Successful software requires more than just good programming.
Double amputee sprinter Oscar Pistorius has finally been given the chance to qualify for the Olympics after the the IAAF’s ban on him competing against ‘able bodied’ sprinters was overturned. Oscar’s achievements in battling against his disabilities and a unsympathetic IAAF is an inspiration to everyone struggling to achieve their personal goals.
I got this email yesterday:
Dear Sir
We received a formal application from a company who is called Meiao Investment Co.,Ltd are applying to register “ oryxdigital” as their domain name and Internet keyword in China and also in Asia on Apr 17 2008. During our auditing procedure we find out that the alleged Meiao Investment Co.,Ltd has no trade mark, brand nor patent even similar to that word. As authorized anti-cybersquatting organization we hereby suspect the alleged Meiao Investment Co.,Ltd to be a domain grabber. Hence we need you confirmation for two things,
First of all, whether this alleged Meiao Investment Co.,Ltd is your business partner or distributor in China.
Secondly, whether you are interested in registering these domains. (The alleged Meiao Investment Co.,Ltd will be entitled to obtain a domain not needed by original trademark owner.)
If you are not in charge of this please transfer this email to appropriate dept.
This is a letter for confirmation. If the mentioned third party is your business partner or distributor in China please DO NOT reply. We will automatically confirm application from your business partner after this audit procedure.
Bst Rgs
chenllychen
Registration Commissioner
Beijing HA ZD Networks Science and Technology Co., Ltd
Tel: +86-10-82772601
Fax: +86-10-82773610
Email:chenlly.chen@ha-zd.com
Http://www.ha-zd.com.cn
Needless to say, it’s yet another scam. The “Meiao Investment Co” (if they even exist) have no interest in my domain. I am guessing the scammer just wants me to pay good money for a worthless .cn domain. Sigh. More details here.
Hopefully somebody Googling “Meiao Investment Co” or “ha-zd.com” will find this post and save themselves a few dollars.
In the 10 months that I have been writing this blog I have pointed the finger at quite a few companies I consider to be giving less than great service. I would like to even that up a bit by recommending svp.co.uk [1]. SVP supply blank CDs, printer paper, printer cartridges and an ever increasing range of computer related consumables and other items at very good prices. Their service has also been consistently good in the several years that I have used them. If you are based in the UK, you should check them out.
[1] I have no financial interest in SVP. I am just a happy customer.
Ripoff: A ripoff (or rip-off) is a bad deal. Usually it refers to an incident in which a person pays too much for something. A ripoff is distinguished from a scam in that a scam involves wrongdoing such as fraud. From Wikipedia.
Digitally signing your software allows you to show that you are the author of the software and that the application hasn’t been tampered with. If your software isn’t signed, Windows displays scary looking warnings when customers download it. So it makes a lot of sense to digitally sign your software if you are distributing it on Windows. So far so good.
Anyone can create their own digital signature, but Windows only ‘trusts’ signatures that have been created by certain third parties. While there are quite a few Microsoft root certificate program members, I am only aware of 3 that sell code signing (’authenticode’) certificates. This is where it starts to get ugly. Here are their published prices per year:
Verisign: $499.00
Thawte: $299.00
Comodo: $119.95
That seems an awful lot considering that all they appear to do is check a document (e.g. a scan of your certificate of incorporation), check your whois record, multiply a couple of large prime numbers and then send you a certificate file. Much of this process is (or should be) automated. No wonder the founder of Thawte could afford to be one of the first space tourists.
Given that authenticode certificates from these three companies are functionally identical[1], as far as I can tell, why the price difference? It seems even more bizarre when you consider that Verisign now own Thawte. If you had the misfortune to sign up for the Microsoft ‘works with Vista’ program you could get a 1-year Verisign code signing certificate for $99. I doubt they were doing this at a loss, so how can they justify selling the exact same certificate for $499? I would guess that at least 99% of customers will never check who issued a certificate, so it can hardly be due to the power of the brand.
So why doesn’t someone just set up their own certificating authority, get approved by Microsoft, and undercut these 3 companies? Because their root certificate wouldn’t be installed on all the millions of PCs currently out there. It would be worthless until the vast majority of PCs had the new root certificate. What a fantastic lock-in!
