Recently in Commerce Category
I brought this up a while back when Apple first announced the store, but now that analysts are estimating possible revenues of $1+ billion in 2009, I think it's worth repeating.
Once you've gone to the trouble of setting up all the infrastructure necessary to sell, deliver and update applications—why stop with just the iPhone? You've done the hard work, everything else is just incremental costs. The Macintosh is the obvious next step, but there's no reason not to provide Windows applications as well. The market potential dwarfs that of just iPhone software.
The initial folks who stand to lose are places like Kagi and Digital River, who currently provide payment and (in some cases) delivery services for small software vendors. But they don't provide marketing, automatic updates, signed applications, and FairPlay copy protection. Apple is going to roll right over them; but they won't stop there.
See The iTunes Trojan Horse: Selling Applications for more thoughts on where Apple might go.
Once Apple has set up iTunes as a software store for the iPhone and iPod Touch, there is no reason they shouldn't leverage that functionality and presence to become the dominant software reseller for both Macintosh and Windows platforms.
iTunes has got to be the most inappropriately named application on the planet. Sure, you can play music, but it also synchronizes your photos, sends contacts to your phone and iPod, synchronizes your calendar with different services, lets you buy games for your iPod, and now will let you buy applications for your iPhone and iPod Touch. It is this last feature which particularly interests me.
iPhone applications will only be available via the iTunes store, to which the only interface is the iTunes application. All applications have to be approved by Apple, and all applications are digitally signed. This means that when you install an application on your iPhone, you know that it hasn't been modified from the time the application developer first gave it to Apple. That's a very nice feature from a security standpoint, and one that is also available to programs written for the Mac OS Leopard operating system.
When Apple started selling music, the record companies didn't take them seriously, and never really saw what was coming. As a result, they lost control of the market for their music, and Apple gained the ability to become the number two music reseller in the United States. The only reason that Apple wasn't able to do this to the movie industry as well is that the movie industry had been forewarned, and limited Apple's access to their content.
When I look at everything that Apple has to do in order to become a software reseller for the iPhone, I wonder whether they're really going to restrict their software to just the iPhone. The hard work in selling software for the iPhone has nothing to do with the iPhone itself. Apple has to set up marketing, digital signing, software evaluation, developer tools, download servers, software upgrade mechanisms, alpha and beta test processes, policies for handling sales and variable pricing, and all the other features that are expected of an online software store. After having gone to all this trouble, why is Apple going to stop with just selling software for the iPhone? Why not use the same software store to sell software for the Mac? For that matter, Windows Vista also has digital signing support. Given the vast numbers of computers, both Windows and Macintosh, that have iTunes on them, Apple automatically has a huge distribution mechanism for software, and a pre-installed application for marketing, advertising and downloading that software. On top of that, because of the digital signing, Apple can advertise the software as being safer to download than the software that is downloaded off of other download sites.
If I worked at Kagi, Digital River, or one of the other companies that currently handle software sales and distribution (but not marketing) for independent software developers, I would start looking in my rearview mirror. Because iTunes is coming up fast, and has pulled out to pass.
(As a side note, this article was written using MacSpeech Dictate after only five minutes of training. It has worked extremely well, and I'll be writing a review shortly.)
If you think legal circles don't have much love for "business method" patents, try bringing them up in software development circles. Far too many of these are things which anyone, sitting down to deal with a particular problem, would immediately come up with. We can hope that the Bilski case may change things, but I wouldn't anticipate anything earth shattering. As the article points out, the very concept of "business patent" is pretty vague; it's hard to ban something you can't define. Like porn, it's one of those "I know it when I see it" things.
However, if you'd like to help put an end to nuisance patents, there are a number of organizations you can support. Here are a few:
- End Software Patents
- EFF: Patent Busting Project
- Peer to Patent, Community Patent Review
- Patent Troll Tracker
- Lawmakers gear up for patent system overhaul | Tech News on ZDNet
- Patent reform--or else | Tech News on ZDNet
- PUBPAT > How to Find Prior Art
- Prior art - Wikipedia, the free encyclopedia
- Patent Business Methods (USPTO)
My Del.icio.us links on patents:
The February 2008 issue of Baseline Magazine has an article entitled "The Rhythm of Identity Management". It doesn't appear to be online as I write this, but you can find another article about it here on Dark Reading: "Credit Union Authenticates 'Bio-Rhythms'". The concept is simple. Different people have different patterns (cadence) to how they type. These don't have to be unique, they just have to be identifiable and unpredictable (given anything else you know about someone). The concept was used in WWII to identify enemy troop movements by tracking the movements of the telegraph operators (as identified by their typing patterns).
A company named BioPassword is now selling this as a security mechanism, fulfilling the "what you are" leg of security. That's good news for banks, because they are supposed to provide "dual-factor" authentication, and this gives them a way of doing that without requiring the customer to own some piece of hardware which either won't work with their computer, or will get lost along with their TV remote.
Unfortunately, along with trivia about your second cousin once removed, and other odd security mechanisms, this lip-service to "dual-factor" isn't providing any additional security at all.
Here is my letter to Baseline's editors:
I find it ironic that in the same issue where TJX is taken to task for putting costs before security, Forum Credit Union makes the very same choice.
The traditional legs of security are "something you know," "something you have," and "something you are," but it turns out that's not quite enough—none of those three may overlap. Going with typing cadence as a security mechanism adds the "something you are" leg, but what works in a corporate environment does not necessarily apply when your user is on an unsecured computer in their home. You have to assume that any information entered onto the remote computer is potentially available to a hacker. When that is the case, any non-changing information can be trivially abused, and the whole reason cadence analysis works is because it doesn't change. In essence, "something you know" has become "something your computer can know", and in that context, typing cadence is just another static password.
If the hacker is able to obtain the user's name and password by sniffing keystrokes, then obtaining the timing of those keystrokes is a trivial addition. BioPassword's solution is simply a Flash-based plugin that gathers the typing information. It has no security hooks in the operating system to ensure that nobody else is listening to, or simulating, the input stream. (In any case, it's unclear that such checks would be sufficient on a compromised machine.) A remote hacker can record the timing and then just play the keystrokes back on their own machine, even introducing artificial jiggle should it be necessary.
The reason most USB Tokens and Key Fobs are secure is that they generate one-time passwords synchronized (on a per-device basis) with a server in the back-office. The hacker can get the password, but it's only good for a single use within a 60 second time-span.
BioPassword sounds like a reasonable solution in a corporate environment, where machines are kept secure. In the outside world, it is secure only so long as it remains obscure.
I believe Forum Credit Union would do well to reconsider whether $20 is really too much money to spend truly securing a customer's bank account.
Kee Hinckley
CEO/CTO Somewhere, Inc.
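The letter's contrast between a static typing cadence and a synchronized one-time password can be seen side by side in the following added example, which is not part of the original post or of BioPassword's product. The cadence matcher, its tolerance, the enrolled timings and the secret are all hypothetical; the token follows RFC 6238 with the 60-second window the letter mentions.

```python
import hashlib
import hmac
import random
import struct

def totp(secret, unix_time, step=60, digits=6):
    """RFC 6238 one-time password (HMAC-SHA1) for the window containing unix_time."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def token_accepts(secret, submitted, now, used_windows, step=60):
    """Server side: the code must match the current window and be unused."""
    window = now // step
    if window in used_windows:
        return False
    if not hmac.compare_digest(totp(secret, now, step), submitted):
        return False
    used_windows.add(window)
    return True

def cadence_accepts(enrolled_ms, sample_ms, tolerance_ms=25):
    """Hypothetical matcher: every inter-key gap must be within tolerance."""
    return len(enrolled_ms) == len(sample_ms) and all(
        abs(e - s) <= tolerance_ms for e, s in zip(enrolled_ms, sample_ms))

ENROLLED = [112, 95, 140, 88, 130, 101, 97]   # constructed inter-key gaps (ms)
SECRET = b"constructed-demo-secret"            # constructed token seed

def replay_outcomes(seed=7):
    """What each factor does with data observed once on an untrusted machine."""
    rng = random.Random(seed)
    replayed = [gap + rng.randint(-10, 10) for gap in ENROLLED]  # added jitter
    used = set()
    t0 = 1_200_000_000
    code = totp(SECRET, t0)                    # the code observed at login
    return {
        "cadence_replay": cadence_accepts(ENROLLED, replayed),
        "token_first_use": token_accepts(SECRET, code, t0, used),
        "token_same_window_reuse": token_accepts(SECRET, code, t0 + 5, used),
        "token_after_window": token_accepts(SECRET, code, t0 + 120, used),
    }
```

The cadence check has no notion of freshness, so anything recorded once keeps passing; the token check rejects the same value on reuse and after its window.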
Okay, actually they already have one, but it's an expanding business, I'm sure they'll want more.
The following message (quoted in part) showed up in my mailbox today.
1. Received line is in a DNSBL list.
2. IP address is in Russia (which I might or might not have been blocking).
3. Direct to MX (message left their mail server directly, no initial mail application).
4. Message passed through two countries to get to me (Russia and France).
5. Sender domain doesn't match the IPs (combined with #3 that gives us extra bad points).
6. Hosts in SMTP From, From:, Return-Path and Message-ID don't match the Received headers (extra points).
7. And so on...
| Hello, I am writing to inquire if you might be interested in part-time employment in the field of accounting/clerical services. | We'd like you to handle some money for us. |
| Elbrus Financial, Co., a major Russian investment bank and asset management company, | Organized crime syndicate. |
| is looking for chargeable and determined individuals | I particularly like the “chargeable” part. That's not what they meant, but it is probably accurate both financially and legally. |
| to fill the specialist and associate positions within the Receivables department of our Transactions/Finance group in the United States. As a specialist or associate, you will be in charge of monitoring and processing funds transfers initiated by our US clients and reporting to the Receivables department manager in Russia. | People will send you money, and you'll send it to us. |
| We are looking for numerate individuals | I had to look that “numerate” up, but they got it right. Then again, they probably looked it up too. |
| who are also capable team-players, | Who won't cheat us. |
| preferably with some college education and/or previous accounting/clerical experience. | So we can butter you up by telling you that you can have the job even though you are underqualified. |
| ... Our mission is to provide investors with reduced emerging market risk and superior returns through broad diversification and conscious risk-taking. | You'll be taking the risks, of course. |
| To learn more about our company, please visit us online at www.Elbrus.com | We've got a .com domain, so we must be real. Let's see, they say they are based in Russia, their mail also says they have offices in Lithuania and Cyprus. The domain is registered in Israel, the domain servers are in the US, and a DNS lookup of the web site shows that it is currently (these things tend to move around every hour or so) hosted on someone's PC via a Comcast Cable connection in Chelmsford, Massachusetts (US). |
| ...[Extensive detail on how you'll manage incoming email and money transfers, and what cut you'll get.]... You will never be required to cash a check, make a remittance before the funds are cleared into your account or engage in any other financially risky activity. ... It should also be understood that being a foreign entity, Elbrus is not subject to the US IRS supervision. You will be the sole person liable for reporting the commissions that you receive as your personal or business income. | You just make good with the IRS and you'll be fine... (of course, we won't mention federal statutes about transferring money in and out of the country, not to mention money laundering laws). |
| You can apply for the position online at: http://elbrusfinancial.com/?menu=par Please note that only applicants under serious consideration will be contacted. Please use the following vacancy code: EL-SEP07. | Look, we have two domains. We must be real! This one is actually registered in Russia. DNS in the US. Web site hosted on half a dozen cable modems. |
Haven't you always wanted to join the Russian Mafia? Go for it! :-)
P.S. It occurs to me that I ought to expand on this for people who don't know what's really going on here. It's really quite simple. In order to run scams selling non-existent, stolen, or counterfeit goods, you need to have a U.S. address that will receive the money--otherwise it sets off everyone's fraud alarms. So they are looking for people who will receive the money and then forward it on to them. That's generally called Money Laundering.
There's also an equivalent come-on for people to handle receiving goods bought with stolen credit cards. In those cases they want people who will receive packages and then forward them out of the country. That's usually referred to as Receiving Stolen Goods.
P.P.S. There's another scam running that this is even more likely to refer to. It relies on the fact that American banks will credit checks before they have entirely cleared. You're sent a check and asked to deposit it. You then transfer 90% of the money offshore. A few weeks later, the check is discovered to be a forgery and you owe the entire amount to the bank. (See Spam-scam crackdown nets $2 billion in fake checks).
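Several of the header checks listed near the top of this post (DNSBL hit, direct to MX, sender domain and header hosts not matching the Received line) can be turned into a small scorer. This is an added example, not the author's filter: the point values, the in-memory DNSBL set and both sample messages are constructed, and the country checks are left out because they need a GeoIP database.

```python
import re
from email import message_from_string
from email.utils import parseaddr

DNSBL = {"203.0.113.7"}  # constructed stand-in for a real DNSBL query
HOP = re.compile(r"from\s+\S+\s+\((\S+)\s+\[([\d.]+)\]\)")

# Constructed messages; names and addresses are documentation-only values.
SPAM = ("Return-Path: <jobs@bank.example>\n"
        "Received: from pc7.cable.example (pc7.cable.example [203.0.113.7])"
        " by mx.rcpt.example; Mon, 3 Sep 2007 10:00:00 -0400\n"
        "From: HR <jobs@bank.example>\n"
        "Message-ID: <1@mail.bank.example>\n\nHello\n")
LEGIT = ("Return-Path: <ann@corp.example>\n"
         "Received: from out.corp.example (out.corp.example [198.51.100.9])"
         " by mx.rcpt.example; Mon, 3 Sep 2007 10:00:00 -0400\n"
         "Received: from laptop (laptop.corp.example [192.0.2.4])"
         " by out.corp.example; Mon, 3 Sep 2007 09:59:58 -0400\n"
         "From: Ann <ann@corp.example>\n"
         "Message-ID: <2@out.corp.example>\n\nHi\n")

def base(host):
    """Crude registrable domain: the last two labels (enough for the samples)."""
    return ".".join(host.lower().split(".")[-2:])

def score(raw):
    """Return {reason: points} for the header checks listed in the post."""
    msg = message_from_string(raw)
    hops = [m.groups() for m in map(HOP.search, msg.get_all("Received", [])) if m]
    if not hops:
        return {}
    rdns, ip = hops[0]        # topmost Received was written by our own MX
    direct = len(hops) == 1   # no earlier hop: sent straight to our MX
    reasons = {}
    if ip in DNSBL:
        reasons["dnsbl"] = 3
    if direct:
        reasons["direct_to_mx"] = 2
    env = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2]
    if env and base(env) != base(rdns):
        reasons["sender_domain_mismatch"] = 2 + (1 if direct else 0)
    others = [parseaddr(msg.get("From", ""))[1],
              msg.get("Message-ID", "").strip("<> ")]
    bad = [v for v in others if v and base(v.rpartition("@")[2]) != base(rdns)]
    if bad:
        reasons["header_hosts_mismatch"] = len(bad)
    return reasons
```

Only the topmost Received line is trusted here, because everything below it was supplied by the sending side and can be forged.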
Technorati Tags: commerce, crime, email, phishing, scamming, social, spam, technology
In essence, Amazon has created a web service which can be included in Mashups just the way any other web service is. At the same time, they are attempting to solve the micropayment problem. (They aren't really "solving" it, they are simply providing it at the provider-to-provider level, where presumably they will add up to a single large payment, as opposed to the consumer level where people are unwilling to plop down money in advance of (possibly) making small payments in the future.)
I've always had a little trouble figuring out what Amazon was up to with their hosting services. It didn't seem to play to their overall corporate direction, image, or strengths. This, however, makes good use of both those services, and their commerce capabilities. I expect we'll see Google and eBay/Paypal make similar moves.
Technorati Tags: amazon, commerce, developer, mashup, micropayment, fps
