All posts in “Business”

T-Mobile Merger Delay Keeps Sprint and Dish on Edge

The T-Mobile-Sprint merger looked like it was pretty much a done deal a couple of weeks ago, when the Department of Justice gave its approval. However, it now looks like there won’t be a final answer until 2020. This will go down in history as one of the longest corporate merger attempts.

The delay will be hardest on Sprint and Dish Network. Even though T-Mobile looks stronger, it needs the deal too, as it transitions into 5G.

The good news for T-Mobile is that a recent earnings report shows continuing growth — but that also means regulators may not see this merger as necessary. However, as strong as the company is today, it simply does not have what it needs to succeed in a 5G world. T-Mobile desperately needs more wireless spectrum — something it can get through a merger with Sprint.

Sprint’s latest earnings show a company that is weaker than ever. It needs the merger with T-Mobile for survival. So the delay has cast a dire shadow over its future prospects. Sprint has plenty of spectrum, but it lacks the marketing magic to be successful in wireless.

Time Running Out

Sprint needs to be rescued, and quickly. If T-Mobile can’t do it, perhaps a cable television company — Comcast, Charter or Altice — could acquire Sprint and then be able to offer wireless services on a network it owned.

Dish Network needs to enter wireless as quickly as possible. In fact, it needed to enter wireless years ago. Perhaps Charlie Ergen was waiting for the right opportunity. This T-Mobile-Sprint merger could be that opportunity… if it ever gets done.

One way or another, Dish Network needs to move into wireless. One, offering wireless service could help slow its pay-TV customer losses. It might use the service the way Comcast uses Xfinity Mobile or Charter uses Spectrum Mobile. Two, if it doesn’t act, it risks losing the mobile spectrum it acquired years ago. Then Dish would be in even bigger trouble.

Dish Network’s Wireless Options

I have many questions with regard to Dish Network and wireless. One is whether it will enter wireless as a real competitor or just create a more valuable asset to sell.

Another is, if it moves into wireless, will it be an offensive or a defensive competitor? Will it be aggressive like AT&T Mobility, Verizon Wireless, T-Mobile and Sprint, or passive like Xfinity Mobile, Spectrum Mobile and Altice Mobile?

Perhaps Dish has something else in mind. Maybe it will create a wireless provider for the cable television industry to use. That could make sense if Sprint’s assets are up to the task.

Then again, Xfinity Mobile and Spectrum Mobile already resell Verizon Wireless, a much larger and stronger competitor. Why would they consider a lesser provider? Altice Mobile will resell Sprint. So, as unlikely as this sounds, it remains a possibility.

New Questions About the Deal

There are many new questions surrounding this merger now that Dish is in the mix. That may be one of the reasons it is dragging on without an answer.

This merger may be on again, off again because the forces pushing back are not giving up. While I still like the idea, the water is getting muddy again. Now we have to wait until next year for the conclusion of this merger attempt, one way or the other.

Who knows whether this deal will finally be approved? While I hope so — for the sake of T-Mobile, Sprint and Dish Network — it simply is not a sure thing. What roles will Comcast Xfinity Mobile, Charter Spectrum Mobile and Altice Mobile play? Who knows at this stage? Stay tuned.

Jeff Kagan has been an ECT News Network columnist since 2010. His focus is on the wireless and telecom industries. He is an independent analyst, consultant and speaker.

Faulty Driver Coding Exposes Microsoft Windows to Malware Risks

By Jack M. Germain
Aug 15, 2019 9:31 AM PT

Numerous driver design flaws by 20 different hardware vendors expose Microsoft Windows users to widespread security compromises that can cause persistent malware attacks.

A report titled “Screwed Drivers,” which Eclypsium security researchers presented at DEF CON last weekend, urges Microsoft to support solutions to better protect against this class of vulnerabilities.

Microsoft should blacklist known bad drivers, it recommends.

The insecure drivers problem is widespread, Eclypsium researchers found, with more than 40 drivers from at least 20 different vendors threatening the long-term security of the Windows operating system.

