Serguei Alleko Blog

Software is very diverse. There is almost as many software types as human needs. Or is it? What are the biggest markets in software, what are the software, that most people use. If we skip the specialized markets (like dentist software for dentists, development software for developers, etc), what is left for real mass market. I’m looking from prospective of a software vendors on the markets where is possible to do business

Theory first

First, let try to guess by analyzing human needs. I’ve got this list from this great post on software:

What do users need for software:

Red - means almost monopoly on the market. It’s very hard to compete with Microsoft Office. Possible, of course, by using guerilla tactics, for example providing software for free, like Open Office

Gray – means most of the services are for free. You just can’t enter this market with paid service, you have to invent some new business models to earn money there

Green - more-less normal market with competition, leaders, niche players, etc

Download Statistics

Ok, the theoretical picture looks a bit grim, but lets see if our thoughts are right. Let’s look first at Download.com Here you can find information about downloadable software, so no Microsoft, Adobe or other big vendors. Did we miss any big categories in the software, which could be downloaded?

We see Office, Security Software and free tools.

Lets look at TOP 20 of the most popular software :

1. AVG Anti-Virus Free Edition – Security
2. Ad-Aware Anniversary Edition - Security
3. Avira AntiVir Personal – Free Antivirus - Security
4. LimeWire – Free Tools
5. Avast Home Edition - Security
6. Orbit Downloader- Free Tools
7. Malwarebytes’ Anti-Malware - Security
8. FrostWire- Free Tools
9. WinRAR- Shareware Tools
10. Advanced SystemCare Free - Security
11. Camfrog Video Chat - Shareware Tools
12. Spybot – Search & Destroy - Security
13. Download Accelerator Plus- Shareware Tools
14. VersionTracker Pro- Free Tools
15. YouTube Downloader- Free Tools
16. Smart Defrag- Free Tools
17. IrfanView- Free Tools
18. GOM Media Player- Free Tools
19. BitComet- Free Tools
20. FLV Player- Free Tools

The picture is the same, the most downladed tools are  - Security (mature market) or some free system utils

Wakoopa Statistics

Wakoopa is a great tool to measure the software usage on your computers. You need to install some applicaiton, which is going to send infromation about which application have you opened and for how long to the central server. I understand, it looks like Big Brother, they have some information on privacy.

Lets see the statistics from Wakoopa.

All time most used software: (this list doesn’t show security software, because it works in background)

1. Firefox
2. Windows Internet Explorer
3. Windows Explorer
4. Opera
5. Windows Live Messenger
6. Google Chrome
7. Microsoft Office Word
8. Microsoft Office Outlook
9. World of Warcraft
10. Microsoft Office Excel

We have the same picture here, free tools, microsoft, games.

Conclusion

If you’re a new vendor or new software e-shop, there is 3 major possibility for you:

• to go to security market (while it’s still not eaten by Microsoft)
• to go to Games market (while people still play games in PC, and not on game devices)
• to become garbage collector, trying to make cheaper copies of Microsoft or Adobe software
• to go to shareware market and sell wide varaety of small tools, which are not yet available for free

In IT world Russian programmers have good reputation. Some say that all the Russians aboard either IT-guru’s or mafia. Of course it’s a joke, but it is true that during the IT-bubble, conveniently timed together with national financial default in Russia in 1998 a lot of bright engineers from the best universities of Russia have gone to Europe, USA or other developed countries.

Some might recall Dmitry Sclarov or even Sergei Brin (the last one is more representing American programmers, not Russians, from my point of view). Actually there are thousands of people, working on much less loud positions. Almost all of them owe their knowledge and skills to Russian high technical education system.  

I’ve spend the last 3 days trying to translate the description of my old education program from Russian to English in order to get my diploma officially confirmed. I was graduated in 1998 in Moscow Institute of Electronic Engineering. At the moment of graduation it still had old soviet education system. After 5 years you get an "Engineering" degree, there were no "Master" or "Bachelor" levels. My speciality was 2204 "Computer and automated systems software" (my own translation, sorry, I don’t have any idea how is it translated officially. I always say "Software design"). This is as close as it can get to the picture of software geek, spending time writing long and complex programs.

