* Posts by MJ71

17 publicly visible posts • joined 20 Jul 2022

Sage accused of strong-arming customers into subscriptions

MJ71

Re: Sage have started blocking people today, but not because of TLS

It's all about maximising the sales opportunity. If Sage turn off everyone at the same time their sales team / customer service will be bombarded by lots of very cross people, many of whom will have been in discussion with Sage previously and already made it clear that they do not wish to pay a substantial monthly fee to continue to use the facilities that they previously bought a perpetual licence for.

Switching off a few at a time is quite clever in one sense because it gives Sage time to focus on a few opportunities each day without blocking the whole sales department.

It also seems like a blatant abuse of their position given that they are potentially causing those users substantial stress and costly disruption. I assume from your post that they were not able to swiftly restore your licence to the system?

However tenuous as an excuse to sell subscriptions, the whole obsolete TLS excuse as a reason for turning off the old licence server does have some seed of truth because those TLS standards are indeed obsolete. Sage had said all along that they want to turn off the old systems that are insecure. Based on what they have said to you today, they are intentionally disabling licences though – that’s very different. They can’t argue that disabling the license is resolving the security vulnerability because the server is still on and it’s still talking to the client’s system.

There have been suggestions previously that the number of remaining perpetual licence users was so small as to not be relevant to Sage in terms of risk or loss. This strategy could suggest that there are still a reasonable number out there.

Keep hold of any evidence. Perhaps things will fall into place for a collective legal action.

MJ71

It does not surprise me that you have had no response from them, they are either very confident of their position or have just made a decision that for the small number of businesses who will actually find time to make a claim against them, the risk of losing and having to pay out is a small price to pay if they succeed in bullying the majority into a subscription.

Their initial response to enquiries from customers with impacted versions is to quote them on moving to a subscription. If you don’t roll over then the next steps are free initial periods sometimes combined with offers of refunding the perpetual license you already have. Clearly you won’t be needing that any more, you have your shiny new subscription version, the cost of which one assumes will rise at least by inflation every year, for as long as you need to use it.

If you make clear that you do not feel inclined to part with more money and would prefer to continue to use the perpetual license that you already paid for, and thought being described “perpetual” would work for as long as you had a compatible OS to run it on, they lose interest. It’s all about sales… moving people to subscription and making Sage shareholders happy.

TheRegister might not appreciate me cross referencing other forums but it would be worth posting your question about legal action to the discussion here where there are lots of other Sage customers who are not very happy.

https://www.accountingweb.co.uk/any-answers/sage-50-cloud-wont-work-unless-you-update

MJ71

Comments on Sage’s statement

The article refers to a Sage representative saying “We are contacting all impacted customers with options available to them, under no circumstances is anyone obliged to move to our fully cloud solution Sage Accounting”

Indeed, no one is obliged to move to the *fully* cloud solution (Sage one?) that’s a different product.

The on premises subscription replacement for Sage 50 Accounts is now confusingly known as Sage 50cloud Accounts (it has some cloudy functionality but still installs directly on your on premises PC/server). This is the version that would be the natural replacement for businesses who are about to have their software turned off.

You are not obliged to upgrade (which means paying for subscription), but if you want to have easy access to your historic data built up in your perpetually licensed software, and you want that access to be through the front end you are familiar with, without resorting to ODBC to extract it into a spreadsheet or rely on reports that some say will work past the cut off, then you either need to join the subscription method or need to migrate to another system. If you migrate then you also need to find a way of exporting all that historic data that satisfies your needs as a business and ticks those HMRC boxes for historic data retention. That is highly disruptive and could be very costly especially if you have other processes interacting with the Sage application that would also need to be replaced or updated. The situation is not helped by Sage failing to give an exact time impacted versions will stop working. Their notice currently says that the old versions (some of which are not very old) will stop working *By* September 30th 2022, so could be tomorrow, could be in a few weeks... not like you have anything urgent that you use the software for is it.. oh you do? Oh...

There has been talk here of Sage being too tight to bother incorporating TLS1.2 into the product earlier. The situation is even sillier than that. TLS1.2 is reported as actually being present and active in some of the versions being turned off, Sage just didn’t use it for the license verification process. Oversight or tactical?

How easily could Sage solve this problem and honour the spirit of those perpetual licenses they sold directly or via resellers as recently as 2019? Possibly 2020? It would seem very easily. There is a v27 of the non-subscription version of Sage 50 Accounts that is more recent and not therefore impacted by the TLS version issue. Sage could therefore enable their current non-subscription customers to continue to get the benefit of the licenses they bought by offering them a free upgrade to that version.

MJ71

Re: Nice try

According to the article TLS1.2 is already in some of the versions impacted by this issue, Sage just didn't use it for the license process.

MJ71

Re: Not Fit for Purpose

It seems to be worse than being entirely "without TLS1.2". Some of the software now at risk had TLS1.2 built in, it just isn't being used for the licensing aspect that they want to now turn off!