The design flaws exist in drivers from every major BIOS vendor, including hardware vendors Asus, Toshiba, Nvidia and Huawei, according to the report.

The research team discovered the coding issues and their broader impacts while pursuing an ongoing hardware and firmware security study involving how attackers can abuse insecure software drivers in devices.

“Since our area of main focus is hardware and firmware security, we naturally gravitated into looking at Windows firmware update tools,” said Mickey Shkatov, principal researcher at Eclypsium.

“Once we started the process of exploring the drivers these tools used we kept finding more and more of these issues,” he told the E-Commerce Times.

The driver design flaws allow attackers to escalate user privilege so they can access the OS kernel mode. That escalation allows the attacker to use the driver as a proxy to gain highly privileged access to the hardware resources, according to the report. It opens read and write access to processor and chipset I/O space, model-specific registers (MSR), control registers (CR), debug registers (DR), physical memory and kernel virtual memory.

“Microsoft has a strong commitment to security and a demonstrated track record of investigating and proactively updating impacted devices as soon as possible. For the best protection, we recommend using Windows 10 and the Microsoft Edge browser,” a Microsoft spokesperson said in comments provided to the E-Commerce Times by company rep Rachel Tougher.

Measuring Caution

Attackers would first have to compromise a computer in order to exploit vulnerable drivers, according to Microsoft.

However, the driver design flaws may make the situation more severe, Eclypsium’s report suggests. They actually could make it easier to compromise a computer.

For instance, any malware running in the user space could scan for a vulnerable driver on the victim machine. It then could use it as a way to gain full control over the system and potentially the underlying firmware, according to the report.

If a vulnerable driver is not already on a system, administrator privilege would be required to install a vulnerable driver, the researchers concede. Still, drivers that provide access to system BIOS or system components to assist with updating firmware, running diagnostics, or customizing options on the component can allow attackers to use those tools to escalate privileges and persist invisibly on the host.

To help mitigate this vulnerability, Windows users should apply Windows Defender Application Control to block known vulnerable software and drivers, according to Microsoft.

Customers can further protect themselves by turning on memory integrity for capable devices, Microsoft also suggested.

Probably Low-to-Moderate Risk

Security firms stimulate sales opportunities based on vulnerabilities. Reports such as the Eclypsium disclosures are sales vehicles, contended Rob Enderle, principal analyst at the Enderle Group, and it is not unusual to see the results overstate the problems.

“In this instance, they are highlighting vulnerable drivers, which could allow someone to escalate privileges and take over a system. Generally, however, the attacker would have to come in through the compromised device, and that means they’d have to have physical access to the system and, with access, there are a lot of things you can do to compromise a PC,” Enderle told the E-Commerce Times.

The possibility of the user getting tricked into installing malware also exists. That would take advantage of this driver vulnerability, but the attacker would need to know the vulnerability was there first to make this work, he noted.

“Given the hostile environment we are in and the fact we have state-level attackers, any vulnerability is a concern,” Enderle cautioned. “However, because the attack vector is convoluted, and an effective attack requires knowledge of the PC, the actual risk is low to moderate.”

It is certainly worth watching and making sure driver updates both address these vulnerabilities and are applied in a timely way, he added.

Widespread Impact

The driver design flaws apply to all modern versions of Microsoft Windows. Currently, no universal mechanism exists to keep a Windows machine from loading one of these known bad drivers, according to the report.

Implementing group policies and other features specific to Windows Pro, Windows Enterprise and Windows Server may offer some protection to a subset of users. Once installed, these drivers can reside on a device for long periods of time unless specifically updated or uninstalled, the researchers said.

It’s not just the drivers already installed on a system that can pose a risk. Malware can add drivers to perform privilege escalation and gain direct access to the hardware, the researchers cautioned.

The drivers in question are not rogue or unsanctioned, they pointed out. All the drivers come from trusted third-party vendors, signed by valid Certificate Authorities and certified by Microsoft.

Both Microsoft and the third-party vendors will need to be more vigilant with these types of vulnerabilities going forward, according to the report.

