I have an older version of sage - v 21 (2015) - works perfectly well, but Sage on their website state this will fail 30 September, or shortly thereafter.
I have no 'home' screen, so no banner has popped up. A phone call to Sage has them confirming that this above version will be impacted.
However, the Sage platinum business partner who sold me the product stated on their own website that only versions 23.2 to 26.2 were impacted.
I contacted the sage reseller who (Friday or yesterday) contacted sage, who have confirmed that it IS ONLY versions 23.2 to 26.2 that are impacted.
Anyone from Sage like to comment?
Anyone from the Editorial team like to challenge Sage direct given this is attracting the most ever views on this forum for a long time?
The silence from the Editorial Team is absolutely deafening - given not just the scale of the problem, but the volume of comments/suggestions (near 500 on just one thread) necessitated by Sage alternating between misleading statements and threats.
How hard can it be to challenge a public company to make public their position - and to question any obvious anomalies in it?
"Anyone from the Editorial team like to challenge Sage direct given this is attracting the most ever views on this forum for a long time?"
An editorial taking Sage to task is completely warranted imho - I doubt Accounting Web would want to get involved in such a spat, mind - so I suspect they are deliberately not rocking the applecart here.
All your queries and more are probably fully addressed on the thread below - would be surprised if this is not the longest thread Accounting Web have ever had.
All I know is that the route Sage have taken has come directly from the "executive team", specifically the head honcho themselves. IMHO Sage are bang out of order on every level plus summit - albeit I would concede if peeps need updates to their packages - e.g. to keep VAT MTD compliant - I can see why Sage would have specific extra costs in that regard. Most peeps though who have their beef simply want to be left to run the original software they bought and were promised would work.
https://www.accountingweb.co.uk/any-answers/sage-50-cloud-wont-work-unle...
Re: "All I know is that the route Sage have taken has come directly from the "executive team", specifically the head honcho themselves."
ThisIsMoney.co.uk, part of the Daily Mail group ran an article earlier in the year about Steve Hare.
https://www.thisismoney.co.uk/money/markets/article-10554651/Sage-boss-S...
There is a comment in that article attributed to Mr Hare about working for a private equity firm and noting how they never accept barriers. This was clearly something that impressed him.
I am slightly uncomfortable with making this issue personal when a number of people must have colluded and agreed on the course of action for Sage to be in the position they are now in, but ultimately there is a hierarchy and individuals with the power to say that the conduct is completely unreasonable and needs to be addressed should stand up, take responsibility and set out restoring customers' confidence in the business.
Technical question that someone might know the answer to:
Can sage work through a proxy server? (Does it have a setting somewhere to point at a proxy server - normal in a corporate network - or does it have to have a direct connection out onto the internet? Or possibly it will use the system proxy without any ability to override it?)
If it can work via a proxy server then it should be possible for sage to provide a way to keep the software working albeit they'd (probably) have to supply a signed certificate and the private key to anybody who wanted to use a proxy to convert from the deprecated TLS version inside their network to the current TLS version exposed by sage licence servers.
(This wouldn't require any changes to the existing sage software at all)
Sorry, I cannot answer that, although when I mentioned to Sage they could've easily patched the TLS issue for all users they said that us perpetual users who hadn't paid for support were entitled to no support!
They don't appear to care a jot for reputational damage.
Yes, but the difference between patching the code and proxying the connection is that nobody at sage has to work out how to build the old version of the software and link in a new version of a library - that might have been changed in incompatible ways. Effectively you'd be MITM the sage connection - sage talks to a proxy server - which could be a special purpose app - which then talks to the sage server and no software changes are needed at all to the sage software.
Unfortunately, sage is a bit of a victim here too - there's absolutely no reason why the old version of TLS isn't adequate for this purpose but unfortunately "security researchers" will "discover" sage exposing it to the internet and then report "security issues" even though, in this particular case, there is no security risk at all to anybody.
Unfortunately, sage is a bit of a victim here too
Seriously, no, they are not.
Sage chose to use a method for licence authentication, with a perpetually licensed piece of software, that committed them to have a server available to respond to license authentication requests.
Having established that method they then, through negligence or intention, chose to use an encryption protocol long after it was obsolete, in more recent versions of their software using current versions of that protocol within the same software for other purposes.
I accept the point about security researchers making a fuss when it isn't always justified, but this is a situation that Sage have created for themselves.
None of this prevents Sage from being honest, respecting the spirit of the licenses already sold and saying “really sorry but because we made these decisions you are going to have the inconvenience of upgrading to this later version. Here is your free of charge upgrade”.
Instead, Sage have used this as a justification to accelerate their long standing objective to migrate everyone to subscription. From what has been written today it now seems that they expanded the targets for that migration to those not even affected by the issue.
None of this prevents Sage from being honest, respecting the spirit of the licenses already sold and saying “really sorry but because we made these decisions you are going to have the inconvenience of upgrading to this later version. Here is your free of charge upgrade”.
Agreed.
But as someone who has, for my entire career, avoided getting promoted on the "management track" but been quite senior on the "technical track" I'm aware of the dilemma that issues like this cause. Unfortunately, the option of "just do nothing, it will keep working" isn't available but for mostly "political" reasons, not technical and the poor sops who could actually do something about this are at the mercy of management decisions. They have probably told senior management that "something must be done" but unfortunately they have little influence on the choice of "something."
I wish this "ET phone home" issue was more in the public consciousness. Your smart fridge, smart washing machine, smart kettle, smart door bell, smart tv, smart tractor, smart cnc machine, etc are all also at the mercy of a similar problem in the future, even ignoring issues of the company providing the "phone home" server going bust, getting taken over or shutting down servers, etc. There ought to be a legal obligation on companies to provide sufficient information to allow third parties to (choose to) take over these roles if/when they decide to EoL something and that requirement should survive companies being taken over etc. Like everything else, the companies have vast budgets and can bribe^Wdonate to politicians and those of us who would love to be able to "take back control" are voices that cannot make ourselves heard.
MartinJones wrote:
There ought to be a legal obligation on companies to provide sufficient information to allow third parties to (choose to) take over these roles...
Yes - 100% agree.
This is getting slightly off topic but I had the same thought yesterday evening. This is going to become a serious issue over the next few years with cloud connected products. There will be perfectly good equipment that cannot be used because the manufacturer has gone out of business, then there will be other businesses who take a commercial decision to stop supporting older products either because it's inconvenient (Google "Hive security products cease") or because they know that the decision will drive consumers to replace those devices. Either way the consumer loses out and there is unnecessary waste in making the new product.
Getting back to Sage, the additional issue is that consumers were not knowingly buying into a product that was dependent on an ongoing support service from Sage. I also remain very suspicious about the decisions relating to the persistent inclusion of obsolete TLS specifically for licence authentication, combined with the schedule for support of that to be withdrawn. If Sage have nothing to hide in that respect can they provide a clear timeline of when decisions were taken and why TLS for licence authentication was not migrated to TLS 1.2 for the new versions being released 2018 onwards?
Morning all,
Thanks for flagging this. It's not the editorial team's intention to ignore the issue - there's approximately one of us covering tech and plenty going on (MTD what?) I'll drop my contacts at Sage a line and report back - in the meantime keep the comments/feedback on this coming.
All the best,
Tom
To be fair to Tom, he did at least try ... https://www.accountingweb.co.uk/tech/accounting-software/some-sage-perpe... ... although I can't see that he/we learned anything new from the attempt OR that Sage have even minutely changed tack.
Sage Line 50 - so they've finally pulled the plug and expect everyone to stump up the £190 per month when they were on a 'perpetual' licence before. Anyone else affected and want to find solutions?
I was aware of changes, but thought it didn't apply to me. They only switched mine off last week.
Whilst talking to Sage customer relations, I overheard another conversation in the background of someone calling the lawyers in on Sage.
The link quoted here takes me to the Jan22 post rather than a solution - can't read all 600 messages - is there a solution?
I have a temp work around, but nothing that will replace the perpetual licence of multi-company, multi-user.
Can't believe that an industry body like FSB isn't taking a strong interest and getting some sort of class action together on this...
OK - so there is a solution?
The people I have spoken to on other forums have said that there isn't a solution, so this is a surprise. As I'm an MD and not an accountant, I only found this forum today from a journalist, and he thought there wasn't a solution.
So I can get my Sage to work, in full, for multi company, multi user, with just a minor inconvenience? What if one user needs to have his computer connected to the internet to use it via Chrome Remote Desktop? Is that going to work?
And I can get my V25 data to work with it?
The principal contributors to the solution on the Any Answers forum referred to were Arrowhawk and TRFDevon who take the main credit, although others contributed, which means that the workaround is spread around a number of postings. I have tried to pull it together in the listing pasted below. You should probably read their postings. Pages 12 and 13 are the main ones I recall.
In his article, Tom Herbert mentioned that Sage would not issue patches to overcome this issue because of the fear that it would affect their control of licenses. The bad news for them is that the perfectly legal workaround (it doesn't breach license terms to make modifications to your own Windows setup) does break that control.
This is a solution that seems to work for many people, including me (I'm on V24 and others using it are on V25 - one user of V23 told me it didn't work with his software). Try it at your own risk and keep notes of anything that you delete.
Disconnect from the internet
Close Sage on all devices (if networked)
Click Start, type regedit and search for the account number (press F3). It is usually under
HKEY_CURRENT_USER\Sage\Line 50
Delete the AccountNumber and InfractionShown keys.
Close regedit
In Windows firewall, or whatever alternative you have installed, block internet access for:
C:\Program Files (x86)\Sage\Accounts\SBDDesktop.exe
C:\Program Files (x86)\Sage\Accounts\Sage.exe
C:\Program Files (x86)\Sage\AccountsServiceV25\sg50svc_v25.exe
(Substitute your version for V25 if you are using another)
Go to C:\ProgramData\Sage\SDK Licence\ and rename the SDK Licence folder to "SDK Licence-OLD".
The above will suffice if the firewall rules are in place before Sage removes your license from the server. If a connection has been made after removal you need to make a further step.
Go to C:\Program Files (x86)\Common Files\InstallEngine
This folder may look empty on first checking, but the files are set as hidden protected operating system files and Windows will block you from deleting them. Get around this by renaming the folder to InstallEngine-OLD which will stop Sage seeing the files.
I don't have a networked Sage setup, but my contacts who do tell me that this procedure will ensure that all of the networked machines work together.
After you have created the 3 windows firewall rules given above, go back in and click on "scope" and add these two ip address ranges to the "Remote IP address" section for each rule.
0.0.0.0 - 192.167.255.255 and 192.169.0.0 - 255.255.255.255
This will work for those that have an IP address range starting with 192.168. (That's most of us)
For those on 10.x.x.x or 172.x.x.x type ranges you will have to adjust accordingly.
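The arithmetic behind the two "Remote IP address" ranges quoted above, and the equivalents for 10.x.x.x and 172.x.x.x networks, as an added example that is not part of the original posts. It generalises to several allowed networks at once; the function names `blocked_ranges` and `scope_entries` are hypothetical, and the private ranges used are the standard RFC 1918 blocks.

```python
import ipaddress

def blocked_ranges(allowed_cidrs):
    """Return inclusive (first, last) IPv4 ranges covering every address
    that is NOT inside any of the allowed networks."""
    # strict=False lets the caller pass a host address with its mask,
    # e.g. "192.168.1.20/24", and still get the enclosing network.
    nets = [ipaddress.ip_network(c, strict=False) for c in allowed_cidrs]
    if any(n.version != 4 for n in nets):
        raise ValueError("IPv4 networks only")
    # Merge overlapping networks and walk them in ascending order.
    merged = sorted(ipaddress.collapse_addresses(nets))
    ranges = []
    cursor = 0  # lowest address (as an integer) not yet accounted for
    for net in merged:
        start = int(net.network_address)
        end = int(net.broadcast_address)
        if start > cursor:
            # Gap below this allowed network: it belongs in the block scope.
            ranges.append((ipaddress.IPv4Address(cursor),
                           ipaddress.IPv4Address(start - 1)))
        cursor = max(cursor, end + 1)
    if cursor <= 0xFFFFFFFF:
        ranges.append((ipaddress.IPv4Address(cursor),
                       ipaddress.IPv4Address(0xFFFFFFFF)))
    return ranges

def scope_entries(allowed_cidrs):
    """Format the blocked ranges as 'first - last' strings."""
    return [f"{first} - {last}" for first, last in blocked_ranges(allowed_cidrs)]

if __name__ == "__main__":
    # Constructed sample inputs: the three RFC 1918 private blocks,
    # one at a time and then all together.
    for lan in (["192.168.0.0/16"], ["10.0.0.0/8"], ["172.16.0.0/12"],
                ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]):
        print(lan, "->", scope_entries(lan))
```

A block rule scoped to these ranges leaves traffic to the allowed network untouched, because the allowed addresses never appear in the rule's remote scope.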