Currently because the volume of bogus support requests is so enourmously high, and the fraud attempts also very high - the cost to properly do something like handle account lockout requests properly (on the scale of billions of users) would be EXTREMELY high.

Google is actually pretty clear for consumer accounts, if you lock yourself out your content is lost and they suggest setting up a new account.

Cell phone companies do handle this, you can do things like sim swaps etc with a real person - but you are usually paying $50 - $100 per MONTH with them. And even there plenty of folks have complained of having 2FA codes stolen as a result of this convenience.

If they could charge $50 or $100 to provide paid support (a situation that is actually very COMMON at the enterprise level) for at least some people this will be worth doing. Then the business case is there to staff / resource etc the fix.

Currently, with youtube / gmail etc, the revenue per user is so low it will NEVER make economic sense to have humans dealing with an account.

But keep on banning paid support and you'll keep on getting no support.

The security they can deploy (apple pay seems pretty good now as long as card onboarding isn't broken) seems like they could drive down to basically low interchange?

So you can spin up in a few seconds, scale, stop and even invest in the platform without worrying too much. Also - they don't seem to discontinue services that quickly, again, doesn't feel like you will be screwed.

I just had a call TODAY with a vendor, the price could be as low as $30/unit or $120/unit - that's a near 4x delta from sure to hell no for our use case. Sales guy needs to go talk to their manager to see if they can get us the lower pricing. And who knows if next year (it's annual) we'll again get their "manager" to sign off on the lower pricing.

Something about enterprise sales folks thinking is very short term. No price transparency - maybe we can qualify and squeeze them for more per unit. Or maybe get them in low and squeeze them on renewal once they've invested. The overhead of dealing with them is so high too. Show me actual product screens (not talking heads and bullet points). By the time you get to the demo you have wasted a week of your life.

So big thumbs up to AWS here. You can see baseline pricing up to huge traffic. You can see savings plans discounts up to large amounts etc.

AWS gets this right (even though invoice is high level). You get something that can be quickly forwarded down / up and around and end up in the AP system / accounting system etc in good shape (ie, vs a 6 page PDF of an email chain). They just care that third party invoice is there in good shape with approval by whoever owns the expense line its hitting.

For a while I had individual insurance (prior to obamacare). Because it had pretty high deductibles, I would just do a private pay / cash doctor for primary care etc.

Some big wins:

NO discussion about whether something was covered or not! You want to get service, just call.

No crazy surprise bills - yes - I once tried to go to urgent care for something at the main hospital, but NO ONE would tell me what I would be charged as a cash pay client. Yes, it can be expensive to do cash pay, but with a doctor billing by the time you can basically predict / know your cost.

Service - you are paying by the hour. I never felt pressured out the door (no surprise). The service is good to great.

Convenience - I got someone close who used his downstairs as his office. Have a problem, go in and get checked out. Because you don't need the huge billing infrastructure I think you can get away with smaller office sizes. To pay for a full time biller you need a few doctors, who then need a receptionist etc etc.

This guy was a grade A jerk too - if he doesn't do time then white collar crime is going to be even more unfairly under-enforced.

Google does this well. Yubico Security Key + they seem to monitor my logins / rate limits etc.

I deal as do many folks with relatively to extremely sensitive info (yes, also have stuff on auto-delete).

Complex passwords require a password manager - if those get updated and rooted then my yubico seems to save me again.

In fact, with yubico I have a few passwords I memorized that aren't TOO crazy long - with a 2FA hardware key you may be able to SIMPLIFY passwords and still have good security.

And the yubico is EASY! Clip it to your keychain and go.

Getting INTO stores is hard. The store can dump product back onto you - so they have no risk. The price on shelf has NOTHING to do with what you get, if you are small you are already going through some intermediaries. Ie, person making product, packing, shipping to distributor (some make you pay cost to get it to them), then distribution costs then retailer markups then return handling yadda yadda. THEN retailers will ask you to run promos and give them discounts or they will drop you.

3%? EVERYONE would pay that. In retail I'd say person making product gets maybe 20%? 80% is taken by others?