Sage denies misleading customers over perpetual licensing, users not happy

MJ71

Re: final reminder....Sage switch off on 11 Oct.

"they're a £1.8bn turnover listed plc"

That's exactly why they should be held to account. Back to my analogy of the corner shop selling potatoes. Just because Sage is a very large business and the issues relating to why perpetual licence holders are being short-changed are complex compared to mislabeling a bag of potatoes, that should not make it immune from liability.

I'm not sure that it won't make a difference to them longer term. I would be reluctant to recommend Sage products now for small business use unless there was a specific feature that the client needed, going back a few years we would rarely have recommended anything else. Accounts packages are often decided on, or shortlisted, by clients' accountants or IT team, no one who has been involved in this saga over the past few years is going to forget about it in the near future.

Sage will be able to claim in their next set of results that the percentage of subscriber/cloud income is up in line with company objectives - well done directors. You can't measure the public reputation of a business in annual results and over time that matters as well.

I think it’s a strategic mistake. The problems are causing the old versions to not work and trying to force people to upgrade when it might not be convenient. Had Sage just been patient and continued to support perpetual (patching the TLS issue) and subscription, whilst simply stopping the sale of perpetual product, over time I guess most people would have moved over to the new structure without too much trouble as and when it was convenient to them and they needed a new feature.

MJ71

RE:

A Sage spokesperson told The Register: "Customers who have an active support contract with Sage – whether it is perpetual or subscription – are entitled to the latest version of software, at no extra cost. Customers are not required to change their contract to a subscription to upgrade. If they have an active contract, there is no cost to upgrade."

Sage have been using this line about customers having a support contract being provided with updated versions as a defense before. They try to use it as a means of shifting the blame to the customer, it's your own fault, you should have taken out a support contract shouldn't you... Some customers have still reported difficulties in obtaining these upgrades. I now believe I understand the situation better.

There are at least two types of Sage support agreements. A basic one (support but no upgrades) and a more costly one, "SageCover Extra", that does include the upgrades. Neither is currently available to buy for perpetual product and it's not clear how many customers retained cover by continually renewing. Basically, if I have understood this correctly, the ONLY Sage (perpetual) Accounts Line 50 customers that are entitled to free upgrades, without moving to a subscription model, are those that still have a current subscription to SageCover Extra.

Does anyone actually still have that? Anyone??

MJ71

Re: Imagine; two centuries ago; when your mother bought a fine china bowl

Some might say that it was generous to use an analogy of a fine china bowl against Sage 50 Accounts, but your point is well made.

The law and processes for governing these sorts of issues doesn’t seem to be keeping up with current times. This is going to present increasing difficulties for consumers of cloud and subscription based services, but what is remarkable about this case is that Sage are, as you say, climbing through the window and smashing the existing bowl upon which the customer has become dependent.

I recently discussed this situation with an MP and the potential for serious impact to businesses if Sage carried out their threat and caused software to fail. Sage claim that they have contacted all impacted customers but the number of people still arriving at forums only just having discovered there is a potential problem casts doubt on that. This software is mostly used by small businesses who work under pressure at the best of times and will be substantially disrupted by suddenly losing access to accounts data with all the implications of that. Unable to pay suppliers (you don’t know what you owe), unable to chase customers for money (you won’t know what you are owed), unable to complete statutory procedures and reporting to HMRC… The difficulty is that the only potential recourse currently is for individual businesses to take action against Sage, dealing with complex technical and legal issues to fight a defendant backed by substantial wealth who will be able to present plausible arguments to defend their position. Even if the customer wins, with the perpetual licence being so far as I understand classed as goods rather than a service, they may only win a refund on the cost of that purchase if the court says it has unreasonably failed, which is trivial compared to the replacement cost of the subscription.

I used the analogy previously of a bag of potatoes. Sage apparently defined their perpetual license as being for 15 years. Some users have had about 4 years use of their software. If you had a shop that sold a bag of potatoes advertised as 15KG and on inspection it was discovered that they actually only put 4KG of potatoes in the bag, the council’s local trading standards would take an interest. There seems to be no equivalent protection in place for businesses. The attitude seems to be that if you don’t like how a vendor behaves then move to a different one, which is clearly not always straightforward.

MJ71

When I questioned a Sage sales rep about this the last time they gave a similar statement to TheRegister, they said that it was possible to have the upgrade and remain on a perpetual licence, but only if you had a support contract. I asked therefore if we could take out a support contract to obtain the upgrade. They refused, saying that Sage had not offered support contracts for perpetual licenses for some time!

MJ71

Well done TheRegister for staying with this saga.

This TLS issue with threats of switch off has been used by Sage over many months to coerce users to enter into subscription agreements who already own perpetual software that was costing them nothing to run previously.

Sage have known about the TLS issue since at least 2018. It should be clarified that some of the versions at risk are nowhere near 10 years old; versions at least as new as 2018 are impacted, possibly more recent.

