Author Topic: Peer Lending Server (New Lending Club Software)  (Read 26229 times)

sociallender

  • Sr. Member
  • ****
  • Posts: 273
Re: Peer Lending Server (New Lending Club Software)
« Reply #15 on: September 06, 2013, 04:49:26 PM »
I will do my best:

I do not and will never collect your password!  I am a legitimate financial LLC and would never jeopardize it with anything illegal.  I have never been to jail, and have no desire to end up in one.

I know these are only words, but hopefully from my history and work at sociallender.blogspot.com and now peerlendingserver.com, you can see that I am not going to jeopardize my work and do anything illegal.

Beyond that, if you are uncomfortable, I won't be offended if you decide against it. 


core

  • Hero Member
  • *****
  • Posts: 1784
  • Your loss is my gain
Re: Peer Lending Server (New Lending Club Software)
« Reply #16 on: September 06, 2013, 05:25:49 PM »
Not to play devil's advocate, but can you somehow convince us that your program doesn't capture the password and forward it elsewhere (outside of my machine)?

It sounds like the pricing will be a time-based license.  If the program needs to "phone home" in order to verify said license, if that communication is encrypted I can think of no way to verify any claims either way.  If the license communication was plaintext then you could just put a sniffer on the thing and verify that it's not sending anything nasty.  Of course that doesn't prevent it from doing so at some point in the future.  It would be best if the app didn't need to talk to the author's server at all and then you could just block everything but LC connections with a software firewall.

sociallender

  • Sr. Member
  • ****
  • Posts: 273
Re: Peer Lending Server (New Lending Club Software)
« Reply #17 on: September 06, 2013, 05:38:07 PM »
My thoughts on future pricing will probably be a flat fee or commission based.  I don't have immediate plans to monetize the software. 

In regards to license verification.  Yes, it would be nice to block all communication other than lending club.   If there was a way to secure the software to prevent un-authorized use,  I would have taken that route.  Unfortunately, in today's day and age, piracy is a prevalent issue. 

Communication for license validation is a simple process.  We simply add a file to a public share.  PLS does an HTTP request to make sure a file exists with the same name as the user.  If it exists, then the user is validated.

For future accounting purposes, for each order, an email is sent with the total dollar amount and software version. 

No other information is collected.




viking

  • Sr. Member
  • ****
  • Posts: 370
Re: Peer Lending Server (New Lending Club Software)
« Reply #18 on: September 06, 2013, 05:39:14 PM »
Quote
Not to play devil's advocate, but can you somehow convince us that your program doesn't capture the password and forward it elsewhere (outside of my machine)?

It sounds like the pricing will be a time-based license.  If the program needs to "phone home" in order to verify said license, if that communication is encrypted I can think of no way to verify any claims either way.  If the license communication was plaintext then you could just put a sniffer on the thing and verify that it's not sending anything nasty.  Of course that doesn't prevent it from doing so at some point in the future.  It would be best if the app didn't need to talk to the author's server at all and then you could just block everything but LC connections with a software firewall.

I was thinking the exact same thing. Maybe the license verification could be made plain text, and thereafter the user could block everything except LC. The program could be running until the license expires. Only need to verify again if logging off/in at a later stage.

viking

  • Sr. Member
  • ****
  • Posts: 370
Re: Peer Lending Server (New Lending Club Software)
« Reply #19 on: September 06, 2013, 05:45:00 PM »
Quote
In regards to license verification.  Yes, it would be nice to block all communication other than lending club.   If there was a way to secure the software to prevent un-authorized use,  I would have taken that route.  Unfortunately, in today's day and age, piracy is a prevalent issue.

Even software that "calls home" can be cracked by those who know how (although it may take more effort)...

core

  • Hero Member
  • *****
  • Posts: 1784
  • Your loss is my gain
Re: Peer Lending Server (New Lending Club Software)
« Reply #20 on: September 06, 2013, 05:56:19 PM »
Quote
Unfortunately, in today's day and age, piracy is a prevalent issue.

Communication for license validation is a simple process.  We simply add a file to a public share.  PLS does an HTTP request to make sure a file exists with the same name as the user.  If it exists, then the user is validated.

Heh you can't comment on piracy and then mention such a simple validation scheme in the same post! ;)  If I were gonna subvert that I'd just hijack the request to that server and return a 200 OK on its behalf.  At least make the thieves learn some assembly.

Quote
Even software that "calls home" can be cracked by those who know how (although it may take more effort)...

True, but when dealing with network applications you have a lot more latitude in how much protection you can throw in there.  With such things it really is possible to make things almost crack proof.  For example in one application I needed protected, in addition to the standard anti piracy stuff, the actual login code (which was very difficult BTW) was run on the server which handed the session tokens back to the client.  The only way it could be cracked is if the pirate wrote half of the code himself and added it to the exe, and once you're at that point why not just finish a new app yourself.  I realize this situation is slightly different but my point is with network stuff there are always ways.  It's different from MS Office or a local game.

Fred

  • Hero Member
  • *****
  • Posts: 1421
Re: Peer Lending Server (New Lending Club Software)
« Reply #21 on: September 06, 2013, 05:56:52 PM »
Have you secured some kind of agreement with LC that they will not block your systems due to heavy demand on LC resources?

In particular, how do we know what happened with IR recently (e.g., http://www.lendacademy.com/forum/index.php?topic=1515.0) will not happen to your site?
« Last Edit: September 06, 2013, 06:11:39 PM by Fred »

sociallender

  • Sr. Member
  • ****
  • Posts: 273
Re: Peer Lending Server (New Lending Club Software)
« Reply #22 on: September 06, 2013, 07:35:23 PM »
Quote
Heh you can't comment on piracy and then mention such a simple validation scheme in the same post! ;)  If I were gonna subvert that I'd just hijack the request to that server and return a 200 OK on its behalf.  At least make the thieves learn some assembly.

Yes, there is always a way if you really want it bad enough.  Just a simple protection scheme for now.  I am hoping there won't be a need for something more sophisticated.

Quote
Have you secured some kind of agreement with LC that they will not block your systems due to heavy demand on LC resources?

I am not sure what happened with IR.  However, PLS is run from your own internet connection.  My servers do not connect to LC on your behalf.  The load generated by PLS is the same as a normal user and is self generated.  Typical scenario would be:

4 times daily: download notes (process on computer locally), create an order and submit.

This is generally the process that many do manually anyway.  I don't see a load/volume issue to warrant blocking traffic.


 

core

  • Hero Member
  • *****
  • Posts: 1784
  • Your loss is my gain
Re: Peer Lending Server (New Lending Club Software)
« Reply #23 on: September 06, 2013, 07:55:11 PM »
Quote
4 times daily: download notes (process on computer locally), create an order and submit.

This is generally the process that many do manually anyway.  I don't see a load/volume issue to warrant blocking traffic.

It only checks once per feeding time?  Naw, certainly it has to keep trying until they show up, right?

At any rate, I'd probably agree that the IR thing has little relevance here, especially since this isn't churning through Folio results.  On the other hand, if something bad does happen and causes an IP block, the user won't even be able to log in with their own browser.  Since Rev hasn't shared the story about how much fuss it was with LC customer support to restore access from his own IP, several users might have to find out the hard way on their own.

viking

  • Sr. Member
  • ****
  • Posts: 370
Re: Peer Lending Server (New Lending Club Software)
« Reply #24 on: September 06, 2013, 08:13:18 PM »
Quote
Heh you can't comment on piracy and then mention such a simple validation scheme in the same post! ;)  If I were gonna subvert that I'd just hijack the request to that server and return a 200 OK on its behalf.  At least make the thieves learn some assembly.

Quote
Yes, there is always a way if you really want it bad enough.  Just a simple protection scheme for now.  I am hoping there won't be a need for something more sophisticated.

If a simple protection scheme is all, then just E-mail them a certificate that is based on their hardware configuration. Then there would be no need to connect anywhere else except LC. For the E-mails regarding purchases, that could simply be generated locally.

sociallender

  • Sr. Member
  • ****
  • Posts: 273
Re: Peer Lending Server (New Lending Club Software)
« Reply #25 on: September 06, 2013, 08:52:12 PM »
Quote
If a simple protection scheme is all, then just E-mail them a certificate that is based on their hardware configuration. Then there would be no need to connect anywhere else except LC. For the E-mails regarding purchases, that could simply be generated locally.

Thanks for the suggestion.  However, hardware based licensing won't work because the application is virtualized.  There is no way to query the underlying hardware for validation (it runs in an isolated environment).  I originally designed PLS to run on a dedicated server, running Linux as a physical appliance.  Virtualizing it allows it to run on top of a host OS as a guest.

I am open to other ideas but I haven't been able to come up with any other method that doesn't require some form of communication. 

I am thinking that perhaps a 3rd party trusted source could verify that all communication generated back to me does not contain a password.  Perhaps, someone familiar with sniffers could run the software for 30+ days and monitor outbound connections from PLS.  This source would verify that only license requests and reporting (order information) is sent.

In the absence of other better ideas, does this sound like an alternative?





core

  • Hero Member
  • *****
  • Posts: 1784
  • Your loss is my gain
Re: Peer Lending Server (New Lending Club Software)
« Reply #26 on: September 06, 2013, 09:11:28 PM »
Quote
I am thinking that perhaps a 3rd party trusted source could verify that all communication generated back to me does not contain a password.  Perhaps, someone familiar with sniffers could run the software for 30+ days and monitor outbound connections from PLS.

It's a start, but after those users give the all-clear there is nothing stopping a malicious author (not saying you) from flipping the switch and sending the passwords.

Quote
This source would verify that only license requests and reporting (order information) is sent.

So you are tracking what people purchase from LC?  If not, what reporting / "order information" are you referring to?

Quote
In the absence of other better ideas

If you wanted to eliminate communication with your server you could just use viking's approach but use the person's email address as the unique key rather than the hardware setup which you cannot access.  It would accomplish the same thing but be slightly more secure from a piracy standpoint and allow usage on say a laptop, etc.  Hash in the expiration date as part of the emailed registration code.

I don't know.  There are some folks who don't want to monkey with keys and just want it to work and won't care what kind of communication is going on behind the scenes.
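
Added example (not part of the thread, not PLS code): the sniffer audit run continuously, checking captured outbound connections against a destination allowlist and a per-day byte budget, which works on metadata even when payloads are encrypted. Assumptions: the log format, the placeholder host `license.example.invalid`, and the 4096-byte budget.

```python
from collections import defaultdict

# Assumed policy: Lending Club plus one license/reporting host.
# license.example.invalid is a placeholder, not a real PLS endpoint.
ALLOWED_SUFFIXES = ("lendingclub.com", "license.example.invalid")
# Assumed daily budget: one license check plus a short order report.
MAX_BYTES_PER_DAY = {"license.example.invalid": 4096}

# Constructed capture summary: date time dest_host dest_port bytes_sent
SAMPLE_LOG = """\
2013-09-05 16:49:30 www.lendingclub.com 443 18230
2013-09-05 16:49:31 license.example.invalid 80 312
2013-09-05 16:49:38 license.example.invalid 25 640
2013-09-06 04:00:02 www.lendingclub.com 443 17544
2013-09-06 04:00:03 license.example.invalid 80 9800
2013-09-06 04:00:04 stats.example.net 443 220
2013-09-06 04:00:05 lendingclub.com.example.net 443 150
"""


def host_allowed(host):
    """Match the whole name or a true subdomain, never a bare substring."""
    return any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES)


def audit(log_text):
    """Return (finding, date, host) tuples for one capture."""
    findings = []
    sent = defaultdict(int)  # (date, host) -> bytes sent that day
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # not a connection record
        date, _time, host, _port, nbytes = parts
        host = host.lower().rstrip(".")
        if not host_allowed(host):
            findings.append(("unexpected-destination", date, host))
            continue
        sent[(date, host)] += int(nbytes)
    # Allowed hosts can still be flagged when they receive more than budgeted.
    for (date, host), total in sorted(sent.items()):
        if total > MAX_BYTES_PER_DAY.get(host, float("inf")):
            findings.append(("volume-over-budget", date, host))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```

Run on every capture rather than once, this keeps reporting after the initial all-clear, so a later change in where or how much the program sends shows up as a new finding.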

sociallender

  • Sr. Member
  • ****
  • Posts: 273
Re: Peer Lending Server (New Lending Club Software)
« Reply #27 on: September 06, 2013, 10:11:13 PM »
Quote
It's a start, but after those users give the all-clear there is nothing stopping a malicious author (not saying you) from flipping the switch and sending the passwords.

Fair enough

Quote
So you are tracking what people purchase from LC?  If not, what reporting / "order information" are you referring to?

Here is a recent order report for my account:

2013-09-05 16:49:33 Lending Club service started (API Enabled)
2013-09-05 16:49:33 LC notes up to date
2013-09-05 16:49:33 Classification and SA models up to date
2013-09-05 16:49:33 Filtered 1 of 32 available loans
2013-09-05 16:49:38 Submit $25.0 note 6955491 ORDER_FULFILLED: $25.0 invested
2013-09-05 16:49:38 Order submitted - Total: $25

Current Version: 3.6

It includes timestamp, note that was added and total, plus version number.   The report is for potential commission billing and record of action for PLS.

Quote
If you wanted to eliminate communication with your server you could just use viking's approach but use the person's email address as the unique key rather than the hardware setup which you cannot access.  It would accomplish the same thing but be slightly more secure from a piracy standpoint and allow usage on say a laptop, etc.  Hash in the expiration date as part of the emailed registration code.

I don't know.  There are some folks who don't want to monkey with keys and just want it to work and won't care what kind of communication is going on behind the scenes.

I was going to use a hashed key initially.  I decided against it primarily because of the need to track transactions for commission billing.  This required communication back to me so I opted for the simple method I have now.  I think the key method makes sense for a flat fee based approach.  No need to communicate back to me for any reason.  I will be considering this going forward. 
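
Added example (not part of the thread, not PLS code): the offline registration code core suggests, keyed to the e-mail address with the expiration date hashed in, so validation needs no connection to the author's server. Assumptions: HMAC-SHA256 as the keyed hash, the code layout, and a constructed demo key; because that key ships inside the client it can be extracted, which an asymmetric signature would avoid.

```python
import base64
import hashlib
import hmac
from datetime import date

# Constructed demo key (assumption). Shipping it in the client is the weak
# point of any symmetric scheme: whoever extracts it can issue codes.
VENDOR_KEY = b"constructed-demo-key-not-a-real-secret"


def _tag(email, expires):
    """Keyed hash over the normalised e-mail address and the expiry date."""
    msg = f"{email.strip().lower()}|{expires.isoformat()}".encode()
    mac = hmac.new(VENDOR_KEY, msg, hashlib.sha256).digest()
    return base64.b32encode(mac[:10]).decode()  # 80 bits -> 16 characters


def issue_code(email, expires):
    """Vendor side: the registration code that gets e-mailed to the user."""
    return f"{expires:%Y%m%d}-{_tag(email, expires)}"


def verify_code(email, code, today):
    """Client side: returns (ok, reason) without any network access."""
    try:
        stamp, tag = code.strip().upper().split("-", 1)
        if len(stamp) != 8:
            raise ValueError("expiry stamp must be YYYYMMDD")
        expires = date(int(stamp[:4]), int(stamp[4:6]), int(stamp[6:8]))
    except ValueError:
        return (False, "malformed")
    # The expiry is part of the hashed message, so editing the date in the
    # code invalidates the tag. Constant-time compare avoids a timing oracle.
    if not hmac.compare_digest(tag.encode(), _tag(email, expires).encode()):
        return (False, "bad-code")
    if today > expires:
        return (False, "expired")
    return (True, "ok")


if __name__ == "__main__":
    code = issue_code("user@example.com", date(2013, 12, 31))
    print(code, verify_code("user@example.com", code, date(2013, 9, 7)))
```

The expiry check trusts the local clock, so a user who sets the date back extends the license; that is the cost of removing the server round trip.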

Fred

  • Hero Member
  • *****
  • Posts: 1421
Re: Peer Lending Server (New Lending Club Software)
« Reply #28 on: September 07, 2013, 03:10:06 PM »
Quote
Check out a brief demo video at:

http://peerlendingserver.com/software/peer-lending-server-videos

SL

SL,

I like your new approach of employing AI and running the program on the user's system.

Having watched the video -- if I make comments -- it seems your pROI (Projected ROI) is on the conservative side.  Although this is a good stance to take in a lot of cases, I do still think there is room for improvement.

Your model makes the following assumptions:

The system automatically downloads lending club’s historical database and performs the following instance manipulations:
Re-labels all late loans over 31 days as charged off
Re-labels all default loans as charged off


In the risk-modeling parlance, you are essentially setting:

Prob( Loss | status=Late31+ ) =  Prob( Loss | status=Default ) = Prob( Loss | status=ChargedOff ) = 1


These numbers are LGD (Loss Given Default --- http://en.wikipedia.org/wiki/Loss_given_default).  LC publishes their numbers here: https://www.lendingclub.com/info/statistics-performance.action (note the caveats).

If you can relax your label from a binary factor to a probabilistic one, I think you'll get more accurate pROI.

sociallender

  • Sr. Member
  • ****
  • Posts: 273
Re: Peer Lending Server (New Lending Club Software)
« Reply #29 on: September 07, 2013, 05:50:49 PM »
Quote
I like your new approach of employing AI and running the program on the user's system.

Thanks Fred.  Glad you like it

Peer lending server uses a different approach than sociallender.blogspot.com.  The classification algorithm for PLS uses only fully paid or charged off loans for learning.  I do not do any relabeling.  The trade-off is that fewer loans are used for classification but slightly better accuracy.  However, classification is not used in projecting the ROI as it can only give binomial classification at time 0.

In regards to the projected ROI, I use survival analysis (Cox proportional hazards) which allows PLS to learn on both mature and non-mature notes (all notes are used for learning which is a big improvement).  For more detailed information, take a look at research on credit score modeling.  This is what allows PLS to make a point in time projection of loan survival.  Standard classification can only be applied at time 0 which is origination.  However, SA models can estimate loan survival at any time X throughout the life of the loan.

Once the survival estimate (up to loan term) is determined, you can use the estimate to discount the remaining principal.  Take a look at how the instantaneous ROI is calculated:

http://peerlendingserver.com/support/faqs/iroi-instant-roi-calculated/

Instead of assuming the remaining principal will be fully paid as in the above instant ROI (iROI) calculation, the remaining principal is discounted by the probability of survival.  The instantaneous ROI is way too optimistic as most experienced investors know that some loans will eventually charge off.  However, the projected ROI gives a more accurate projection based on historical learning.  Essentially, SA has the ability to "loss factor" loans similar to loss factors given by LC with late loans.   

So, the assumptions from my other site are not used in either of the 2 models.  I intend on shutting down the blogspot in the future.  PLS is far superior in its capabilities. 

I will be adding more information to the web site as time permits.  Right now everything is still under construction. 

Thanks for your feedback,
SL