Asked whether customers would lose access to their data
> If they do not wish to upgrade, they can export their data before the cut-off date in September.
…they confirmed that yes, come October customers' data will be toast.
Global accounting giant Sage is facing accusations it mis-sold software after customers bought perpetual licenses for products the vendor now says must move to a subscription model for technical reasons. Earlier this month, The Register revealed Sage was advising customers with small business software Sage 50 Accounts and Sage …
Vendor-independent transferable format… er surprisingly not. It will nicely export to another Sage product… one with a subscription.
Sage were previously selling versions of this software with a perpetual license later than the versions compromised by the TLS issue. These were still available as recently as 2021. There is lots of discussion about the ease of Sage writing a patch for the older software, but it appears that they don’t need to even do that. To avoid disrupting their customers when they turn off support for the old protocols on their license server they simply need to hand customers an upgrade to the later perpetual version. Sage have yet to explain why this is not possible. The response from resellers is simply that “that version is no longer available”.
The customers will complain, but the cost of moving to a new system will keep them buying.
Most new customers will have no idea this happened.
If tricky pricing actually lost a lot of sales the software (and cloud services) industry would look very, very different.
A very small company I temped at used an invoicing software for (surprise) creating invoices for clients. I enquired as to how this software worked and was shown the intricacies of creating an invoice. The system just produced individual invoices. There was no linking of these together or anything sophisticated like that. "Don’t get too into it," comes the next response, "we’re doing away with it." The software company had just thought that monthly licensing was a jolly wheeze. Previously you bought a license and it covered that version with updates/fixes being available for a small fee.
They were moving to Excel instead where they had built a template that did everything the existing software did and more. They told the software firm they were ditching the product and they said quite pointedly it was the switch to a monthly licence that did it.
Ah... Sage. Yep, proprietary licences, export to nothing useful, and in the end could not even get it to generate my basic accounts.... so rebuilt everything in Excel, and ran on that for 4+ years. 10 years later, I pulled the templates out of the mothballs, and now Excel is managing my wife's billing... and accounts!
Clearly there is an ulterior motive, given away by "Providing temporary patches is not the most effective solution in this instance,". If the patches for the on-prem, perpetual licence s/w are temporary, then that is a clear statement that they will no longer be supporting or selling that as a product. After all, any patch they produced would, by definition be permanent since it would be rolled out to any new sales of on-prem, perpetual licenced releases. Except that they won't be doing that.
With so many companies moving to subscription "...as a Service" models, I wonder if one of the incumbents could make a killing by NOT going that route and using that as USP money-saving marketing tool? Or are they ALL stuck in the "short term profits/growth at any cost before moving on to the next company" model, no matter the long term consequences? Have they not learned from the great Chinese outsourcing "problem"? All the eggs in one basket never work out well. That's why the saying exists in the first place.
It's clearly a (very poor) excuse to get some people to move to a subscription model, but you could in theory use a proxy.
Not that I would trust any vendor who claims to be unable to modularly upgrade their connection security stack. What happens if a game ending vulnerability is found in current versions of TLS and you're unable to patch in a replacement?
There is absolutely no reason why TLS could not be lifted to 1.2 on perpetual license products, other than using this as a lever to extort more money from their customers.
This is not like an AV or other cybersecurity service that may require daily updates (with associated ongoing operational costs) - it is a (very rare) change in protocol only.
Shame on Sage!
Not defending them, but I would imagine there are many more updates required to running Sage. Tax rules change relatively frequently, especially if dealing with cross border jurisdictions. On the other hand, none of the private, commercial or sensitive data from an on-prem perpetual licenced install should be leaving the LAN and heading off to Sage central. At most, a licence authentication before receiving the same data updates everyone else is getting.
On the gripping hand, if a licence is "perpetual", why does it need regular and/or frequent authentication in the first place?
In the past I've done IT in businesses that use accounting software - and yes, every year (or sometimes more often) there's an update to reflect tax changes etc.
There is zero technical reason for doing this. It's clearly the Adobe model, where Sage have seen how well Adobe have done by supporting screwing over their customers - and decided (somewhat belatedly) to join in. Not just Adobe, but IIRC they were effectively the first - others have followed suit (I no longer run any MS software on my personal systems).
"Not defending them, but I would imagine there are many more updates required to running Sage"
Surprisingly few actually. VAT rates can be updated by users, what else will change? If you have complex issues relating to goods moving between jurisdictions then you are not a typical Sage 50 customer. The software in question tends to be used by the smaller organisations with straightforward bookkeeping and widget counting stock control needs. The finer points of taxation are considered by their accountants.
