Warning: long post.
Not content with the vigorous debate around my post that Kashflow has a security nightmare it seems the company believes this site has libeled it and damaged its business. Software sales is a mucky business and you’re about to find out just how much.
Top bottom and sideways, Kashflow thinks I have libeled the company by saying (not exclusively – allegedly) that:
“Kashflow has no security once you get past the login front door”
“handed over the keys to the kingdom”
“created a security hole”
The company’s CEO requested that AccMan retract these statements suggesting in one email that I might phrase those statements as ‘misguided’ but in another he believes AccMan is malicious towards the company. Specifically that: “What I’d like to see is an appropriately titled new blog post, saying something like you misunderstood the technical side of the KashGuard integration, that you retract the comments that it creates any kind of security hole, that we’ve “handed over the keys” or any inappropriate levels of access to any third parties and the comment that we have no further security beyond the initial log in.” Hmmm…clearly Kashflow hasn’t read the things I’ve said about the Big Four, ICAEW, professionals in general and numerous software companies not excluding SAP, Oracle, Microsoft, Sage, IT Crunch and others
AccMan tried to engage with Kashflow as to the specifics without success, the conversation ending with the assertion from Kashflow: ‘You don’t get it.’ That’s unfortunate because while I don’t claim specific security expertise, I do rely on the opinions of those who are far better versed in these issues. To reiterate what I said at the time:
I called up FOUR developer organizations involved with saas just to check that what I thought was correct. Two laughed out loud, one said ‘weird’ another said ‘bizarre’ and one said: ‘Wow, this is freaking insane.’
For the sake of clarity, I spent hours on the phone making sure that what I was saying is correct – or at least perceptually so – an issue that Kashflow’s CEO acknowledged in this post to AccountingWeb.
What’s more curious though is that in the opening (and threatening) email to AccMan, the company’s CEO suggested that the only people who win are the lawyers so as long as AccMan prints a retraction the case would go no further. I suggested to Kashflow that its assertions put AccMan in an impossible position: acknowledge it is wrong but without providing any hard evidence beyond the words of Sunil from Freshbooks, a company that takes a different view and which acts as counterpoint in its own right and to which Kashflow’s CEO gave AccMan credit. Curious.
In a subsequent email AccMan offered Kashflow the opportunity to publish a guest post without condition as a response. Apart from libel considerations, I would be happy for the company to pose an alternative view. Given the different positions that makes a lot of sense and results in a fair outcome for all concerned. That’s what this blog is about – strong opinions, loosely held and with a right of reply. Kashflow seems to have refused that opportunity despite it would add weight to the Freshbooks position. It seems hells bent on AccMan taking a hit. Fine. If that’s what it wants. But then perhaps wiser people will think otherwise about other facts.
If you wish to claim libel then it helps that you come to court with clean hands. Kashflow’s CEO might struggle in that regard. He is after all a self confessed convicted drug dealer. Everyone deserves a second chance and Kashflow’s CEO is no different but how far does that stretch? Let’s parse a few facts:
According to the company’s website:
KashFlow has received two rounds of venture capital funding from their now chairman, Lord Young of Graffham. Lord Young is a former Secretary of State for Trade & Industry and ex Chairman of Cable and Wireless
That’s not necessarily correct. According to the Registrar of Companies, Lord Young is a minority registered shareholder at £40 out of £100 issued shares but there is no share premium account. Instead there is an ‘other creditors’ account to the tune of £93.000. One presumes that is Lord Young’s financial input but without further explanation that cannot be stated as fact.
Given the tenor of the company’s claim that it has received two rounds of venture capital funding from the chairman, Lord Young of Graffham and the supposition about borrowing then one has to ask whether the company is misrepresenting itself. Why would AccMan say that? Here’s a wikipedia definition of venture funding.
Venture capital investments are generally made as cash in exchange for shares in the invested company. It is typical for venture capital investors to identify and back companies in high technology industries such as biotechnology and ICT (information and communication technology).