Signing Software Not Always Reliable

Code signing certificates are used to sign applications, drivers and software digitally. The process allows end users to verify the authenticity of the publisher, according to Chris Hickman, chief security officer at Keyfactor, but there is risk involved in fully trusting signed software.

“Opportunistic cyberattackers can compromise vulnerable certificates and keys across software producers, often planting malware that detonates once a firmware or software update is installed on a user’s system. Therein lies the greatest security risk,” he told the E-Commerce Times.

Eclypsium’s discovery that design flaws in software drivers include numerous hardware makers and software partners drives home the threat businesses and consumer software users face, Hickman said. That attack vector is like this spring’s Asus hack.

“Attackers can exploit code and certificates to plant and deploy malware when businesses run standard — and usually trusted — updates,” he noted.

Code signing is no guarantee that malware cannot be introduced into software. Other steps must be taken prior to signing the code, such as code testing and vulnerability scanning, Hickman explained.

Once the code is signed, it will be installed as it was signed, regardless of the contents, so long as the code signing certificate is from a trusted source. Hence security and care and control of code signing certificates should be as important to DevOps as the other forms of ensuring legitimate code is produced, he said.

Response and Fixes

All of the impacted vendors were notified more than 90 days before Eclypsium scheduled the vulnerabilities disclosure, according to Shkatov.

Intel and Huawei notified Eclypsium that they publicly released advisories and fixes. Phoenix and Insyde do not directly release fixes to end users, but have released fixes to their OEM customers for eventual distribution to end users.

“We’ve been told of fixes that will be released by two more vendors, but we don’t have a specific timeline yet,” said Shkatov. “Eight vendors acknowledged receipt of our advisory, but we haven’t heard if patches will be released or any timeline for those. Five vendors did not respond at all.”

Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open source technologies. He has written numerous reviews of Linux distros and other open source software.

Spotify for Podcasters Hits the Open Road

Spotify on Tuesday launched Spotify for Podcasters following a year-long beta involving more than 100,000 podcasts from 167 countries.

Spotify for Podcasters is a discovery and analytics dashboard designed to let podcasters track performance through data such as episode retention charts, aggregate demographics about listeners, and details on follower growth. Podcast data is updated daily.



Podcasters can use timestamps in their episode description so listeners can start playing the podcasts from precise moments. Timestamps cannot be longer than the episode they point to. They currently are clickable only on mobile devices. Podcasters also can add links to their episode descriptions.

Spotify for Podcasters users can download a .CSV file with their data.

“Data allows a podcaster to better hone their content and attract both advertisers and more listeners,” noted Rob Enderle, principal analyst at the Enderle Group.

“It is critical to building a podcasting business if you know how to use it,” he told the E-Commerce Times. “You can get a better sense of your audience and use that to attract advertisers and refine your content.”

The dashboard is available globally but currently is rendered only in English.


Spotify’s Definitions

There is no industry standard definition for podcast metrics. Here’s how Spotify defines key metrics:

  • Starts measure any listener who clicks on a podcast episode. There is no minimum time limit;
  • Streams encompass podcasts streamed for more than 60 seconds;
  • Listeners are unique listeners who started an episode in a podcaster’s catalog;
  • Followers are listeners who hit “Follow” on their podcast or on Spotify;
  • Average Listen shows how long people listen to a podcast episode. It’s based on the data of at least 50 percent of listeners.

The most comprehensive data on listeners comes from podcast hosts like Simplecast, suggested James Cridland, editor of podcast industry newsletter Podnews.

That’s because Spotify and Apple provide data only on their own app’s users, he told the E-Commerce Times.

Gunning for Top Position

Apple dominates the podcast business, with 63 percent of the market, according to Andreessen Horowitz. Spotify comes in second place with nearly 10 percent.

Spotify claims more than 200 million listeners across more than 75 countries worldwide, and says its podcasts’ reach has nearly doubled since the beginning of this year.

Spotify earlier this year announced the acquisitions of Anchor, which offers a podcast creation app, and podcast content creator Gimlet Media.