It is precisely this stability and lack of need for updates that causes Sage a revenue generation problem with these products. The customer has no driving need to frequently upgrade. You could easily get 5 years out of a Sage 50 accounts product before you might be getting concerned it was getting a bit old compared to your regularly updated OS.
I think it just means perpetual license, but support could end after fifteen years. The license would presumably still activate the product, but you might not get what you wanted from it. I have, for example, perpetual licenses for old versions of software which won't get updates unless I buy new licenses or their upgrade packages, but I can still use the old version. At least until that got updated to "perpetual license until we break it tomorrow".
Clearly you don't work with accountants. Nothing happens fast in that world, especially change...
Also if your audit company uses Sage it's a big wrench/hassle to switch. Sage know this better than anyone.
Still, if you push folks hard enough eventually they will walk away. We have been Autodesk free for a decade now for the same reason.
Don't forget that these are the folks who'll push all sorts of crazy cost-cutting ideas.
Having said that I've mentioned here before the client's accountants who, having been provided with and completed user acceptance testing of a nice Y2K compatible version of their S/W running on brand new H/W insisted on not taking the risk(!) of moving from their old, non-Y2K capable version until they'd finished closing out 1999 in mid-January 2000.
The number of times I've seen "if we do _this_ we get the same/better service for less money" become "we get an utterly inadequate service for much less money, and the PM gets a bonus for saving the company money"...
Worst was the time they nickle-and-dimed down a cloud storage solution to the point we didn't have any backup/rollback service at all. We ended up having to go back entirely to on-premise storage because it turns out we were legally required to have said backups. I still don't entirely understand how that went so badly.
The audit business model depends on having one solution they can apply to every customer they have.
If someone says "we need you to switch to..." they'll lose money trying, so will just prefer you go find another auditor, if they can't persuade you to stay with their platform. Really not flexible at all, and an absolute pain to run into.
Spend the year looking at migrating to a package from some other vendor
That presupposes they haven't all taken the same route.
And, as has already been pointed out, your accountant is ultimately in charge of your fate: if they can't (or won't) easily deal with your data then any potential savings will simply evaporate.
I have had to upgrade a variety of "legacy" software apps to use more secure TLS versions.
Code changes were simple & straightforward.
Testing was more tedious / long winded than code and any associated server changes - cannot just rely on server and client comms working meaning that correct TLS version used as e.g. cannot assume if set server to only use TLS 1.2 or above that this actually happened, so lots of (comms monitoring with wireshark & similar to prove the correct protocol used by examining handshake) and working with QA have to check the whole variety of different possible calls (even though you know from code point of view that TLS version controlled by common code, have to be thorough on tests for QA pass and test everything)
So I'm not really convinced they could not patch the code.
Sure they could patch it if they wanted to but there are later versions they could provide to customers that already have support for TLS1.2 built in. Anything 26.3 and above uses TLS1.2 for licensing. Depending on how old a version a user is upgrading from they might need help importing their data but if they are within a few versions of current then the upgrade process is automatic when you open the old dataset.
Is the connection using the outdated TLS version the connection to the license server or to something else necessary for the functionality?
If it is just the license server I wonder what happens if an expert witness points out to the judge that it would be very easy and secure to just disable the license check.
It would make it an actual perpetual license that keeps working even if the license server is no longer around.
The only risk would be SAGE can no longer use this technical means to stop someone from running the software without a license.
As SAGE still has legal recourse for anyone running its software without a license the court might think that is an acceptable risk.
Especially if they claim they are unable to meet their obligation for the perpetual license they sold in any other way.
Sage’s comment states: "The stability and security of The Transport Layer Security protocol is the core focus, not the age of it.”
In 2017 if Sage did not believe that TLS1.2 at the tender age of 9 years old was mature enough to replace the geriatric TLS1.0 in v24 for licensing purposes (not a process that should involve especially sensitive data being communicated), why in that same version did they use TLS1.2 for other communications?
“We asked why Sage can't update v24 and after to use TLS1.2 to verify software licensing” Wrong question. The question to ask is why v24 is not able to use TLS1.2 to verify software licensing?
Sage 50cloud Accounts v26.2 (published 2020) cannot use a TLS version higher than TLS1.1 (published 2006). That requires TLS1.1 being enabled by the customer something they may not want*. It should have supported both TLS1.2 (published 2008) and TLS1.3 (published 2018).
There should be no need to update it already support TLS1.2. Wonder what Sage have planned to gouge their customers when their license verification requires TLS1.3.
*I know from personal experience having added TLS1.3 to our software about 3 years ago. Due to customer requests for the software to work with only TLS1.3 was enabled.