I would like to present my work for all readers, so you can see for yourself, how exactly Russian programmers were educated. Link to official program of  "220400 - Computer and automated systems software"  in Russian and my translation "220400 – Computer and automated systems software" in English (pdf). Sorry for my English, I’ve found a lot of words I’ve never met before, I hope it’s still understandable. 

There is many critique against software development education in Russia. Hardware and software is outdated. Students often know more about current technologies, than their professors. Professor salaries are small and all good ones are working either in USA or in commercial companies. Then what are  the reasons why Russian programmers are so good? Read the program and deside yourself, but let me give you some ideas:

• Level of fundamental education was very strong. This was true about mathematics and the software design as well. Many times during my career I suddenly realized, that some part of technology I have to learn, we have actuallyalready studied in university, for example OSI model or semaphores. And please note, this was 1993-1995 years, 15 years ago!
• You had to have discipline. You have a lot of mandatory courses. In fact, it appeared for us all of them were mandatory. We had to succeed in every last one of them, if you don’t score at least 3 out of 5 in all of them, you’re out.
• Some very important qualities for a good modern  technical engineer were actually stated as a part of the program.  "Engineer must: -  Be aware of the modern studies in humanitarian and socio-economical sciences; be able to scientifically analyze social problems and processes; be able to use methods of this sciences in different types of professional and social activities; -  In case of new discoveries in science or industry to be able to review his own experience, analyze his own possibilities and adopt the new knowledge using modern information technologies; -  Be ready methodically and psychologically to change his professional field or work with people with other professions." How I wish that more people have got those qualities!
• Last, but not least, and this is also a quotation from the official requirements, "Engineer must be able to continue education and work in a foreign country". So immigration was actually embedded in our educational system

A lot of changing in the modern IT, education system and general approach to knowledge. It may well be that this programm is too old for 21 century. Those were the secret training techniques of Russian programmers and they definitely left some mark in IT-history

In my own rating of the most beautiful cities San Francisco shares the first place with Amsterdam. I’m talking about the natural beauty, the one, which makes you just walk and enjoy on normal, usual streets.

Thouse photos were taken in may 2008 in San Francisco.

I’ve been working  for many years in a anti-virus company. Of course my view on computer viruses and incidents  is biased, but this angle could be interesting anyway. 

Currently the anti-virus coverage within corporate networks is close to 100%. Within home users it’s estimated from 70% to 90%.  How exactly does infeactions happen in real life and how could they be disinfected.

Start of the infection

Modern viruses are like vampires. If you don’t invite them in your house, they can not pass the door. If, however, the undead manages to trick you and get in, then you’re in real trouble. 

In 99% of the situations the infection is coming via Internet.  Look at Virus Top list for December 2008  Almost always user has  to let the virus in yourself:

• user opens an email with a virus
• user opens a web-page with a virus

In Windows XP and Vista there are some security measures, which are trying to warn you. And it does help. Actually I believe, Microsoft has greatly decrease the possibility for external infection. But it’s sill not enough.

Even if a user has an anti-virus, it must be working. First of all, it must be ON. A lot of users turn it off because it eats the system resources. Second, anti-virus must be updated, basically every day. You have to let it to get the latest updates via Internet.  These two problems are the reasons, why home users get infected even with the anti-virus installed. I beleive if you get those two things right, you can be protected with any of the top 5 Anti-Viruses: Symantec, Mcaffee, TrendMicro, Kaspersky, Sophos.

In the corporate environment normally you have professionals, who can manage the installations of the anti-virus software. That’s why normally within corporate networks you have much less infection rate, than at home. I say normally, because it happens anyway. I’ve seen only 3 major security incidents within large corporate networks and in 2 cases the reason was that anti-virus software was not properly  installed. These are the most common reasons for IT-managers not to  install Anti-virus:

• we run those servers on VMWare, they don’t have enough resources for real-time anti-virus protection
• we don’t have anti-virus in our standard image for a workplace
• we just don’t have a standard disk image for a workplace
• we never had anti-virus problems before, so we for us performance is more important
• we hired a new guy, how didn’t have time yet to catch on with your anti-virus stuff.

You don’t have an Anti-Virus and you get a virus. This is as simple as that! As you can see, the most underlying reasons are not security related, but rather general IT-management related.

