I Want to Alter the Deal

The Witcher series of games has been phenomenally successful. In fact, its success has overshadowed the books it was based on. Unfortunately for the author, he made a bad deal and now wants to alter the deal:

“I was stupid enough to sell them rights to the whole bunch,” Sapkowski said at the time. “They offered me a percentage of their profits. I said, ‘No, there will be no profit at all — give me all my money right now! The whole amount.’ It was stupid. I was stupid enough to leave everything in their hands because I didn’t believe in their success. But who could foresee their success? I couldn’t.”

Sapkowski has now made a public demand for six percent of the profits obtained for the lifetime of the franchise, which adds up to more than $16 million for The Witcher 3: Wild Hunt alone.

I especially enjoy how he admits that he was initially offered a percentage of the profits and turned the offer down because he didn’t believe that the project would be successful. So even he’s admitting that his failure to capitalize on his novels was entirely his fault.

Higher risks generally come with greater rewards, which makes sense since there needs to be a justification for taking a risk. Sapkowski played it safe and took the low risk/low reward option. Generally speaking, if you can bear the brunt of losing out on a high risk/high reward situation, take it. Sapkowski had income from his books so he may have been able to bear the brunt of not receiving any money on the series if it flopped. If you ever find yourself in a similar position, give the high risk option some serious thought.

How Not to Handle Business Model Changes

GPGTools is a software suite that makes using OpenPGP on macOS easier. I’ve recommended this tool for quite some time to the three people who are interested in encrypting the contents of their e-mail. While the tool was freely available, the development team has been warning users for over a year that the suite would eventually move to a paid model. I completely understand their motivation. A man has to eat after all. However, there are proper ways to change business models and improper ways. The GPGTools team chose the improper way.

Here is the latest update notification for GPGTools:

It looks innocuous enough but if you install it, you’ll discover that your Mail.app plugin will be a one month trial. The initial screen of the update note doesn’t indicate that this update is the one that moves GPGTools from free to paid. You have to scroll down to learn that tidbit of information. Since most users probably don’t scroll through the entire update note, they will likely be rather surprised when their free app is now telling them that they have to pay.

Another issue with GPGTools’s transition is that there is no English version of the terms of distribution. Since GPGTools is based in Germany, this might not seem odd but everything else on the site is translated into English. If you’re going to toss a license agreement at somebody, you should provide it in every language that your application supports.

The final major problem with the transition, which has fortunately been fixed now but you can read about it by digging through the announcement thread on Twitter, was that there was no information about the license being sold. When you went to buy a license, the site originally didn’t tell you if the license was per computer, per user, or something else. Now the site states that the purchase covers one person and activation on up to three computers (a limit that I find more restrictive than I prefer).

I’m not one to criticize somebody when they make an effort to profit from their endeavors but GPGTools’s transition from a free suite to a paid suite should be a valuable lesson on how not to perform such a transition.

If you’re ever in a situation where you want to begin charging users for something that you have been providing for free, here are a few rules.

First, don’t foist the change on users out of the blue. Announce your intentions early. Moreover, give your users a firm date as soon as possible. GPGTools’s development team kept saying that the change would come eventually but never provided a hard date.

Second, if you’re going to change the business model through an update, make sure that the update informs users in a very obvious manner. That information should be the first thing in the update note. It wouldn’t hurt to put that part of the note in big bold letters so it jumps out at the user. An even better solution would be to release another free version that told the user that the next version would be the one that transitioned over to a paid model. When the next update was released, have the app clearly tell the user that it will transition the software over to a paid model.

Third, make sure you tell the user what they’re purchasing. The link to buy the software should inform the user if the license is per user, per computer, a monthly subscription, or something else.

Fourth, make any license agreements available in every language that the software supports. If the application is translated into English, then the user should expect an English version of any license agreements to be available.

If anybody is wondering if I’m going to buy a license for GPGTools, the answer is maybe. I haven’t been enamored with the GPGTools development team. Its biggest problem has been a lack of timeliness. Mail.app doesn’t officially support plugins, so the GPGTools plugin requires a fair bit of hackery and often breaks between major macOS releases. GPGTools has often been months behind major macOS releases, which means that there have often been months where the tool simply doesn’t work if you’re running the current version of macOS. I’m willing to overlook such an issue for a free tool (you get what you pay for) but not a paid tool. So the GPGTools development team will have to demonstrate an ability to have working versions of its software available when new versions of macOS are released before I’ll purchase a license. I also find the three computer limitation too restrictive. I’d rather see it bumped up to at least five computers or better yet unlimited computers (merely make it a per user license agreement).

If the GPGTools development team does resolve these issues, I’ll likely buy a license. It’s only $23.90 (for the current major version, it is implied that a new license will be required for the next major release), which is reasonable. And while I don’t use encrypted e-mail very often (not for lack of want but for lack of people who also use it), I do like to throw money at teams that make quality products and GPGTools, minus the issue noted in the previous paragraph, has been a quality product.

Potentially Most Worthless Form of Protest Ever

When a bunch of triggered snowflake conservatives started burning their Nike products to protest the company’s decision to make Colin Kaepernick its mascot, I foolishly asked if there was a more useless way to protest a company than destroying your own property. The question was meant to be rhetorical, but a triggered snowflake liberal stepped up to the plate to prove that there are more useless forms of protest through his act of protesting by shooting himself in the arm:

Mark J. Bird, 69, was charged last month with discharging a gun within a prohibited structure, carrying a concealed weapon without a permit and possessing a dangerous weapon on school property, court records show. He was found bleeding from a self-inflicted gunshot wound to his arm about 8:15 a.m. on Aug. 28 outside a bathroom in the Charleston campus K building.

[…]

One college employee told police that he held Bird’s hand to calm him down as others tried to stop the bleeding. While waiting for authorities to arrive, Bird said he had shot himself in protest of President Donald Trump, police noted in their report. The report did not elaborate.

I’m sure Trump is all broken up over the fact that some college professor, whom he would probably tear apart on Twitter if he was even vaguely aware of his existence, from Las Vegas decided to shoot himself in the arm with a .22 pistol. I expect Trump to announce his resignation this week due to the power of this professor’s protest.

The real icing on the cake though was this:

Inside the bathroom, campus police found a $100 bill taped to a mirror along with a note that said, “For the janitor,” according to Bird’s arrest report. On the floor of the restroom was a black-and-white, .22-caliber pistol and one spent shell casing.

$100 to clean up blood? Obviously this professor has no idea how expensive it is to clean up a scene contaminated with blood. You don’t just run a mop across it and call it a day. The scene has to be sterilized because human blood can carry some really nasty shit.

I will probably regret this but I’ll ask anyways, is there a more useless way to protest than shooting one’s self in the arm with a small caliber handgun?

Don’t Trust Snoops

Software that allows family members to spy on one another is big business. But how far can you trust a company that specializes in enabling abusers to keep a constant eye on their victims? Not surprisingly, such companies can’t be trusted very much:

mSpy, the makers of a software-as-a-service product that claims to help more than a million paying customers spy on the mobile devices of their kids and partners, has leaked millions of sensitive records online, including passwords, call logs, text messages, contacts, notes and location data secretly collected from phones running the stealthy spyware.

Less than a week ago, security researcher Nitish Shah directed KrebsOnSecurity to an open database on the Web that allowed anyone to query up-to-the-minute mSpy records for both customer transactions at mSpy’s site and for mobile phone data collected by mSpy’s software. The database required no authentication.

Oops.

I can’t say that I’m terribly surprised by this. Companies that make software aimed at allowing family members to spy on one another already have, at least in my opinion, a pretty flexible moral framework. I wouldn’t be surprised if all of the data collected by mSpy was stored in plaintext in order to make it easily accessible to other buyers.

Why Connecting Things to the Internet Doesn’t Give Me Warm Fuzzies

The trend in seemingly every market is to take features that function perfectly well without an Internet connection and make them dependent on an Internet connection. Let’s consider two old automobile features: remote door unlocking and engine starting. Most modern vehicles have the former and many now come equipped with the latter. These features are usually activated by a remote control that is attached to your key chain and have a decent range (the remote for my very basic vehicle can reliably start the engine through several walls). Tesla decided that such a basic feature wasn’t good enough for its high-tech cars and instead tied those features to the Internet. Needless to say, the inevitable happened:

Tesla’s fleet network connection is currently down, which means that owners of the EV brand of cars aren’t able to sign into the mobile app. Unfortunately, this means that they can’t remote start or remote unlock their cars, and they’re also unable to monitor their car’s charging status.

In all fairness, this isn’t an issue unique to Tesla. Any product that makes features dependent on an Internet connection will run into service outages at one point or another. Your “smart” coffee maker’s service will eventually go down, which will force you to walk over and press the brew button like a goddamn barbarian instead of kicking off the brew cycle from an app as you continue lying in bed.

When these Internet dependent features really bite you in the ass though is when the service provider goes out of business, especially if the product itself cannot operate without the Internet service. There are a lot of current “smart” devices that will soon end up in a landfill not because they mechanically failed but because their service provider went bankrupt. While the features that became unavailable when Tesla’s service went down weren’t critical for the functionality of the vehicle, no longer being able to remotely unlock doors, start the engine, or check the charging status would really degrade the overall user experience of the company’s vehicles.

Don’t Believe Everything You Read on the Internet… or in a Book

The Internet is a platform for everybody, and I mean everybody. From scientists to conspiracy theorists. From medical professionals to witch doctors. From professional chefs to idiots who don’t know that the ingredients they’re recommending are toxic:

Holmgren’s idealized Little House lifestyle led to online fame and eventually helped her land a book deal. Which is fine. Holmgren’s Tales from a Forager’s Kitchen: The Ultimate Field Guide to Evoke Curiosity and Wonderment with More Than 80 Recipes and Foraging Tips hit shelves earlier this year. And amazingly, she had more to say than would fit in that subtitle—upon its release, Holmgren and her forest-find-decorated home were featured in publications like the Star Tribune.

Here’s the problem: Forager’s Kitchen also includes recipes that use raw morel mushrooms. There’s a smoothie in there made with raw elderberries.

Both of which are toxic if served uncooked.

The Internet gave Holmgren a platform and according to Shitty Pages she has risen through the ranks and is now an “Instagram influencer” (whatever the fuck that is). Thanks to fame that the Internet enabled her to accrue, she was able to publish a physical book. It just so happens that following the advice in her book could lead to some discomfort. So, yeah, thanks Internet!

I’m rather sad that this book is being recalled. I think a lot of people would benefit from direct experience in not believing every idiot thing that they read.

Nothing But the Best

What’s the worst that could happen if the programmer for your pacemaker accepts software updates that aren’t digitally signed or delivered over a secure connection? It could accept a malicious update that, when pushed to your pacemaker, could literally kill you. With stakes that high you might expect the manufacturer of such a device to have a vested interest in fixing the problem. After all, people keeling over dead because you didn’t implement basic security features in your product isn’t going to make for good headlines. But it turns out that isn’t the case:

At the Black Hat security conference in Las Vegas, researchers Billy Rios and Jonathan Butts said they first alerted medical device maker Medtronic to the hacking vulnerabilities in January 2017. So far, they said, the proof-of-concept attacks they developed still work. The duo on Thursday demonstrated one hack that compromised a CareLink 2090 programmer, a device doctors use to control pacemakers after they’re implanted in patients.

Because updates for the programmer aren’t delivered over an encrypted HTTPS connection and firmware isn’t digitally signed, the researchers were able to force it to run malicious firmware that would be hard for most doctors to detect. From there, the researchers said, the compromised machine could cause implanted pacemakers to make life-threatening changes in therapies, such as increasing the number of shocks delivered to patients.

Killing people through computer hacks has been a mainstay of Hollywood for a long time. When Hollywood first used that plot point, it was unlikely. Today software is integrated into so many critical systems that the plot point is feasible. Security needs to be taken far more seriously, especially by manufacturers that develop such critical products.
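To make the failure concrete, here is an added example (not Medtronic’s code, and not from the Ars Technica piece) of the one check that separates the two situations described above: an updater that flashes whatever it downloads versus one that refuses any image whose signature doesn’t verify under a public key pinned in the device. The `FirmwareImage` format, the function names and the use of Ed25519 over a SHA-256 digest are assumptions made for this illustration; the sample firmware bytes are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Hypothetical update package for a device programmer: the firmware bytes
// plus a detached Ed25519 signature over sha256(Body). The format, field
// names and key handling are assumptions for this example, not any real
// vendor's design.
type FirmwareImage struct {
	Body      []byte
	Signature []byte
}

// vulnerableApply reproduces the failure mode from the write-up: the
// updater trusts whatever it downloaded and returns it for flashing, so a
// tampered or attacker-authored image is accepted just like a genuine one.
func vulnerableApply(img FirmwareImage) ([]byte, error) {
	return img.Body, nil
}

// hardenedApply gates flashing on a signature that verifies under a public
// key pinned in the device at manufacture. HTTPS is still worth having for
// the download, but this check holds even if the transport is plain HTTP or
// the update arrives on a USB stick.
func hardenedApply(pinnedVendorKey ed25519.PublicKey, img FirmwareImage) ([]byte, error) {
	if len(pinnedVendorKey) != ed25519.PublicKeySize {
		return nil, errors.New("firmware rejected: no pinned vendor key on device")
	}
	if len(img.Signature) != ed25519.SignatureSize {
		return nil, errors.New("firmware rejected: missing or malformed signature")
	}
	digest := sha256.Sum256(img.Body)
	if !ed25519.Verify(pinnedVendorKey, digest[:], img.Signature) {
		return nil, errors.New("firmware rejected: signature does not verify under pinned vendor key")
	}
	return img.Body, nil
}

// signFirmware is the vendor-side release step. The private key lives on the
// release infrastructure and is never present on the device or the programmer.
func signFirmware(vendorPriv ed25519.PrivateKey, body []byte) FirmwareImage {
	digest := sha256.Sum256(body)
	return FirmwareImage{Body: body, Signature: ed25519.Sign(vendorPriv, digest[:])}
}

// tamper returns a copy of body with one byte flipped, standing in for an
// attacker who modified the image in transit over unauthenticated HTTP.
func tamper(body []byte) []byte {
	out := append([]byte(nil), body...)
	out[len(out)/2] ^= 0x01
	return out
}

func main() {
	// Constructed sample: a vendor release key pair and a stand-in firmware blob.
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	genuine := signFirmware(vendorPriv, []byte("programmer firmware v2.0 (constructed sample payload)"))

	// An attacker with their own key can sign anything; only the pinned key matters.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := signFirmware(attackerPriv, []byte("constructed malicious payload"))

	// Genuine signature attached to a body modified in transit.
	modified := FirmwareImage{Body: tamper(genuine.Body), Signature: genuine.Signature}

	cases := []struct {
		name string
		img  FirmwareImage
	}{
		{"genuine, vendor-signed", genuine},
		{"tampered in transit", modified},
		{"signed with attacker key", forged},
		{"unsigned", FirmwareImage{Body: genuine.Body}},
	}
	for _, c := range cases {
		_, vErr := vulnerableApply(c.img)
		_, hErr := hardenedApply(vendorPub, c.img)
		fmt.Printf("%-26s vulnerable accepts: %-5v hardened: %v\n", c.name, vErr == nil, hErr)
	}
}
```

The vulnerable path accepts all four images; the hardened path accepts only the first. Note that the check is on the signature, not the transport: encrypting the download without signing the image would still let anyone who can reach the update server (or who controls the device’s view of DNS) ship arbitrary firmware.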

Altering the Deal

I’ve never understood the business model of relying entirely on one other company for revenue. It might sound like a good idea at first, especially if the other company is being especially generous, but if the other company changes the deal, you’re shit out of luck:

Apple is shutting down an App Store affiliate program that shared a small percentage of revenue generated by third-party links to purchase apps or in-app content.

[…]

Apple’s decision comes as a sucker punch to outlets like mobile gaming news and reviews site TouchArcade, which has long relied on the App Store affiliate program for a significant chunk of its revenue. As TouchArcade editor Eli Hodapp writes in a despairing post, the loss of the “reliable” affiliate revenue stream could very well kill the site, which will now lean more heavily on Patreon donations and Amazon affiliate links to stay afloat.

“I genuinely have no idea what TouchArcade is going to do,” Hodapp writes. “It’s hard to read this in any other way than ‘We went from seeing a microscopic amount of value in third-party editorial to, we now see no value.’ … I don’t know how the takeaway from this move can be seen as anything other than Apple extending a massive middle finger to sites like TouchArcade, AppShopper, and many others who have spent the last decade evangelizing the App Store and iOS gaming.”

Maybe deciding what TouchArcade will do if Apple cancels its affiliate program is something that should have been considered earlier. Especially since not too long ago Apple changed the terms of its affiliate program to reduce the amount of money affiliates received.

Threat modeling isn’t an exercise that should be performed exclusively by a company’s security team. Security threats are just one kind of threat that businesses face. Loss of revenue sources is another threat that must be considered.

Incoherent Screeching

Shortly after Cody Wilson won his day in court the gun control crowd started screeching incoherently. Failing to understand the reality of the situation, which is their modus operandi, they started demanding that judges, politicians, and anybody else involved in the government stop the distribution of files for printing firearms on 3D printers. The latest futile attempt to stop Wilson was made by several attorneys general and a federal judge in Seattle:

A federal judge in Seattle has issued a temporary restraining order to stop the release of blueprints to make untraceable and undetectable 3D-printed plastic guns.

Eight Democratic attorneys general filed a lawsuit Monday seeking to block the federal government’s settlement with the company that makes the plans available online. They also sought a restraining order, arguing the 3D guns would be a safety risk.

A judge issued a restraining order? Oh no, whatever shall we do? I guess those 3D printer files are lost to the world now. Game over.

I wonder if these gun control fanatics are actually stupid enough to believe that. While a judge may issue a restraining order that prevents Defense Distributed, Wilson’s company, from offering the files, they are still available via the most censorship resilient website on the Internet, The Pirate Bay. If you know anything about the history of The Pirate Bay, you know that there is no way in hell that any judge in the United States will get those files removed from that site. Even if they could do that, those files are being seeded by a number of people, so anybody with the magnet link can still get the files. The genie is out of the bottle.

The Question to Stop 3D Guns

You find some wonderful words of wisdom on Twitter:

If we don’t scream and yell, any person will be able to start printing 3D guns this Wednesday, August 1st.

As opposed to what we can print now, which are apparently only 2D guns!

Jeff sessions can stop this.

Oh, my sweet summer child.