I have v25 perpetual essentials, it's not the cloud version. I think I have come up with a way to get around the issue as on one of the Sage KBs, it did say that if you installed Sage on a non-internet-connected PC then you are unaffected.
If you go into Sage and look under Tools / Activation, there's a refresh license choice. Don't click on it, just make a visual note.
Go to help, about and under account number, take a note of the number.
Open resource monitor and under network, make a note of all the sage executables that are running off to the internet
disconnect the computer from the internet (eg, unplug the cable / wifi etc)
open regedit and search for the account number. I found it under HKEY_CURRENT_USER\Sage\Line 50. Delete the AccountNumber key (see note later)
with the computer still disconnected, open sage. The 'refresh license' option before is now gone, under help / about the account number is no longer there and so far as I can tell, it thinks it has never been connected and 'might' continue to work after September. I wound the clock forward a month and never had the 3 day warning to reconnect.
Note:- if you reconnect to the internet and open sage, the deleted registry key is replaced and the 'refresh license' reappears. This is to be expected as Sage has run off to the server. I suspect that if this works for you, you then add the deny firewall rules with the path to the Sage executables
The VAT MTD won't work, but that's an easy work around as you export the VAT to a CSV and use bridging software. I did it for the first time last quarter and all worked flawlessly.
But as a standalone Sage, mine's been fine for the last few weeks since I made the above changes. It may not suit everyone or work on network versions or higher versions, but it's here as a suggestion.
I have no clue about Sage software, but reading your reply, it seems you're saying that the only "functionality" of this TLS connection is to validate the users license?
That makes this whole story even worse!
Surely it could be argued that if they are (effectively) taking the licensing server offline, they are breaking the contract made when you purchased the software, and should therefore provide a patch to officially do what your post describes.
If VALVE decided to block steam, or media companies stopped users access to bought music/video/books, (and assuming the company hadn't gone bust) I'd expect a class action lawsuit.
To clarify, either there is an old licensing server that only supports TLS1.0/1.1 that is being turned off or a licensing server with wider capability is having TLS1.0/1.1 disabled - that seems fair enough.
The Sage 50 Accounts software up to version 26.2 is not capable of using TLS1.2 for licence authentication.
At least some versions of the software from around 2017 onwards do use TLS1.2 for other communications - but not the license authentication bit, that is still locked down to older version of TLS, thus the software is dependent on the old protocol being available at the license server.
Other than why perpetually licensed software needed to have the licence frequently checked, the big question here is why, when Sage added support for TLS1.2 to the software, did they not make that apply to all communications.
"...as I couldn't believe they'd get away with borking programs"
At this point they haven't. Sage appear to be doing their best to try to buy off the impacted customers who complain with full or partial refunds and discounts on other products but it's obvious that financially those users who didn't need anything other than the product they already had a license for are going to be worse off long term. The simple fact is that people were sold licenses which they understood to be perpetual, right up to 2019/2020. They have committed business processes to that software, have historic records that they must retain and be able to report on for a number of years for tax and other reasons. Some have committed large amounts of money to integrating other software to integrate with the Sage software. There are also still unanswered questions as to how Sage got into this position which is relevant to their responsibility for fixing it rather than using it as a sales opportunity.
In the EU you are entitled to a no cost fix for a defect in goods at the point of purchase. I had an HP SAN and they wanted a valid support contract to download a software fix, I argued the above and they caved in. Threaten them with court action. Then move away. Sage line 50 is a POS, you will be glad you did.
"In the EU you are entitled to a no cost fix for a defect in goods at the point of purchase."
We were in the EU at the point of purchase, but we are not now, so do we still have that right?
Is that why they waited until 2020 to go down this path?
Same with QB for Windows to QB for Mac. Was told that QB for Mac was not available for UK customers, and that cloud-only was the answer. I abandoned that idea, virtualised a Windows box to run QBW for a while longer, but since then... I'm without a decent macOS accounting solution. It's not ideal really...
We have a work on an old laptop that is perfectly fine. We don't need its updates and it's all safe. Yet the arseholes purposely disabled the activation servers so despite owning a license for it and a valid key, it can no longer be activated. We said "Fuck it, if you want to play that game we'll just use a fucking key gen you arseholes" and so we do. Nothing will ever change unless we all walk, which we won't. It's getting ridiculous now when you can buy a top of the range BMW with heated seats and heated steering wheel. Only to find they don't work unless you pay for the monthly subscription that activates them. AND both are on different subscriptions. So one for the steering wheel, one of the seats.