Infection is spreading

Once in, a vampire can use a formidable array of superpowers – inhuman strength, speed, invisibility, mist, hypnosis, etc, etc.  In corporate networks normally there is not much protection inside the perimeter. Once run on a PC with domain admin rights, a virus can copy itself to any other computer, put itself in the autoexec-batch file from Windows Domain Logon, attach itself to a lot of Microsoft Office files. Almost always if some of the computers do have the anti-virus protection, they can resist. Viruses are deleted at the moment they’re entering the protected computer. But in a network with thousands of computers even a small fracture of unprotected PCs can easily jam connections or servers. All computers must be protected.

Fortunately, vampires are not just savage killers, they’re sophisticated creatures (at least according to Bram Stocker). They don’t just kill, they suck your blood slowly and trying to convert you. The same is true about modern computer viruses. They don’t destroy your files or wipe your hard drive. They’re slowly and carefully trying to use your resources for some commercial purpose. Making your computer a zombie, sending spam, starting DDOS-attacks, stealing passwords. That’s why there is still a possibility to clean the computer and eliminate the infection.

Cleaning the infection

Just let professor Van Helsing to do his job and he’ll succeed. Currently modern anti-virus programs are very powerful tools. They’re self-protected, they’re smart and they can do their job good. In most situations it’s enough to install the Anti-virus, get the latest updates and perform the scan of the whole hard drive. 

Here lies the biggest issue for the corporate networks. Anti-virus vendors provide their own solutions for the remote protection. Microsoft Windows contain useful technology like RPC. Other vendors also have solutions like Novell Zenworks.  However you need to know where to install!

The problem is that all those systems are quite democratic: “if computer comes and asks for service, the system provides is”. An opposite approach would be totalitarian: “the system must know everything about all computers and enforce the service”. In case of cleaning the infection from the corporate network you need to be a dictator and install the anti-virus on all computers. These are the major obstacles you find on your way:

• not all computers in the company are online during the day
• nobody knows how many computers are really there, not stolen, broken or thrown away
• nobody cleans the list of registered computers in Active Directory, there are always a lot of very old ones
• often central IT department sends a bunch of PCs to a local IT-team and they connect them when they need
• often the names of thousands of computers have flat structure, like PC2022345,  you don’t know where they’re located

You don’t have to be despot in normal life. If you’re talking about the business needs of your company, a democratic approach works just fine. But if you’re at war, you need to change it.

I found the approach which works the best to clean this mess:

1.  Start with list of registered PCs from Active Directory, put them in one group called “Not Clean“
2. Try to ask the customer to remove obviously old names. It’s not always possible, because there are hundreds of them
3. In most cases you can remove names, which don’t have IP-address in the Windows DNS anymore. This means they haven’t been online for a long time
4. Put all those computers in the list in your Anti-virus control Center and try to install the protection on all of them
5. When the initial installation finishes, move the computers with successfully installed anti-virus to another group, called “Clean“
6. Repeat steps 4 and 5 next day. And the day after next. And further. Your goal to move everything from “Not Clean” to “Clean“.
7. If there are some computers still left, try to find their location and clean them manually

In this situation the biggest problems are again, not security related, but IT-related. In order to perform the cleaning you don’t have to be an anti-virus expert, you just need to have good understanding of Windows infrastructure and networking.

Conclusion

The solution against viruses is just simply installation of Anti-virus. When you get infection, in most cases it means you didn’t have protection. If you need to clean the infection – install Anti-Virus. It sounds a bit boring, doesn’t it?

If you want to know how to receive money via online transactions, you have to know, how to pay it back.

Why refund?

There are different reasons for paying customer their money back:

• (obvious) Customer is not happy about the product. In different countries there are different periods, when customer has right by law to return a product and ask for a full refund. Normaly in Europe it ranges from 7 till 14 days. Software companies normally extend this period as an additional bonus.
• Customer got confused with payment and paid twice or paid the wrong amount. This is especially applicable to a complex payment methods like iDEAL or bank transfers.
• Your shop is a victim of a fraud. Somebody has purchased some products with stolen credit card numbers. In theory it’s insured by the credit card company, and even if it’s not, the customer can initiate a charge back. But you don’t want this, because too many of such incidents and you’re considered a “bad shop”

In all those situations it’s always better to pay this client back the whole amount and focus on the other clients. People do appreciate if you give them money. Even if it’s their own money and they are really frustrated about the services of your company. There is a magic in a small amount of cash coming to you.  I’ve got a lot of crazy, rude and loud clients on the phone, demanding satisfaction. I’m yet to meet one, who wouldn’t calm after I promise him some money.