Those buys enabled it to “become the leading platform for podcast creators around the world and the leading producer of podcasts,” said CEO Daniel Ek.

Over time, more than 20 percent of content on Spotify will be non-music content, he predicted, and Spotify’s goal is to become the world’s No. 1 audio platform.

Spotify, which is available for both iOS and Android, has “beaten Apple in a number of different countries as a way of listening to podcasts,” Podnews’ Cridland noted.

Show Me the Money

Video is roughly a trillion-dollar market, while the music and radio industry is worth about US$100 billion, Spotify’s Ek observed. “Are our eyes really worth 10 times more than our ears? I firmly believe this is not the case.”

Podcasting will lead the way for growth in the audio sector, he said.

Ads on podcasts totaled $479 million last year — 53 percent higher than the $314 million spent in 2017, IAB found. They are expected to top $1 billion in 2021.

Podcast listening, which drove that growth, increased 7 percent in one year, the firm said. More than half of Americans aged 12 and over have listened to podcasts. Further, podcast listeners continue to respond well to ads.

Spotify wants “to ride this wave to revenue,” Enderle remarked.

Podcasting ad revenue lags behind attention, and podcast monetization is in the very early stages and remains disjointed, according to Andreessen Horowitz. Still, it has doubled each year for the past few years, and investments in podcasting companies have shot up. Last year, a record number of venture capitalists put money into such firms.

With more than 450,000 shows in its catalog, Spotify may have a content advantage, which is at the core of listeners’ engagement.

All About Ads

“Spotify can already serve ads to listeners based on what genre of podcasts they listen to, and you can suspect they may do more of that,” Cridland said, “but crucially, Spotify is trying to increase app usage time without increasing their costs — which is why podcasting is so attractive. Spotify has to pay to use music. Podcasts, however, come free.”

That low-cost aspect of podcasting also might appeal to the corporate world.

“The decision maker who may not have time to read your report might want to listen to you talk, or watch, if you have a video,” suggested Michael Jude, program manager at Stratecast/Frost & Sullivan.

In fact, Frost may disseminate its analysts’ reports as podcasts in the future.

Podcasts “apply to any company that wants to communicate with an audience of customers or prospects, or anyone else,” Jude told the E-Commerce Times. “If all you want is the essential information, that’s a good option.”

Companies can “do centralized curation and archive, and send podcasts to people on their smartphone,” Jude said. “You can even do video podcasts this way.”

Richard Adhikari has been an ECT News Network reporter since 2008. His areas of focus include cybersecurity, mobile technologies, CRM, databases, software development, mainframe and mid-range computing, and application development. He has written and edited for numerous publications, including Information Week and Computerworld. He is the author of two books on client/server technology.

ClickSoft Buy Signals Important Directional Shift for Salesforce

What’s the big deal, I thought? Last week Salesforce announced it was paying in the range of US$1.35 billion for ClickSoft, a private field service automation and workforce management company.

At first, I attributed it to a slow summer news cycle that was driving attention to the deal at a time when many people in the industry are off trout fishing near the Continental Divide or elsewhere. I was in the Hudson River Valley exploring history so that colored my thinking.

Face it, ClickSoft at $1.35 large is about 10 percent of the Tableau data visualization buy a few months ago. I didn’t think it was that big a deal. Also, ClickSoft and Salesforce have been partnering in field service since 2016, so the acquisition signals something much more evolutionary than revolutionary. Then it dawned on me: That’s the point.

Ask this: When in the lifecycle of a disruptive innovation are customers likely to need services of all types — including field service, but also customer service and support? The need diminishes over time as a disruption is increasingly well understood and customers can figure things out for themselves. To crystallize this, no one calls frustrated to not be able to locate the “any key” on their keyboards any more.

End of an Era

We’ve moved on, and product prices and service modes have commoditized in tandem. You can’t lower prices along the commoditization curve if you can’t control costs, and one of the biggest costs is labor. So today, products increasingly are well designed and made precisely to ward off every possible need for a service call, and what isn’t obviated is automated with bots and intelligent systems.