Assuming you believe Wikipedia to be correct than according to the last filed accounts, Kashflow cannot make that claim.
According to the last accounts filed at Companies House Kashflow is technically insolvent to the tune of some £22,000. AccMan cannot provide direct conformation because of copyright restrictions but would instead direct readers to view the company’s record at Company’s House. That position could have changed in the time between the last filing and the date of this post but: given AccMan has talked about vendor viability as something any buyer need review, this is an issue over which potential buyers might wish to seek assurances.
AccMan has no issue with Lord Young but given he was cited as the person pushing for a libel charge in the CEO’s email, it is perhaps interesting that AccMan has received no email from either he or his lawyers on this issue. I assume that as a person with a long and distinguished career, Lord Young has better things with which to trouble his time. If not then I am happy to hear from Lord Young on this issue.
In earlier conversation, the company’s CEO claimed that Lord Young gives him more than his fair share of rope upon which to hang himself and that if it was any other investor he might find himself restrained from making certain statements. Either way I would be interested in Lord Young’s personal perspective on the CEO’s aggressive stance against what is after all a blog.
Then there is the question of Kashflow’s own issues: For example Sage took Kashflow to Trading Standards for claiming false statements. Forget the PR value of David v. Goliath: It seems Kashflow backed off from that position claiming:
A long-running spat between Kashflow and Sage has subsided, with an agreement by the SaaS vendor to remove pricing comparisons with Sage from its website. The resolution followed the intervention of Newcastle Trading Standards, which was contacted by Sage at the end of 2008
Then there is the feud between Kashflow and MYOB:
Duane Jackson, Managing Director of KashFlow is today speaking out about what he considers to be under-hand marketing tactics and threatening legal tactics by its much larger competitor and rival Mind Your Own Business (MYOB).
And then there is the issue about whether Kashflow is diligent in its selection of third party partners. AccMan’s original post on the topic was aimed at questioning the veracity of Kashflow passing access control to Atlas Computer Systems. A check on the Data Protection Act website reveals there is no recorded entry for that company. That’s not to say Atlas is not registered but then it is interesting that several of Kashflow’s API partners are not showing as registered on a search of that site. Including a payroll partner.
All of which leads me to believe that while Kashflow is trying hard to change the accounting game, it is less than solid in its approach to third parties. That’s a pity because despite the hubris, Kashflow has served as a beacon for the SME saas industry. Its perceptual appearance is perhaps best summed up in this email I received from a dis-interested person I contacted (and who I will identify if Kashflow decides to pursue this matter through the courts):
Let me get this straight:
- a company signs up for kashflow and can only generate superusers
- they then hand over one superuser to kashguard who in turn issues not-so-super-users
- users get to the application via kashguard
Which means
- kashguard has superuser access to ALL of kashflows customers
- all customer data and transactions now also flow through kashguards systems
Is that roughly correct?
If so, I wouln’t entrust any of them with my kids piggy banks.
Pure madness.
But then I might be wrong. As another said:
…as some of our indian developers would say, it “works as per design”.It’s not per se a security risk, more a functionality limitation that IMHGO makes the product useless for anything but a one person company.Now, allowing third party API access through that creates a new issue, namely that Kashgard now has the real power, and the customer completely hands over security management to them. It’s like giving your car keys to your 14 year old son and his partying friends
“If a reporter is giving you a hard time, is being unreasonable, you have my permission to tell them to go fuck themselves”
But then perhaps Kashflow’s CEO will enjoy being compared to Safra Catz. Either way I will be at SoftWorld filming those who are in attendance. Assuming Kashflow’s CEO is there, I’d love to capture him on video giving me a hard time.
PS – AccMan has more up its sleeve on this one….much more but it is perhaps best to let this one die down for the time being.
PPS – let’s get back to normal programming – much more interesting than a spat between a blogger and a software vendor. I’m sure we’ve all got better things with which to occupy our time.