The good news is that you can buy Comodo certificates for much more reasonable prices from these resellers:
Tucows: $75 [2]
KSoftware: $85 ($75 for ASP members)
Which rather begs the question - if resellers can make a profit at $75, why are Comodo charging $119? Because they can, I suppose. I emailed Verisign, Thawte and Comodo to ask about the disparities in price. I only received a reply from Comodo:
This [difference between their price and the reseller price] is simply due to Retail Vs Wholesale solutions we offer. Our Resellers commit to a specific program which enables discounted prices allowing them to make margins on the product as they see fit. Whether that be reduced prices, or make a cash profit from the sale.
All 3 companies have had major price hikes in the last few years. With so little competition, why wouldn’t they? So what is Microsoft’s role is in all of this? One would have thought that they would want to keep certificate prices low to encourage their wider adoption. I emailed Microsoft’s PR people to ask about pricing and whether they had any financial interest in Verisign. Here is the response:
1) Why does Microsoft “insist” on VeriSign certificates?
Microsoft Windows Quality Labs only recognizes files that are signed with a Verisign Class 3 Certificate of Authority (COA). Windows Quality Labs is evaluating recognizing other COA’s. There is a USD $399 offer for Class 3 COAs for those partners (IHVs, OEMS, ISVs) - who plan to submit solutions for Microsoft certification. More details are available at http://www.verisign.com/code-signing/msft-organizational-certificates/.
2) Does Microsoft have any comment to make on the disparity in price?
VeriSign also offers a USD $99 Organizational ID certificate. This provides authentication for organizations to Microsoft Windows Quality Labs, providing access to various services, such as creating submission IDs for products to undergo Microsoft testing. This certificate is not valid for signing drivers or executable files.
Information pertaining to Microsoft Investments can be located at the MSFT Investor Relations site, under Investments/Acquisitions: http://www.microsoft.com/msft/default.mspx.
Steve Bell, Senior Product Manager - Server Certification Programs, Windows Server
After a bit of surfing I found this page which says that Microsoft invested in Verisign in 1996. I don’t know how much they invested, but it certainly puts things in a rather different light. So Windows authenticode certificates are effectively controlled by just 2 companies, at least one of whom is part-owned by Microsoft[3]. Companies are in business to make profits, but it seems to me that these companies are using their effective monopoly to take advantage of the situation. I only see the situation getting worse as Windows displays ever more scary warnings for unsigned software. Perhaps this is something government regulators should be investigating. Let’s hope that Verisign don’t buy Comodo as well.
[1] Only Verisign certificates are recognised for some of the Microsoft certification programs, for example x64 Vista driver signing.
[2] You need to register with Tucows to login.
[3] Assuming they haven’t sold their Verisign stock. I am not aware that Microsoft owns any Comodo stock. I haven’t been able to find any further details by Googling.
Fraud can be a very big problem for online software vendors. Fraudsters can easily use throwaway email addresses that can’t be traced back to them (e.g. Hotmail) and IP addresses aren’t difficult to hide. Not only does the vendor lose the payment when the fraud is reported, they also often get hit with a chargeback fee. This is pretty outrageous when you think about it - the credit card companies are charging vendors for the fraudulent transactions that they themselves have failed to detect.
Thankfully I have had relatively few fraudulent transactions in the last 3 years of running my own business. However some more mainstream B2C businesses aren’t as lucky. Below are the experiences of one software vendor I have corresponded with [1]. It makes for scary reading. The vendor wishes to remain anonymous for understandable reasons.
I tracked one of our recent chargeback emails to a forum were they had been openly selling stolen credit card information for $2 each. If you do have a popular product that may be prone to chargebacks then it is a small nightmare unless you have a fraud system in place as there are 1000s of credit card info out there with full contact details. There is not a day goes by that we don’t get at least 3 stolen credit card purchase attempts.
We use WorldPay and they have a quick check on cv2 code and if the country, postal address and postcode match. But almost all of these purchases pass the simple fraud checks. You cannot even rely on IP checking as the fraudsters are pretty smart and use proxies, or even hijack PCs to make purchases from the same country the credit card is issued. PayPal is not quite as serious, but we do still receive quite a few hijacked account purchases also.
WorldPay fraud checking is next to useless. Even the ones they warn on are usually legitimate. They have recently released a new backend, but they have made the problem worse as they seem to warn if the IP address isn’t from the same country. The problem with that is we get a lot of sales that don’t match, from military based in different countries. Our whitelist used to let them go through automatically, but now we have to manually capture the payment.