Field service is just customer service for business-to-business-complex-systems, and that has taken some refactoring as well, most exemplified by mobile systems that use virtual reality to show technicians where to look and what to do on a service call.

Salesforce has had this kind of capability for some time now, thanks to the aforementioned relationship with ClickSoft and other bought and built field service software. So why buy the company now?

Simply put, I think the buy was a defensive move that prevents any other company from buying ClickSoft and preventing Salesforce from fielding an increasingly important facility.

Go back to who uses services and when in the lifecycle of a disruptive innovation you’re likely to see service bloom, and you might get an inkling that Salesforce is reading the graffiti and making the following determination.

We’re nearing the end of the 5th industrial revolution, what I call “The Age of Information and Telecommunications.” This is not to say that any of that technology is going away — just that it is commoditizing to the point that it becomes part of the economy and not the driving force. Previous eras, which I documented in a recent book, included textiles, steam power and steel-making, petrochemicals, radio and cars.

The list is long, and in every case the prior disruptive innovations clustered (e.g. steam, steel, railroads, coal mining were reinforcing) and drove the economy for as much as 60 years. Eventually commoditization took hold, and those things all became parts of the economy, though no longer the driving force.

So if you look at the ClickSoft acquisition, you don’t see a tech company building out its portfolio (though it is). Instead you see a tech company getting ready to serve the next great disruptive innovation rather than being the disruptive innovation.

Perhaps the most perceptive photo accompanying a story on the acquisition was displayed on digitalcommerce360. It shows a technician with a mobile phone and a laptop servicing what look like solar panels. If ever there was an industry that’s taking off it’s the nexus around sustainable energy.

Coincidental proof: The top two fastest-growing occupations, according to the U.S. Bureau of Labor Statistics, are solar photovoltaic installers and wind turbine service technicians. Now, installers are not service technicians, but I think the analogy holds because part of installation is making the stuff work.

Importantly, those top jobs garner $42,680 and $54,370 per year respectively. The third-fastest growing job category is home health aides, which averages just $24,200 per year. Disruptive innovations drive good-paying job growth, and neither of the jobs mentioned requires a college degree. More proof.

My Two Bits

What does the Salesforce acquisition of ClickSoft say about Salesforce? Well, Marc Benioff has been talking about a 4th Industrial Revolution for some time now — something I believe he picked up at Davos.

Some people refer to “Industrial Revolutions,” but I go with “Ages” because they’re more descriptive. The point to me is that so much of CRM was developed to help tech companies lift their customers over a big disruption caused by technology. Today the disruption is adjacent, and it is sparking another Age or Industrial Revolution.

Salesforce saw this a while ago, though I doubt it understood that sustainability would be the thing that received the torch in an unending relay race. So buying ClickSoft in such an environment makes all the sense in the world, no matter who is on vacation.

The opinions expressed in this article are those of the author and do not necessarily reflect the views of ECT News Network.

Denis Pombriant is a well-known CRM industry analyst, strategist, writer and speaker. His new book, You Can’t Buy Customer Loyalty, But You Can Earn It, is now available on Amazon. His 2015 book, Solve for the Customer, is also available there.

The Apple Card Difference: Security

Apple sent emails to a small number of customers last week, inviting them to apply for the company’s new Apple Card, and a privileged few have become the first to enroll in the program.

The rollout is limited to qualifying applicants in the United States.

The Apple Card, which is a virtual Mastercard issued by Goldman Sachs Bank USA’s Salt Lake City branch, will roll out generally later this summer.

“Given the digital nature of the card, we’ll see a lot of A/B/X testing to let Apple catch any issues early before a mass rollout,” noted Ray Wang, principal consultant at Constellation Research.

The Virtual Apple Card

The Apple Card will run on iPhone models running iOS 12.4 or later with Face ID or Touch ID, except for the iPhone 5s. It also will run on the Apple Watch, on iPads, and on Macs with Touch ID.

Customers can set the Apple Card as their default payment card for various Apple services.

