Whats the point?

Whats the worst you could lose....a few gigs of b/w?

The cost of bandwidth lost can't even come close to the cost of a chargeback.

You've got to agree with me on that point bro.

Generally speaking, Frog's AMS will only be invoked by
the valid member after Frog detects password abuse and
changes the password. The webmaster can track how
many times AMS was invoked for each member. If a member
is suspected of sharing passes, usually, a gentle email to
the member (along with the data that shows proof of abuse)
is enough to change the member's behavior. It is best not
to accuse a member of cheating.

This is based upon the collective experience of our clients.

With Frog you don't have to sacrifice bandwith loss or
member satisfaction. You can have it both ways!

24/7 Access for your members thru Frog's AMS keeps
them happy and more likely to extend their subscription

Frog's High-Resolution Geo-IP Tracking will detect abuse
before any other system helping you keep control of
your bandwidth abuse.

Here's another Frog client testimonial to illustrate my point:

Within the first couple of days a new client sent us this
comment: (see http://phantomfrog.com/Testimonials.html)

"Normally at the 17th hour one of our servers would be over 40 gigs ...
Last run: Total Daily Bandwidth: 25gigs

And our Gordon Server would also be over 40 gigs ...
Last run: Total Daily Bandwidth: 19 gigs

So, Frog helps your bottom line in so many ways including
bandwidth savings / less charge-backs / less webmaster
time consumed with pass management

if a pass is suspended more then say 2-3 times in a 24 hour period, you know they are giving the password out. Also what's to stop them from running a simple script to grab the new password from email and posting it automatically to the site/group etc.

I was just curious if it had that option, sure bandwidth is very cheap now days, but it doesn't mean you want to give out the pass 20 times in a day or 2. Odds are if you are doing that, they used a stolen cc and you will get a chargeback anyway.

you could lose your entire members area, ripped & spread on the trading forums for everyone to view for FREE

:upsidedow

You get notified of violations.... So if you notice someone is abusing it, then cut them off.
I'd put money on the fact that its less time to notice someone is abusing it and manually kill the pass then it is to reissue blocked pass's for ligit members all the time.

I also think you are giving these people too much credit, I really doubt they would take the time to write something to bypass, they would post it on some forum, get emailed, repost it a couple times maybe, and then say fuck it and move on to the next site. I mean thats providing they even check the email they used again in the first place.

you obviously don't run a large program, that shit happens anyways, no matter what

all you can do is put a b/w limit on your users to stop that...& once again, it might be someone who just wants to watch movies non-stop for an entire weekend, so you cut him off & bam...chargeback

systems should re-issue passwords to the persons e-mail that signed up when compromised, then it should be up to the webmaster to manually kill the account if they see it being abused

an account should NEVER be completely shut off automatically, its just a bad idea.........

The [Enter] key. Sometimes lines get way too long to read comfortably
on some boards, so I'm in the habit of using the [Enter] key to end lines.

No, that's not what I mean. Well, that's a small part of it.
Just using random passesthey can and often are ripped just the same as
if the user chooses them, which is why Frog has to issue new passwords,
because the original passwords aren't secure. There is more that we
do to make sure that crackers can't get the passwords, unless of course
the member gives it out.

All it takes is one line in his .procmail file and then the server side include
in the page keeps it updated. I don't have to PICTURE this happening, I SEE
it all day long in the wild.


Generally one or two, but with a certain feature that I can't publicly discuss that
makes it tend much more toward one than in the case of Frog, for example.
This feature that I don't care to tell the Frog guys about tends to make Strongbox
less likely to block the one valid user and more likely to discourage a single
friend sharing it.
Truthfully, though, there isn't much difference here between the modern systems,
basically Strongbox and Frog, nor can there ever be. Contrary to Frog's marketing hype, the graphs of real world trading statistics we've previously
posted show that when passwords are shared they almost always spread
around to many people very quickly. If it's not immediately posted, a friend
gives it to another friend, who gives it to three more friends, and within hours
30 people are trying to use it. So either modern system will stop it within a
couple of hours. Strongbox will tend to have lower bandwidth usage during that
short time before it's blocked, but either system will stop it quickly.
Strongbox wil have fewer false positives - legitimate users blocked because
they get an IP that was at one time assigned to an ISP headquarted far away.


That is NOT correct. Several people use Strongbox with a similar zip set type
site, and at a reasonable price. Strongbox is not priced per protected area,
but per site.

Very rarely is the IP also blocked if a username is blocked. It's usually one or the other. If it's the IP that gets blocked, you should re-enable the IP. You can also set usernames specifically to never get blocked.

but the issue is you (the webmaster) can't manually over-ride the strongbox block, and its very frustrating (and costly) when paying members can't get into the site because they've logged in/out too many times in a day

maybe not a large program, but a VERY popular site with many thousands of members - i think i'm well qualified to speak on this :)

putting a b/w limit on your users HELPS stop ripping, but if you have a pass being shared it also helps stop it

if you have a password being used during the same time frame, from different locations, its OBVIOUS its being shared. a b/w limit isnt needed in that case - a password re-issue & even a temporary "block" is necessary at that time



anyway, we're both agreeing to the same thing, that re-issuing passwords is good

:thumbsup

So your saying random alphanumeric with special charactors is LESS secure then the passwords that strongbox uses for preventing brut force attacks from getting a successfull user/pass....
Maybe its just me, but RANDOM alphanumeric with special charactors is about as secure a password as you can create.
Or are you just talking about that picture that members have to enter, the one that every member hates have to fill in to get into the site?

Seems to me most of the big password sharing sites are forums, I dont know of many forums that alow php tags in posts.
And even then I would be surprised if you got one user a week that would do this and require you to manually dissable his account. That seems a whole lot less work then having to deal with users every single day all the time.

I have only heard of one person using strongbox with zips, and how they got it working is well interesting I guess you would call it. Everyone else says not to even try using strongbox for zips.

"Avoid strongbox like the plague. If you get a big brute force attempt it will crash your server."
From a Server admin...

"All I can say if is that if you use CCBILL and want to sell zip sets you cannot use Strongbox......

Thats why i switched."
From serveral people.


If this stuff isnt true you should make sure people know about it, because it seems people dont.

Clarification about AMS
 

Just to add a little more clarification regarding the
sequence of events and operation of Frog's
AMS for replacing blocked passes automatically
and directly to valid members.

When Frog detects password abuse the password is
changed but NOT emailed. Only when the valid member
returns (could be days or weeks) is the password
emailed --- after the member validates himself.

Both events trigger a notification to webmaster. If a
webmaster sees to much activity, he can take the
appropriate action. Usually a simple, polite email to
the member--along with Frog's proof of abuse copy/pasted
into the email--is sufficient to stop the behavior. The
webmaster almost never has to take further action.

No, what I said was that how the passwords are chosen is just one small part
of keeping them secure. Randomly generated passwords are worthless if they
are posted everywhere. There are other important considerations to making sure
that the bad guys don't get the passwords in the first place. To my knowledge,
none of the other "password trading protection" like systems addresses that
at all, except of course for brute force attacks. They just try to detect
compromised passwords after the fact. If you've ever had your entire
password list posted you know that while detecting it is good, preventing it in
the first place would have been a whole lot better.

jeffrey, you sure do spend a lot of time attacking Strongbox, mostly posting
total BS that's not anything like the truth, which I guess means you've probably
never even seen Strongbox. Do you work for proxypass or did one of us
piss you off in a previous life?