The number of fraudulent purchases changes depending if you make a new release etc or if your software is hard to find an easy crack. It can be from 1% to 15% depending, as you may have a single user trying to hit you on certain days.
We were forced to make our own fraud checking system. At least we had all the information at hand as we make users sign up to our site before making a purchase and we log all activity from a user, but to get that information we had to lose many thousands of pounds in fees. Since implementing our own fraud check (as fraudsters do tend to use amazingly similar criteria each time) we have reduced it to on average 1-2 a week, which are almost impossible to catch.
I think the level of fraud has to do with the type of users we sell software to. They are the sort of people that know exactly where to find cracks/keygens. Our software does have pretty good protection and online activation, so it is not so easy to get an easy “working” crack/keygen for it. We also have large volume sales over the past few years, so we have more information than most developers would see.
The credit card companies can’t really lose, especially with “no card holder signature” sales. Chargebacks cost on average 15 Euros. I have even contacted the likes of PayPal telling them that sales are fraudulent, and quite a lot of times they do not care.
We get to see all our sales, I would hate to think what is happening at these merchant services like Regsoft etc. How many sales are being refused that may be legitimate? I tried paying a programmer once who accepted payments using Regnow from my PayPal account and they refused it. My account was verified and had been in good standing for many years. It wouldn’t have been so bad but the person I was paying did not have a clue it was refused.
So, if you have a successful consumer product that fraudsters might be interested in, be prepared to expend a significant amount of money and effort dealing with online fraud. And don’t expect the payment processors and credit card companies to give you much help. I guess the credit card companies don’t have much incentive to reduce fraud. As long as they can keep pushing the cost of fraud onto the vendors and the fraudsters don’t bring the whole system down, the credit card companies seem quite happy. Why wouldn’t they be?
[1] I have spliced together the contents of several emails and edited it for continuity and brevity.
There are a few certainties in life: death, taxes and harddisk failure. I have no less than 6 failed harddisks sitting here on my desk patiently awaiting their appointment with Mr Lump Hammer. 2 Seagates, 3 Maxtors and 1 Western Digital. This equates to roughly one disk failure per year. Perhaps this is not suprising given that I have about 9 working harddisks at the moment spread across various machines. Given the incredible tolerances to which harddisks are manfactured, perhaps it is a miracle harddisks work at all.
As an analogy, a magnetic head slider flying over a disk surface with a flying height of 25 nm with a relative speed of 20 meters/second is equivalent to an aircraft flying at a physical spacing of 0.2 µm at 900 kilometers/hour. This is what a disk drive experiences during its operation. -Magnetic Storage Systems Beyond 2000, George C. Hadjipanayis from Wikipedia
We all know we need to back-up our data. But it is a chore that often gets forgotten at the most critical periods. Here are my hints for preparing yourself for that inevitable ‘click of death’.
There are lots of applications for backing up individual files. So many in fact, that no-one has any hope of evaluating them all (marketing tip: don’t write another back-up application - really). I also worry that data stored in their various proprietary formats might not be accessible in future due to the vendor going out of business. I find the venerable DOS xcopy adequate for my needs. I run it in a scheduled Windows batch file to automatically synch file changes on to my usb harddrive (i 
every night. Here it is in all its glory:
The exclude.txt file is used to exclude subversion folders and intermediate compiler files:
\.svn\ .obj .ilk .ncb .pdb .bakWhich of the above do I do? Pretty much all of them actually. At least I try, I haven’t yet automated the offsite backup. This may seem rather excessive, but it paid dividends last month when gremlins went on the rampage here in the Oryx Digital office. I had 2 harddrive failures in 2 weeks. The power supply+harddisk+network card on my old XP development machine failed then, while I was in the process of moving everything to my new Vista development machine, one of the RAID-1 disks on the new machine failed.
Things didn’t go quite according to plan though. The new RAID-1 box wouldn’t boot from either harddisk. I have no idea why.
Also the last couple of weekly Acronis image back-ups had failed and I hadn’t done anything about it. I had recent back-ups of all the important data, but I faced a day or more reinstalling all the apps I had installed since the last successful image. It took several hours on the phone to Dell technical support and much crawling around on the floor before I could I get the new RAID-1 box to boot off one harddisk. I was then able to rebuild RAID-1 using the spare harddisk I had on standby for such an eventuality. Nothing was lost, apart from my sense of humour.