The card shows items purchased, organized in color-coded categories such as “food and drinks,” “shopping” and “entertainment.”

It uses machine learning and Apple Maps to label transactions with the names and locations of businesses where purchases were made.

Purchases are authorized with Face ID or Touch ID and a one-time unique dynamic security code.

“The principal claim to fame of this card is that it’s totally electronic, but many credit cards are going that way anyway,” said Michael Jude, program manager at Stratecast/Frost & Sullivan.

“It’s possible to buy apps right now that virtualize your conventional credit cards for use with your smartphone,” he told the E-Commerce Times.

Apple does not receive information about where customers shop, what they buy, or how much they pay.

Goldman Sachs will not share or sell data to third parties for marketing and advertising.

The Titanium Apple Card

Apple also has designed a titanium Apple Card for shopping at locations worldwide where Apple Pay is not yet accepted but Mastercard is.

This titanium card bears no CVV security code, expiration date or signature. All of that information is stored in Wallet, which has a hard-coded virtual card number that is autofilled for online purchases.


Customers will get 1 percent Daily Cash for purchases made with the titanium Apple Card.

The titanium Apple Card can be activated using an iPhone that supports the Apple Card.

Consumers can lock the card if they do not carry it, so that it cannot be used to make purchases. They can unlock the card at any time using the Wallet app.

“Security provides a big differentiator, with biometric verification on the device, one-time dynamic security code generation, and contactless payment,” Constellation’s Wang told the E-Commerce Times.

Fraud Protection, Cash Back

Customers are not liable for fraudulent charges after notifying Apple.

There are no fees associated with the Apple Card, but interest on late or missed payments will continue to accrue at the regular interest rate charged.

Initial credit limits and annual percentage rates apply. The APRs range from 13 percent to 24 percent as of Aug. 2, based on the applicant’s creditworthiness.

Customers get a 1-3 percent cash back reward — called “Daily Cash” — for purchases made. The cash is calculated and returned daily to their Apple Cash Account as soon as purchases settle.

The Daily Cash reportedly can be transferred to a consumer’s bank within one to three days for free. An instant transfer will cost a maximum of US$10.

Consumers can spend the cash as they like, apply it to their Apple Card balance, or send the cash to someone else through iMessages.

“Cash back isn’t a new benefit in the card payment space,” noted Eric Smith, research director at Strategy Analytics. “Apple has to get users to break the habit of using existing cards, and needs to provide incentives for them to do so — hence no annual fee and a straightforward cash back.”

Over time, Apple might extend Daily Cash into travel purchases or other areas, Wang suggested.

Cash back and the freedom from fees will provide consumers more incentive to make purchases of Apple products directly from Apple and from stores that accept Apple Pay, Smith told the E-Commerce Times.

Pushing Apple Pay

“In the long run, the Apple Card provides another incentive for merchants to accept Apple Pay once [the card] reaches critical mass,” Smith observed.

Only half of Apple customers use Apple Pay, Wang pointed out. With the Apple Card, Apple has “created an offering that includes a physical card, a digital wallet, cash rewards, and personal finance management tools to spur adoption.”

Apple Card users will not earn reward points, which might be a problem.

“If cash were best, Discover would be king, but they aren’t, so it likely isn’t,” said Rob Enderle, principal analyst at the Enderle Group. “I expect Apple may have to alter this in the future.”

On the other hand, the Apple fan base “has historically been willing to take an Apple offering over alternatives that are better, so it may not be the problem for Apple that it would be for others,” he told the E-Commerce Times.

Apple customers “are locked into Apple, which is expert at mining money from its users,” Enderle noted. The Apple Card “will make it easier for the firm to do that, and I doubt many realize yet what this will cost them long term.”

Richard Adhikari has been an ECT News Network reporter since 2008. His areas of focus include cybersecurity, mobile technologies, CRM, databases, software development, mainframe and mid-range computing, and application development. He has written and edited for numerous publications, including Information Week and Computerworld. He is the author of two books on client/server technology.