Replies (7)
"Half-Baked" Security
Duane
While Sage clearly need to do something to improve their login security model, the Kashflow approach of placing an https login form on pages that are not protected by an SSL certificate could not be described as "security best practice". You place your users at greater risk of falling prey to "phishing" attacks which are a far more popular and effective means of harvesting user names and passwords than actually trying to intercept clear text passwords when they are being transmitted over the ether.
As for the ICAEW guide to online accounting software, the body of the guide is a balanced and informative piece by a respected author in the field and to call it "half-baked" because you didn't get a free piece promoting your business seems somewhat unwarranted, especially considering we are working in an industry where the products are never finished and so by definition are half-baked. Reading the guide you will see that Kashflow gets equivalent coverage in comparison to both those who contributed to the cost involved in preparation of a product review at the end of the guide and those who elected not to when it was offered.
Given the target audience and the expected shelf life of such a guide compared to typical off-the-page advertising the cost of inclusion was pretty good value and I am sure that Kashflow could have stretched to the amount being asked.
Alan Wright
Director
Accounting Software with Payroll - Online from Liberty Accounts
Passwords in clear text ...... new concept ...... saves hackers
Duane - just picked up on your Sage security posting - what a howler!
There are many ways to deal with SaaS security but having passwords in clear text is not one of them. Perhaps someone should educate Sage on the merits of encryption, cookies, session variables or FormsAuthenticationTickets (.NET) and so on....
Still it should probably be no surprise bearing in mind that L50 has(d?) issues with record locking even after many years in production; try rebooting L50 without shutting down and one used to get all sorts of nonsense about resetting users - great dynamic system locking ....!
Unfortunately Sage really have not understood the basic principles of online systems and a stateless medium; with this in mind they should probably withdraw these products immediately
Of course really the disappointing thing about this, is the influence (damage) Sage will have on the minds of the general public by raising possible doubts about security, especially when every other supplier has done their best to reassure the users
Basically Sage is a marketing company (a very good one) and NOT a technology company, which this episode undoubtedly proves. Furthermore they have left joining the SaaS party so late in the day that they now go head to head with mature established competition
What will be very interesting is how they perform upgrades & future releases for their online products. Releasing an app in one place (server) is a vastly simplified approach, however, the impact of getting it wrong is immediate and far reaching; with Sage's seemingly sloppy procedures this might well be a recipe for disaster and if they get it wrong it could well be their death knell because there will be no lack of free advertising on the subject!!
The message is simple - Sage should stick to what they know - advertising .... and sub-contract out their system development
Hence the "clueless" in my blog title
The 'clueless' in my blog title was for exactly the reasons JC states below. They should have seen that reporting us to Trading Standards just plays into our hands from a publicity perspective.
It probably wasn't a joined-up decision. One part of Sage (legal) was just doing what it does without the involvement of another part (PR/Media Relations).
I do understand why they'd choose not to comment on my post re Trading Standards.
But I think they should now be forced into action regarding the serious security issues in Sage Live now being discussed on AccountingWEB's sister site, UKBF.
As I said there, they're not in a good place. Either they do the right thing and pull the service to get it fixed or they bury their head in the sand and pretend there isn't a problem.
I suspect the latter. They won't even acknowledge the existence of serious security flaws in their SaaS offering because it gives kudos to KashFlow for discovering it.
More concerned with losing face than losing customer data.
You might say that, Duane, but I couldn't possibly comment...
This is perhaps the difference between the old and new media styles, Duane. While I openly admit that your little quip about advertising did provoke me into action, the article merely reports what has been going on. I am not really interested in taking sides, since I've got to deal with both of you on a regular basis.
Good reporting also demands putting allegations directly to the party concerned, which I have done. While Sage let me know that it's not their style to dive into online flame wars, I did suggest to them that the hands-off approach to bloggers and forums put them in an invidious position where assertions, allegations and criticisms went unchallenged. This, of course, plays into the hands of those who want to characterise Sage as slow to react and remote from the latest developments.
If something gets to the point where Sage does respond, it may well involve m'learned friends, which gives people like you the opportunity to call the company a bully.
Not surprisingly, Sage declined to comment on the conundrum it faces here. Sage does a very good job doing what it does, and makes lots of money - and as the market leader it will always be the target for snipers (much like Microsoft). Conflicts like this don't amount to much in the long term - but people like reading and arguing about them, which is what this site is about.
I do find it interesting how media guerrillas like you are able to exploit the available tools to gain publicity and can definitely see that direct interaction like this presents a big challenge for traditional corporate marketing methods.
Here's to open and honest online debate.
John Stokdyk
Technology editor
AccountingWEB.co.uk
Sage - own goal ....
Frankly Sage need to grow up.
These sorts of comparisons are generally taken with a 'pinch of salt' anyway, because nobody in their right mind is going to provide a benchmark that is better than their own.
All Sage have done is highlight an area that most would probably have overlooked, by bringing it into the spotlight, thereby giving credence to the claims and shooting themselves in the foot along the way.
This sort of bad judgement by Sage is an absolute advertising gift to Duane and yet Sage don't seem to have grasped this simple fact. One couldn't have paid for this type of advertising.
Well done guys - a great own goal !!!
So you agree?
Thanks for rising to my "bet you don't publish this" bait.
You say
"But he also made the point that by taking the approach that it has, Sage is in danger of reinforcing the view that the company bullies small businesses"
Are you agreeing with that point?
The blog has only been in existence for a couple of months, but it's certainly been a useful addition to our marketing arsenal.
Make sure you check out the most recent post about Sage's (lack of) security on their Sage Live offering.
(There are non-Sage related posts there too, honest!)
Value in the ICAEW report
While the ICAEW report has come under attack for the way it is funded (fair enough), it has a pretty good 15-page overview of the impact of online accounting on practices.
Well worth a read and free to ICAEW faculty members.
Mark Davies
e-conomic - freedom from evil