How to refund?

So how easy is to pay money back technically? It depends on the type of online payment you use.

In most situations, you’re going to use some information from your PSP (Payment Service Provider). They all are trying to provide you the best services they can, but sometimes you have limits. A lot of financial information is provided to you on “need to know” basis. You can’t have the credit card numbers of your clients unless your company is PCI-certified  You don’t get the bank account number if you initiate some automatic bank transfers, etc. This make your life a bit harder. Let me explain in details how do you make a refund with different payment methods using Ogone as a PSP and Rabobank as  a bank.

Refund with credit cards

Normally its the easiest part. Even if you don’t have the credit card number of the client, your PSP does. And It can initiate the charge back with one mouse-click. 

click for bigger image

The money appear on the client Credit Cards account in a couple of days.

Refund with iDEAL

An a nutshell, iDEAL is bank transfer.  The money go directly from the account of the client to yours. PSP doesn’t have access to your bank account. So it’s only you or your bank can do it. Postbank does  provide a button for the refund of an iDEAL transaction, but, surprisingly, it does nothing!

I’ve hidden the private data of the client

Nothing happens if you click on “Terugboeken” (Pay back). It’s just a registration of the refund for your accounting (according to Rabobank support). You have to perform the refund yourself. 

In order to perform a refund, you have to know 2 things:

• account number of the client
• his name

Fortunately in the situation with iDEAL you can get this information from your PSP:

OK, I had to hid it again, but there was a real account number and name of the client

With this information you can go to your online banking client and perform the transaction manually.

Refund with bank transfer

If you think it’s complicated with iDEAL, wait for the next one, bank transfer. You can ask your customer for a bank transfer directly, by giving him the instructions to pay certain amount to a certain account or, better, you can ask for a permission to make a charge on the account of the client. I don’t want to go to deep into details of bank transfers, I really hope they will die soon as an online payment method. But in any case, your PSP doesn’t give you the account number of the client!

click for bigger image

Please note that there is a button for refund. But it also is not doing what it supposed to do. Instead PSP is trying to help you as much as they can. It sends you per email a fax template, which you can fax to your bank in order to refund this bank transfer. So much for online!

You basically have to ask your customer for a missing account number. Which he finds strange, he gave it to you during the payment, why don’t you have it when it’s time to refund. But we have to live with it. Bank transfers are only for the clients who don’t have credit cards or online banking service. Those, who have paid in the old-fashioned way for 50 years and don’t trust the computers. Again, I hope not for long!

Conclusion

To summarise, refund operations with credit cards are the easiest, PSP provides all required infrastructure to perform it. iDEAL is a bit harder, banks should realy keep up with automatising of their iDEAL back-office. With bank transfer is a huge pain to make a refund. 

And again: refunded customer is a happy customer. And happy customer is a way to more customers!

In my previous post I’ve described 3 major modern online payment methods. Let met give more attention to the most modern one – iDEAL.

iDEAL is one of the online payment methods which are using online banking with special tokens. Currently such methods are deployed by different European Banks. Of course each bank has it’s own authentication method for e-banking and it would be a nightmare to support online payments for every bank.

Fortunately the banks are trying to consolidate their efforts at least on country level. Currently I know only Netherlands and Belgium (Bankcontact\Mister Cash)  having such systems.

How does it work?

The system is a bit more complicated for a user, than paying with credit cards.

• Step 1. You select products in your e-shop and click on “pay”
• Step 2. Normally you select your bank from the list

(sorry for the Dutch text)

• Step 3. You’re transferred on a page of your bank where you perform the authentication and pay.

Please note that the system automatically picked the amount of the payment and the name of the e-shop. You only need to use your card to authenticate yourself and click on “Pay”

• Step 3.  iDEAL system transfers information back to the site of the merchant and the e-shop starts the process of delivery of goods – online or offline.