Other business obviously have MUCH higher refund rates (sneaky autobill businesses etc). For these loosing 5% on the refunds matters if they have a lot of refunds, so they'll be very tempted by no costs if you autobill and get caught. They'll just autorenew everyone, autosign up and then be VERY good about refunds to avoid chargebacks. Even if just 30% of customers don't catch a few months you end up with real money.

Of course, CUSTOMERS may hate these players, but stripe I guess is focused on what works for the businesses generating lots of refunds.

Ie, if you are paying for google apps, have credit card on file, meet their rate limiting rules for outbound with SPF / Dkim etc then you are probably OK. Some random IP doing direct mail? Much less likely to be OK.

Given govt has done such a bad job in this space, these big corps are essentially picking up the slack / trust that you'd normally say govt was responsible for. Gives them a metric ton of power, and they don't tax so have no money to provide any corresponding service.

I've got no problem with their operation, but YOU are going down a VERY dangerous and slippery slope by saying I can't block domains that clearly host trash because they might host something else.

On my network I can block child porn, malware sites, scam sites and even entertainment sites like youtube. If you are running a service that mixes the content together, then you may be blocked by folks (like me) who don't have time to chase down every (free) subdomain you allow scammers to create.

That is my right. Period. Full stop. That is not censorship.

Folks here get censorship confused. The govt does virtually nothing to stop these scam sites - so they are certainly not being censored. I'm fine if govt does nothing, as long as communities of people can block these places.

And yes, if you run a site on the internet and don't make it slightly difficult for scammers to use your site to host crap, then other folks in the neighborhood will move the heck away from you.

These scam sites are like that - do you really think you can make $30,000 a week working 30 minutes a day from your home computer if you just send these idiot $25?

Google and Apple can at least plausibly infrastructure an anonymized data collection service and control access to it reasonably.

- You probably should worry more about the per user per connection logs your "loggless" VPN provider keeps in crappy open to the world datastores.

- The data sniffing and tracking your own ISP is doing.

- The uninstallable malware / bloatware etc that comes on huge number of phones built by third parties (ie, not google or apple).

Whenever I sign up for a "free" service (like google analytics or its equivalent for android) I am under almost no illusion that google isn't also using that data to help track users access the web target them, figure out what ads to show on my site (if I let them) etc etc.

And yes, we will find out that facebook tracks the URLs of sites people share on their platform and "snoopes" on that to figure out popularity trends. And twitter will watch tweet metrics related to their competitors. I wonder if we will get some headlines over those issues.

Finally, some folks come up with weird threat models - google is out to get me and now they can. Heads up, google could get you before this as well if they cared to. Can you imagine a govt having google's power. That would be a near dictatorship!

Some mail delivery systems start to notice that your domain name is being used as part of a lot of spam / bogus emails, so you can have perfect IP history / no spam and STILL start triggering some random filters (no big players but smaller protection product filters).

So the game must be absolutely never ending for everyone and the inbox a valuable target - especially now that unsolicited phone calls really do seem to get ignored these days - I feel like spammers killed the golden goose on phone calls and the telcos let them.

I will say DKIM / DMARC is working well, except google (which we now use for outbound) gives us transient SPF errors even though we are 100% using their IPs. Not sure why that is (ie, SPF failure on an IP that should clear)

How are they trawling through all our buckets and databases without codepaths for access?

Again, they aren't talking about amazon data (ie, billing, support inquiries etc). They are talking about customer production data.

Before going into our AWS production S3 buckets, looking at our databases for customer lists AWS seems to be pretty careful to get an OK.

Now we are being told that production customer data was normal to trawl? How in the HELL are they passing all their certs with all production data so wide open. I do customer managed keys - I mean, this is a HUGE backdoor.

Either Amazon is lying about AWS security (and has fooled a bunch of others) or routinely trawling AWS customer production workloads for data is a false statement.

Car thefts as well, I lived in a tough neighborhood, same guys checking cars all the time. If these guys were around just roll down windows and leave car unlocked. Still had my car stolen which was annoying.