Dell offered to replace the defective harddisk under warranty, but I declined on the grounds that there is far too much valuable information on this disk (source code, digital certificate keys, customer details etc) for me to entrust it to any third party. Especially given that Dell reserve the right to refurbish the harddisk and send it to someone else. What if they forgot to wipe it? My experiences with courier companies also haven’t given me great confidence that the disk would reach Dell. And I didn’t want to receive a reburbished disk as a replacement. It just isn’t worth relying on a refurb given how cheap new harddisks are. So the harddisk has joined the back of the growing queue to see Mr Lump Hammer.
The availability of cheap harddisks and cheap bandwidth means that it has never been easier to backup your systems. No more fiddling with mag tapes. Of course it is possible that your harddisk will work perfectly until it becomes obselete, but I think it would be very unwise to assume that this will be the case. Don’t say I didn’t warn you…
Further reading:
What’s your backup strategy? (the prolific and always worth reading Jeff Atwood beats me to the punch)
[1] RAID-1 is built in to some Intel motherboards and is available as a relatively inexpensive extra from Dell. You may have to ask for it though - it wasn’t listed as a standard configuration option when I purchased my Dell Dimension 9200.
[2] Since I wrote this article I installed the latest version of JungleDisk on my Vista box. On the 3 occasions I have tried to use it it hung Vista to the point where I had to I had to cut the power in order to reboot. I have now uninstalled it.
I expect that anyone reading this blog has had hundreds, if not thousands, of emails like this:
NIGERIAN NATIONAL PETROLEUM CORPORATION
CORPORATE HEADQUARTERS,LAGOS
STRICTLY CONFIDENTIAL.
FROM THE DESK OF: DR WALI AHMED .
LAGOS-NIGERIADear Sir/Madam ,
After due deliberation with my colleagues, I decided to forward this proposal. We want a reliable person who could assist us to transfer the sum of Thirty Million United States Dollars (US$30,000,000.00) into his/her account.
..etc
Or
My father (Late) DR EDWARD HOSANNA the former Deputy Minister of Finance under the executive civilian president of Liberia, but was assasinated by the rebels during the civil war and properties destroyed, but I narrowly escaped with some very important documents of (US$7.5M) Seven Point Five Million U.S Dollars deposited by my late father in a high financial company here in Dakar-Senegal under my name as next of kin.
..etc
(picking two at random from my inbox).
Needless to say, it is a scam. Basically, they ask for a sum of money (e.g. to bribe an official) with the promise that you will get a much larger sum once the transaction is complete. But each payment results in a request for a larger payment, until you run out of money. It is often known as the ‘Nigerian 419 scam’, as many of these emails originate from Nigeria and they are an offence under article 419 of the Nigerian criminal code. It is a variant on the spanish prisoner scam, which dates back to the early 1900s. It is hard to believe anyone would fall for this scam, but they do in their thousands. Advance fee fraud (e.g. 419 scams) was estimated to cost at least £275 million in 2005 in the UK alone, with average individual loss to victims over £31,000. Greed and stupidity are indeed a dangerous combination.
So what can we do to hit back? Not a great deal. The governments of poor and corrupt countries probably don’t care that much about gullible and greedy westerners being cheated. In fact, the scam may be in their interests. We can report the scammer’s email to their ISP, in the hope that it will be shut down before they can con anyone. But they can easily get another. We can play along a bit and waste the scammer’s time (perhaps with highly entertaining results). But it wastes our time as well. However another idea occurred to me while listening to a BBC radio report from Nigeria.
Apparently many Nigerians are incredibly superstitious, even the highly educated ones. Rumours of penis stealing witches and killer phone numbers are taken very seriously. So now I occasionally respond to 419 emails with a curse email from a little used email account. My email starts with some impressive looking pig Latin. It then tells them that reading the above has activated a curse and that they will suffer increasingly bad headaches until they renounce their wicked ways. If they are sufficiently superstitious I figure this might be enough to start a headache, which will get worse the more they worry about it. Hopefully they will either find an honest way to make a living or a psychosomatic feedback loop will cause their head to explode like a scene from the film Scanners (warning: very gory). I have no idea if it works - but I think it is worth a try. I haven’t included the text of my email as I don’t want it to appear on Google. Make up your own curse. Be inventive.