Pluses of iDEAL system

• It’s very secure. It uses direct connection with your bank with 2-factor autentication.
• It could be done online, sitting on your chair.
• It’s more automatised than just “wire transfer”, because customer doesn’t have to type correctly the bank account of the e-shop, amount or any special “number”, which e-shops are using to recognise the transaction. This data is filled automatically, which really helps with human errors

Minuses of iDEAL system

•  First and the biggest disadvantage – customer has to leave your site and go to another – the website of the bank, which supports iDEAL. It creates a huge field for customer errors. People forget to click on “pay”. People pay on “pay” twice. People forget to click on “OK” and close their browser. Basically you lose some control on what the customer is doing during the purchase.
•  Second is coming from the first – the payment process is asynchronous. With credit card you start a transaction and finish it (successfully or unsuccessfully) within one process. With iDEAL you have a number of processes, which your e-shop starts, by sending customers to the bank payment page and then we must wait till the customer comes back
  Customers may come back in a couple of minutes (that’s how long it’s required to pay with iDEAL). They may come couple of hours later in a different order. They may not come at all or come two times. Your e-shop software has to maintain a table of current “open” transactions and wait for possible outcomes. 
• Every transaction is actually a bank transfer to your account. If your Payment Service Provider is not using some buffer bank account, you end up with hundreds of small transactions, which your accountant has to book. 
• The services from the banks. supporting iDEAL system, are sometimes not “ideal”.  We’re using the one from Rabobank, it doesn’t have a possibility to initiate a charge back. But paying back to your customers it’s a separate big topic, which I’m going to cover later

Conclusion

The rest of the world is still considering iDEAL as a “new and innovative system”, and it does have some glitches. But I belive that such systems will eventually be the payment method of the future. It will replace Credit Cards as e-banking is replacing paying your bills at a brick-and-mortar banks.

Pioneers sometimes pay more than their followers. It’s harder to be the first in any field, and in any industry as well. To be The First of course means  you’re also The Best, at least at the beginning.

Pioneers invest heavily in R&D, infrastructure and they find methods to do what they do cheaper. The followers could profit from it and do it better and more effective. At some point you can see that pioneers are still busy with their old infrastructure at the moment when the followers are going further.

It’s not a secret, that in 19-21 century the USA is a pioneer in a number of industries. Americans did something first and let other learn from their successes and mistakes. This happened with railroads, this happened with mobile telephony, this also is happening with online payments.

The Past

How can consumers pay for products before Internet era. There was, of course, cash. There were bank transfers, there were different types of cheques. And there were a credit cards. Which of those method were suitable for online payments.  You can’t send cash or a cheque online, via a web-form or email. There were no online banking services. So we’re stick with:

• Credit Cards

You only need to transfer a number per Internet and “virtually” give permission to a e-shop to charge you. Almost no authentication, only identification (for difference between those to click on links).  The major plus is – very easy procedures. Client fills the number in a form, “one click” and payment is done, the rest is up to the merchant.

The Present

Presently there are dozens of different online payment methods available. I’m going to focus only on business transactions between a consumer and official business – e-shop. So, I’m not going to cover Pay Pal,  Western Union, etc. Those are designed to transfer money between individuals without legal entities and sometimes without even bank accounts. Let us assume that the e-shop is a corporation, which pays taxes as a business and can register itself as a merchant with all rights and responsibilities, provided by government and financial institutions.

Online payments were changed a lot by online banking. Almost all banks in the world now allow to perform transactions online. It requires a person to log in (Now we do have authentication, good!) and perform some operations manually. Not exactly “one-click payment”, but it could be done from your arm-chair.

Here came the “Pioneer problem”. Who was the first in providing online banking? USA, of course. At that moment the philosophy of information security  told us, that one factor authentication (currently known as weak authentication)  is enough.  Most of the banks required only user name and password to access those services. This created the whole generation of computer viruses, designed to stole those passwords. It was so insecure that people didn’t wanted even to integrate in with e-shops. How do you automate the process of online payments with password? Give your password to the merchant?

Europe was a bit late and had luxury to learn from American mistakes. Banks started to develop tools with Two-factor authentication (or Strong Authentication). All people need to use a special device, which looks like a small calculator.

Here you can find some information about such services in a Belgian ING bank

They have some strong crypto inside, which helps you to generate one-time passwords. The procedure is more complex, but it’s so secure that Payment Service Providers started to help merchants to automate it. Now with some magic and some web-services customers can pay via Internet in e-shops.

