see
http://mindprod.com/jgloss/creditcard.html
--
Roedy Green Canadian Mind Products http://mindprod.com
Students who hire or con others to do their homework are as foolish
as couch potatoes who hire others to go to the gym for them.

Re: Arranging free trials for online services.
 

On 05/12/2012 03:06, Roedy Green allegedly wrote:
> On Tue, 04 Dec 2012 16:02:10 +0100, Daniele Futtorovic
> <da.futt.news@laposte-dot-net.invalid> wrote, quoted or indirectly
> quoted someone who said :
>
>> I'm not enthused, to say the least, by your suggestion to fix certain
>> people's business model by an invasion of everyone's privacy -- not to
>> mention the inevitable statist structure which maintaining such a scheme
>> would require.
>
> I had another idea I sent to Thawte, basically using code signing
> certs as id. You don't put yourself at any financial risk and you
> don't divulge anything of value.

Firstly, what these guys call "code signing certs" are really just certs
with digital signing usage.

Secondly, if someone like Thawte did it (i.e., a PKI vendor), I guess I
would have no problem with it. But this really doesn't work out.

You go to site XXX, and they say: "you can access resource YYY if you
show conclusive evidence that you have the private key to a
Thawte-signed certificate"? So what then -- must I go to Thawte and buy
a cetificate? Or will the one providing the restricted service be buying
the cert for me? In other words: who pays?

And then: how does Thawte determine your identity, and that, regardless
of who pays for it, they didn't already issue you a signing certificate?
It's merely shifting the problem. I guess if the provider of the
restricted service were okay with whatever Thawte's due diligence were
to be, I wouldn't care. But we both know that given the technology,
Thawte's due diligence isn't going to be worth much. Or it will cost
much. And then: who pays?

The follow-up suggestion at this point is usually that the bloody gov't,
the pox on all its houses, should issue these certs like it issues IDs,
and enforce it with its armed thugs. Which would create criminality and
generally mean a huge burden for everyone. Do you want the internet
experience to feel like a trip to the DMV? Cause I sure don't. And all
this to help people, viz. the providers of the restricted services,
whose service I probably don't even give a rat's arse about.

So it boils down to what I said: fixing certain people's business model
by imposing a burden on every one else.

And there's a much simpler solution that doesn't affect the lives of
anyone but those who have an interest in the matter: you want the
service, you pay for it. And if the service provider isn't able to
provide appetisers for their service, too bad, but it ain't got nothing
to do with me.

>
> The service they are trying to protect is in the order of $200 a
> year, well worth some cheating. How can they offer a limited time free
> trial without giving away the farm?
>
> What is being used now is requiring a credit card number, something I
> find unacceptable. I won't even do that when I buy something. It is
> like handing over pile of blank cheques.

Which sounds perfectly reasonable. And which, I reckon, is those guys'
problem.

And if you have a problem with it, you obviously have chosen that it's
not a problem that weighs higher than the problem you would have with
giving our your credit card info. So I'd say just live with your choice.

--
DF.

Re: Arranging free trials for online services.
 

On 12/3/2012 12:45 PM, Roedy Green wrote:
> I was disturbed when a grammar checking online service wanted my
> credit card before they would even let me see the product. I
> declined.
>
> Then I started to wonder what such a service could to prevent people
> from getting endless free trials. Software you install can hide
> something in the registry, but what can online software do?

Send an email and require the user to reply to it. Email is a pretty
good unique identifier (few people share email addresses nowadays), and
some analysis on the replied email message can catch some people who are
using multiple email addresses to try to subvert the free trial.
Alternatively, a Facebook account seems an increasingly acceptable
alternative nowadays...

> It would be nice if people had unique ids. Perhaps someday everyone
> will get a code-signing cert to use as online ID.

We call these online IDs "email addresses." Despite all the constant
crowing about the death of email, email addresses remain the single most
common identifier on the internet.

> You could track IP, but a student at a university plugging in anywhere
> to a campus net would get a different IP and many students would get
> the same IP.
>
> You could run some JWS signed code to snoop on the CPU ID, but that
> can be turned off and AMD chips don't have one.

There are several pieces of data which tend to be consistent over short
periods of time that you can combine for fingerprinting:

List of installed fonts
Number of CPUs
IP address
Browser User-Agent
All other HTTP request headers
Computer's username
Computer's local hostname

Many of these you can get by snooping the request data; the rest can be
triggered by watchdog plugins (Java applets or Flash objects). If you
take all of this data and let 1 or 2 pieces change, then you should be
able to build a sufficiently good unique identifier. The purpose of
security isn't to make your system unbreakable; it's to make it more
annoying to break than the person next door.
--
Beware of bugs in the above code; I have only proved it correct, not
tried it. -- Donald E. Knuth