Sage are quoted as saying “We have been clear with our customers as to what versions of the software were impacted” – No, Sage, you have not. You initially stated that all versions 26.2 and below were impacted. That incorrect information was in place for months. You have now corrected that (after hastily updating your website in September when you were caught out by users on another forum) to clarify that only versions 23.1 to 26.2 are impacted. Innocent error or maximising sales?

Sage also included more up to date TLS versions in some versions of the software for communications other than licencing, still leaving the bit that deals with licencing on the obsolete version. Sage have yet to explain why they did that. Could they have been keen to have a future justification to disable as many non-subscription versions as possible?

If Sage are genuinely offering free upgrades to customers who have support contracts without forcing them into a subscription then that demonstrates that they have a version of the software available to fix the problem for the other impacted users. This is in essence fixing a problem that Sage knew about when some of this software was sold and in any case they had had at least four years to plan a work around for the initial design flaw of the licence process being seemingly hard coded to be dependent on technology that would inevitably change.

Sage accused of misselling perpetual licenses it knew would soon be obsolete

MJ71

Re: Workaround?.....

"...as I couldn't believe they'd get away with borking programs"

At this point they haven't. Sage appear to be doing their best to try to buy off the impacted customers who complain with full or partial refunds and discounts on other products but it's obvious that financially those users who didn't need anything other than the product they already had a license for are going to be worse off long term. The simple fact is that people were sold licenses which they understood to be perpetual, right up to 2019/2020. They have committed business processes to that software, have historic records that they must retain and be able to report on for a number of years for tax and other reasons. Some have committed large amounts of money to integrating other software to integrate with the Sage software. There are also still unanswered questions as to how Sage got into this position which is relevant to their responsibility for fixing it rather than using it as a sales opportunity.

MJ71

Re: Workaround?.....

To clarify, either there is an old licensing server that only supports TLS1.0/1.1 that is being turned off or a licensing server with wider capability is having TLS1.0/1.1 disabled - that seems fair enough.

The Sage 50 Accounts software up to version 26.2 is not capable of using TLS1.2 for licence authentication.

At least some versions of the software from around 2017 onwards do use TLS1.2 for other communications - but not the license authentication bit, that is still locked down to older version of TLS, thus the software is dependent on the old protocol being available at the license server.

Other than why perpetually licensed software needed to have the licence frequently checked, the big question here is why, when Sage added support for TLS1.2 to the software, did they not make that apply to all communications.

MJ71

Re: Defect at the point of purchase

"In the EU you are entitled to a no cost fix for a defect in goods at the point of purchase."

We were in the EU at the point of purchase, but we are not now, so do we still have that right?

Is that why they waited until 2020 to go down this path?

https://gb-kb.sage.com/portal/app/portlets/results/viewsolution.jsp?solutionid=200910142529173

MJ71

Re: Purely commercial, not technical decision

"Not defending them, but I would imagine there are many more updates required to running Sage"

Surprisingly few actually. VAT rates can be updated by users, what else will change? If you have complex issues relating to goods moving between jurisdictions then you are not a typical Sage 50 customer. The software in question tends to be used by the smaller organisations with straightforward bookkeeping and widget counting stock control needs. The finer points of taxation are considered by their accountants.

It is precisely this stability and lack of need for updates that causes Sage a revenue generation problem with these products. The customer has no driving need to frequently upgrade. You could easily get 5 years out of a Sage 50 accounts product before you might be getting concerned it was getting a bit old compared to your regularly updated OS.

MJ71

Re: TLS

Sure they could patch it if they wanted to but there are later versions they could provide to customers that already have support for TLS1.2 built in. Anything 26.3 and above uses TLS1.2 for licensing. Depending on how old a version a user is upgrading from they might need help importing their data but if they are within a few versions of current then the upgrade process is automatic when you open the old dataset.

MJ71

TLS1.2 at the age of 9 thought too immature for a license authentication process?

Sage’s comment states: "The stability and security of The Transport Layer Security protocol is the core focus, not the age of it.”

In 2017 if Sage did not believe that TLS1.2 at the tender age of 9 years old was mature enough to replace the geriatric TLS1.0 in v24 for licensing purposes (not a process that should involve especially sensitive data being communicated), why in that same version did they use TLS1.2 for other communications?

MJ71

Re: Asked whether customers would lose access to their data

Vendor-independent transferable format… er surprisingly not. It will nicely export to another Sage product… one with a subscription.

Sage were previously selling versions of this software with a perpetual license later than the versions compromised by the TLS issue. These were still available as recently as 2021. There is lots of discussion about the ease of Sage writing a patch for the older software, but it appears that they don’t need to even do that. To avoid disrupting their customers when they turn off support for the old protocols on their license server they simply need to hand customers an upgrade to the later perpetual version. Sage have yet to explain why this is not possible. The response from resellers is simply that “that version is no longer available”.