Had to do the same with some older (old enough such that it was all bought as actual physical boxed copies with install media and, in one case, a hefty printed manual) software I still use from time to time. It all still works just fine, does what I need it to do, and so far I've not felt any need to spend more money on obtaining the later versions with fancy new features I don't particularly want/need, wrapped in fancy new UIs that I definitely don't particularly want/need. I just want to be able to keep using the stuff I've already bought and spent countless hours gaining experience in, allowing me to use it effectively for the work I want to do. Hardly an unreasonable ask from an end user perspective, though I can see why some less ethical companies aren't quite so keen to just play nice and let users continue to use older versions indefinitely when they've got the ability to, oops, sorry, turn off activation/licence verification/etc systems and force users into upgrading whether they like it or not...
IMO, any company selling software with eternal/perpetual/lifetime/etc licences, but which also requires any form of online checks as part of the install process or at any point thereafter, should be required to provide an official means of removing said checks as soon as the software is no longer being supported - it shouldn't be left to end users to either just meekly go and buy a newer copy of the same thing, or take a risk with finding an unofficial hack which doesn't also introduce a bunch of crap onto their system.
Mind you, so far my experiences with activation workarounds has been rather more positive than my experiences with some legit bits of software, when it comes to shoving unwanted crap onto my systems, so sometimes it's hard to tell who the bad actors truly are when it comes to interfering with your ability to use your system properly.
And finding out who the bad actors are becomes more blurred if you've been into the cracking scene for years. Not as a cracker but someone who uses the key gens etc. Because you know all the key gens are fine and safe, yet every arsehole AV software flags them as being infected when they are not.
"Let's band together and flag any key gen software as being infected. That way we can "fight piracy" by lying to our user base. Fuck em they were gonna use a key gen. Yes I know they are only using it as we turned the activation servers off now & yes I know we're not losing money as it's software we no longer make, but fuck them, we demand their money"
Ah yes, AV software, there's a whole other barrel of laughs awaiting a discussion. When you're pushing a product which its users need to have implicit trust in, then making it deliberately give wrong answers is foolish, because as we know all too well, users tend to have a limited tolerance for having to carefully read alert prompts before they just become conditioned into clicking "Continue", "Accept" etc., so if they get that conditioning through running stuff they *know* is good, then the chances of them letting something genuinely dodgy through goes up...
Many years ago (getting on for 25) the book-keeper at a small business I did some work for asked if I could help him move his Sage accounts onto a new PC, as his current one had developed a fault and needed replacing. I took a look and even spoke to the Sage Helpdesk - and reckoned the time it would take to switch (and the cost that Sage wanted to make the switch) was likely to be more than going to a new accounting package. TBH, I reckoned he could have run those accounts on a spreadsheet, they were so straightforward (but the MD had come from a much bigger company wanted a "proper" package with full audit trails). I declined to get involved as I knew it wouldn't be straightforward and it wouldn't be worth the hassle I'd get; in the end, they forked out to Sage...
Sage, it’s the most awful pos I’ve ever had the pleasure to install for people.
Meant to be targeted at small business but Server Essentials isn’t supported.
Constant issues when changing printers, never got the cloud part working satisfactorily and when it worked the cloud part went down and broke it all again.
Stuck on v24 due to other issues and only managed to get to that due to the digital tax thing.
This and other recent stories have convinced them that it’s the end, paying a fortune a month for antiquated software etc.
They have just subscribed to Xero and tasked the accountants to start the transfer, good timing Sage and bye bye
Intuit forced all perpetual license owners of QuickBooks Desktop (the PC application as opposed to the cloudy app, QuickBooks Online) onto a subscription basis when HMRC demanded we file VAT directly from our accounts package (Making Tax Digital) a couple of years ago. We still have the data on our in-house servers despite paying monthly for the right to use the program.
Now QuickBooks have announced that QuickBooks Desktop is being discontinued and after February 2023 we won't even be able to access our own data going back 25 years. The export options are raw ledger information, impossible to interrogate or unwieldy PDF reports with truncated descriptions.
We have been begging Intuit to free the program into a read-only perpetual license without support but they have outright refused this, even if we offer to pay for it on an ongoing basis. "Move to QuickBooks Online" they say. QuickBooks Online is missing many of the features of Desktop. I won't be moving to QBO I can assure you.
"Sage" and "up to date software" are mutually exclusive terms.
The Sage 50 Cloud product is horrible and nothing more than Internet SneakerNet, and there are programming bugs they haven't patched in a decade or more.
Everybody wants that sweet, sweet recurring subscription cash. That's how they're managing to eat the entire accounting industry.
I'm waiting for someone to opensource a good accounting package that will kill Sage dead.