Summarising. there are 3 types of online payments available:

• Credit Cards
• Bank transfers
• Payment methods based on modern online banking, like iDEAL, Bancontact/Mister Cash, etc.

The Future

In order to try to predict the future let me show, which methods are used by our clients in Netherlands on our e-shop:

iDEAL is winning and will continue it’s growth.  Currently such systems are local to an European country (actually to a bank) and not compatible with each other. But I hope that with introduction of SEPA Single Euro Payments Area this type of payment will be accepted in all EU-countries. 

Conclusion

At the end let me summarize 3 types of payment with their pluses and minuses

There are still some difficult es with those new payment methods, I’ll cover them in later posts. Europe is  ”the pioneer” this time and I’m sure USA will come a bit later with better solution.

Credit cards are good for online purchases. Everybody knows that. They’re popular, they’re fast, they’re convinient for the client. A lot of Payment Service Providers are dedicated mostly to credit cards only.

But actually, for merchants, credit cards are the worst and least secure method for online payments.

1. The authentication is week
2. Third party (the “MasterCard itself”) is in the loop
3. It’s quite costly for a merchant.

Let’s go through those points in details

Weak authentication. 

Credit card owner need to supply only an openly known number – the credit card number (sometimes with another openly known number – CVV code). Not even a password! That’s why there are so many fraud with credit cards. In Europe, some Credit Card issuers trying to add a simple password authentication – 3-D Secure. But it’s still just a password, and it’s weak.

Third person in a loop – Credit Card Acquirer

A shop always work with a Credit Card Acquirer. In fact, you can say that it’s “MasterCard” or “Visa” itself. It’s a person, who’s handling the money. Shop gets it’s money from an Acquirer. And later, it’s a problem of Acquirer to get the money from a customer. This is the main idea of the credit cards.

Let’s image you’re selling fish on a North Pole and your customers come to you without cash, but only with credit cards. How do you know, that they survive the next storm to pay you for your products. You don’t. But you’re sure, that MasterCard survive. And pays you this money. 

Sounds actually quite positive, why did I put it as a negative point. A huge rich person, working as a intermediate with your money transactions – this can’t be good, and I’ll show you in a moment why.

Credit Card transactions cost money

Of course, responsibility gives power and power brings money. Credit Card Acquirers ask for a lot (relatively)  of money for their services. It’s almost always a percentage, 2-3% of the value of the transaction. It’s much more than costs for more modern iDEAL for example.

For this money a Credit Card Acquirer takes responsibility for the money and ensures, that debts are paid, no matter what. And we’re talking about a very unpredictable debtors – remember weak authentication? A lot of credit cards are stolen, there is a huge possibilities to cheat.

If you’re a Chinese hacker with a computer virus and got your hands on a bunch of credit cards from the Internet? You can buy a plasma TV or a lot of books from Amazon. Or, you can spend all those money in a e-shop of your friend. Your friend and you gets pure cash (MasterCard pays for all stolen cards).

What can MasterCard do with it? Of course, it’s illegal, and police can find it and prosecute the bad guys. But Mastercard has millions and millions of shops around the globe, how it can work in this environment. It can’t.

That’s why they change the rules. Only “Good e-shops” are allowed accept Credit Cards from their customers. “Bad e-shops” are not allowed that. What are a “Bad e-shop”? It’s a shop where a lot of goods are bought with stolen credit cards. Sounds like the e-shop is a victim, not a criminal. Doesn’t matter, we’re not in a court yet, we’re in business. In business there is no presumption of innocence. If you’re “Bad”, Master Card doesn’t want you.

So, actually, the responsibility for the money is now with the e-shop! MasterCard of course makes advices on how to protect your shop against fraud. For example, don’t accept strange transactions from Chinese IP-addresses with credit cards, issued in USA, etc

A big rich dept collector is not responsible, merchants are. It’s good to be big and rich!

I’ve tried to use several versions of Wordpress, starting with 1.5.something. It always looked like a “very old’ software.

The kind of software were made by programmers. Not coders, not designers, but good old “programmers”, “hackers”. Persons, who can master the whole cycle of program production by themselves.

Version 2.6 looks a bit different though. I think they got now a usual (for 21 century) team of desiger-programmer-tester.