Category Archives: General Observation

Cooking The Goose

Here is a fact you won’t see on any company’s forward looking statements: “Nearly half of Americans would have trouble finding $400 to pay for an emergency.”

If you are an owner or stockholder in any company, this should terrify you.

The entire premise of capitalism is based on a strong middle class capable of purchasing goods and services.

The facts are clear: the middle classes around the world are under severe pressure and, here in America, $400 away from disappearing completely.

Meanwhile, Big Business continues an all-out effort to get that last $400 as if nothing was wrong.

It’s no coincidence that Big Business ranks very low on Americans’ confidence scale while Small Business ranks very high:

We can argue all day about who is at fault, but that’s not going to change the outcome. The system is spiraling out of control; meanwhile, Big Business is allowed to pay legal bribes to politicians to make sure there are even fewer controls and even more tax breaks for them.

This unchecked system has allowed behemoths like Amazon and WalMart to monopolize vast portions of our economy, suffocating the goose that laid the golden egg. Enjoy it while you can, because the end is only $400 away.

GOPD Drops Software Ownership Claims

On April 15, 2016, Prop Solutions filed a Federal Copyright Complaint against GOPD and others claiming that Prop Solutions was the sole owner of software GOPD was distributing to independent office supply dealers.

On May 17, 2016, GOPD filed a Counterclaim asserting they were the sole owner of the software, or in the alternative, that GOPD was a joint owner in the software.

The case then entered the discovery phase where documents and testimony were produced.

On March 3, 2017, GOPD filed a Motion for Voluntary Dismissal of the May, 2016 counterclaims that GOPD owns all, or even some of the software.

GOPD has given up on trying to get a court to declare that GOPD owns all or even some of the software currently being distributed to independent office supply dealers.

Is buying from Amazon always a good deal?

My business monitors prices across the office, janitorial, food service, safety and industrial markets in the United States and Canada. Every week I review the rejects from the latest pricing scan of the Amazon site. Every week I encounter a fresh batch of wildly misrepresented, contradictorily described and confusingly packaged products on the Amazon site. These are not bizarre products, but everyday common supply type items.

The most common problem is the ever changing unit of sale. On some items, the quantity you receive for your selected item depends on the seller you choose. On other items, the quantity is just deceptively wrong and unless you bother to read the reviews you can get taken to the cleaners.

Poor Ms. Satterfield is blaming herself for Amazon’s misleading data. This is understandable considering the harsh consequences for daring to question Amazon. There have been multiple high profile stories regarding individuals being “banned for life” from Amazon for simply returning products. No one knows exactly what triggers this “lifelong ban” but the fear is real for those who feel they cannot live without Amazon. These ill-informed people continue to pour their hard earned money into the Amazon void.

Then there are just the out-and-out scams. Apple recently sued an Amazon supplier over fake iPhone chargers, claiming that 90% of the products Apple bought undercover were counterfeits. Apple goes on to say Amazon.COM directly sold counterfeit products.

It’s not just the obvious scams and phony Apple products either. Do you really believe you are getting a genuine top quality $400 HP toner for $25?

Don’t think that Amazon Business customers fare any better. The same data is shared between the two supposedly separate sites.

Regular office supplies can cost you an arm and a leg on Amazon Business! These “Amazon Prime” eraser caps list price at $1.25 and are commonly sold for a dollar or less. Amazon Business customers pay SEVEN TIMES this everyday price!

The poor Amazon customers have become so accustomed to getting ripped off, they now just accept it as “okay.”

Well it’s not okay. Getting taken is not inevitable. While Amazon may be suitable for some purchases and can offer some great deals, it’s the notion that *EVERYTHING* is a great deal on Amazon that can get you into serious trouble.

These are just a few examples of the hundreds of issues with Amazon data that I have personally found. These examples were taken from one day’s scan, and they only took a few minutes to find. If you are a business customer buying on Amazon, you have a choice. Waste time and money by constantly being on guard for fraud, scams, rip-offs and overcharging, or bypass the headaches and hassles and just choose to buy from a reputable source.

My name is Rick Marlette. I have worked in and around the office and supply industry for over 40 years and have been employed as an independent pricing consultant to the supply industry for the last 18 years.

All is NOT Well

ECI’s Andrew Morgan pretty much lost it over my Disaster in Dallas post. Now, he has changed the story from one of his original emails describing the incident shown below.

In Morgan’s latest story (here) I am of course uninformed by, and unconnected to, the ECI elites. I’m just mean ol’ Rick out to get the poor and defenseless ECI. This sounds familiar.

In case you forgot, this was the same excuse provided by Morgan and crew the last time I dared to criticize their pathetically transparent OPSA fraud. Rick just doesn’t understand. Rick is just a United mouthpiece. Rick does not have all the facts. Rick is a liar. Rick’s a meanie. Rick did not consult with us. Rick is not agreeing with us. And on and on. This pat-answer bravado from ECI can all be boiled down to: “We here at ECI are better and smarter than everyone else and are above all forms of criticism.”

While I may not be better or smarter than the ECI elites, I do know bullshit when I see it. The problem with these ECI spokesmodels is that they have become so encased in their own propaganda that they actually believe it themselves. So let’s have a look at what they have to say. You decide who is telling the truth.

In Morgan’s most recent story, (here) he states that a ransomware virus was detected on the DDMS hosted environment and traced back to a legitimate user.

In one of Morgan’s original stories (below), he states that “we are taking the DDMS hosted environment offline.” He goes on to tell DDMS customers, presumably all of them, that two days of orders “will likely need to be re-entered.”

One user, at one dealership, took the entire DDMS hosted environment offline resulting in the loss of two days of business. These are Morgan’s own words. Let that sink in for a minute.

Now, attempt to reconcile these statements with this bit of propaganda from Morgan’s latest spiel: “security and data protection is a top priority for ECI.” You can’t reconcile these two contradictory statements outside the ECI bubble. The event he so willfully describes is clearly a massive security failure caused by a catastrophic lack of priorities.

Was DDMS hacked like I said in my post? According to Morgan, yes it was. Was data compromised like I said in my post? Again, according to Morgan, yes it was.

Morgan wants to split hairs on this one issue claiming the hackers did not carry away your data so there was no data breach. But: “theft or loss of digital media” is the definition of Data Breach according to Wikipedia. In Morgan’s own words, there absolutely was a “loss of data.”

This is only what ECI is admitting so far: DDMS hosted was hacked, shut down, and there was a substantial data loss. What else happened? Who knows? We may never know. I do believe what the few dealers willing to talk about it have to say about the DDMS system. These are long time users of the DDMS system, not clueless presenters. Dealers, who by the way, are terrified of what Morgan will do to them and their businesses if he finds out they are talking to me. I have to be really careful. Morgan is obsessed with finding out who these dealers are. How dare they, after all.

This all confirms the broader point I made: “The ECI bankers only care about making money.” They don’t care about security and they don’t care about your business. You are just an asset to be stripped and flipped to the next banker in line. How many has it been now? Four or five? I lost count. A flip is due any day now, so keep that in mind.

Here is one of Morgan’s original stories regarding the incident:

Dear DDMS Customer,

We wanted to update you on the emergency maintenance being performed on the DDMS hosted environment this weekend.

As a recap of previous communications:

On Sunday we informed you that we were taking the DDMS hosted environment offline for emergency maintenance purposes. As part of our proactive monitoring procedures, ECi detected a potential security threat in one of our datacenters. ECi security and operations staff quickly responded and instituted emergency maintenance procedures to protect your data and ensure business continuity. Immediately upon discovering the potential issue, our IT staff isolated the case and at present we do not believe any dealer’s data within DDMS has been breached. ECi staff continues to work around the clock to resolve the issue.

At this point all systems have been restored and services are functioning.

If you encounter any issues with the hosted environment, please log onto the Support Portal or call Support and choose the option “Hosted”. For other inquiries, such as end-of-month or OPUS loads, please select the “DDMS” option on the Portal or when calling Support.

Due to the nature of the maintenance, orders placed on Saturday (5/28) and Sunday (5/29) will likely need to be re-entered. The ECi team will be proactively sending these reports to you to facilitate this process.

ECi is committed to supporting you and your business. We will continue to evaluate our policies, procedures and control mechanisms to ensure that your systems are safe and secure.

Sincerely,
Andrew Morgan
President, Distribution Division

All is Well

Below is ECI’s Andrew Morgan’s somewhat long winded response to the Disaster in Dallas post:

August 24, 2016

Dear Valued ECi Customers:

We are writing to set the record straight regarding the security and protection of our DDMS/DDMSPLUS hosted systems, your business management software and your data.  Please be assured that the security and protection of our dealers’ systems and their data is a top priority for ECi —thousands of dealers around the country trust us to protect their most valuable information, and this is not a task we take lightly.  ECi employs industry-standard best practices, tools and technologies to protect your valuable data and business systems and works diligently to try to stay one step ahead of those that seek to compromise our systems.

To provide some background, over the Memorial Day weekend, through ordinary event logging, ECi discovered a piece of unauthorized code on the DDMS hosted environment.  We traced this to activity by a legitimate user of the system who inadvertently spread a virus often referred to as “ransomware;” the code sought to block user access to certain files unless a “ransom” was paid.   In an abundance of caution, ECi’s IT Security team immediately initiated its security protocols, deactivated access to DDMS/DDMSPLUS, reset all data backups, ran security validations and worked around the clock to have the software up and running again in time for the opening of business Tuesday morning.  ECi also engaged a nationally recognized IT security firm to independently test the DDMS/DDMSPLUS hosted environment to assist in remediation.  We are happy to report that they concluded no data was breached as a result of this incident.

Recently, Rick Marlette of OP Software, LLC published a false and misleading article regarding the above incident. Marlette has made a habit of authoring defamatory articles in various media about ECi and his other enemies that we have largely chosen to ignore.  However, this article caught ECi’s attention because it was so replete with lies, misrepresentations, falsities and scare tactics that it might naturally cause angst among the dealer community and distract you from your business if it went unanswered.

First, don’t believe for a minute that Marlette is an unbiased “reporter” fighting for the welfare of the dealer community; he’s a typewriter bully with an axe to grind with ECi and his article is another self-serving attempt to damage ECi’s business.  Second, Marlette cites no sources in his article, provides no proof of any of the alleged activities, and seeks to capitalize on fear-mongering by offering conjecture, speculation and “what ifs” without any facts to back it up.  Third, he has not spoken with anyone on ECi’s leadership team regarding the incident to try to validate his claims.  His article refers to such things as “reports are starting to trickle in,” “it appears that …” and “I was told by a reputable source.”  If he really has credible sources to support his claims, why does he not cite any by name?

Marlette’s article also makes unsubstantiated claims about DDMSPLUS and PCI compliance, another subject about which he clearly lacks any credible knowledge.  DDMSPLUS utilizes a vault solution so that credit cards are not stored in the system nor does credit card data ever flow through the system.  By doing so, DDMSPLUS is purposely “out of scope” from a PA-DSS perspective and therefore allows dealers to be PCI Compliant.  PCI still requires dealers to meet the standards for PCI compliance regarding their own organization, but this is a typical solution that many software providers implement to ensure credit card security. It has been endorsed by numerous independent consultants that focus on PCI compliance and security.

We all know people like this and we fully expect that he will now try to engage ECi and our dealers with more lies upon being presented with the facts.  We want to be clear up front that this will be our only public response to this nonsense.  He has already wasted enough of the industry’s time with his calculated untruths.  We sincerely hope that if anyone wants the facts about data security and system integrity as it pertains to ECi’s software systems that they will contact ECi. Don’t get caught up in the fear-mongering of industry bloggers who seek to perpetuate lies and falsities about systems they know nothing about.

We have set up an email address – security@ecisolutions.com – to which you may submit any questions regarding your system’s security and our team will provide a prompt response.

Sincerely,

Andrew Morgan
President, Distribution
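As an added illustration, not ECi’s software and not a description of how DDMSPLUS is actually built, the Python sketch below shows the general shape of the “vault” approach Morgan’s letter refers to: the application that takes orders stores only a random token and the last four digits, and a separate vault component is the only thing that ever holds the card number, so a copy of the dealer’s order table contains nothing worth stealing from a card-data standpoint. The vault here is an in-memory stand-in for an external provider, the card number is a constructed Luhn-valid test value, and all class and function names are assumptions made for the example.

```python
import json
import secrets
from dataclasses import dataclass, asdict


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: catches mistyped card numbers before anything is stored.
    It is an input-validation check only, not a fraud or authorisation check."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Stand-in for the external vault provider (assumed component).

    It is the only place a PAN exists. In a real deployment it runs outside the
    dealer's network and hands the browser or card terminal a token, which is
    what keeps the dealer's own systems out of card-data scope."""

    def __init__(self):
        self._pans = {}   # token -> PAN; never exported

    def tokenize(self, pan: str):
        if not luhn_ok(pan):
            raise ValueError("invalid card number")
        # Random token: nothing about the PAN can be recovered from it.
        token = "tok_" + secrets.token_hex(16)
        self._pans[token] = pan
        return token, pan[-4:]

    def charge(self, token: str, amount_cents: int) -> dict:
        if token not in self._pans:
            raise KeyError("unknown token")
        # A real vault forwards the PAN to the card processor here; this
        # stand-in just returns a receipt and keeps the PAN to itself.
        return {"token": token, "amount_cents": amount_cents, "approved": True}


@dataclass
class Order:
    order_id: str
    customer: str
    amount_cents: int
    card_token: str
    card_last4: str


class DealerOrders:
    """The dealer-side application. It never receives a PAN, only the token
    and last four digits the vault already handed back to the customer."""

    def __init__(self, vault: TokenVault):
        self.vault = vault
        self.orders = {}

    def place_order(self, order_id, customer, amount_cents, card_token, card_last4):
        order = Order(order_id, customer, amount_cents, card_token, card_last4)
        self.orders[order_id] = order
        return order

    def settle(self, order_id: str) -> dict:
        o = self.orders[order_id]
        return self.vault.charge(o.card_token, o.amount_cents)


def record_exposes_pan(order: Order, pan: str) -> bool:
    """What a copy of the dealer's order table would reveal: does the stored
    record contain the card number anywhere?"""
    return pan in json.dumps(asdict(order))


if __name__ == "__main__":
    TEST_PAN = "4111111111111111"            # constructed test number, Luhn-valid
    vault = TokenVault()
    token, last4 = vault.tokenize(TEST_PAN)  # happens on the vault side, not the dealer's
    dealer = DealerOrders(vault)
    order = dealer.place_order("A1001", "Acme Dental", 1999, token, last4)
    print("stored record:", asdict(order))
    print("PAN in dealer record:", record_exposes_pan(order, TEST_PAN))
    print("settlement:", dealer.settle("A1001"))
```

The point the letter makes, and the thing worth checking in any such product, is the boundary: if the order-taking application can ever be handed the full card number, even transiently, it is back in scope regardless of what the vault does.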

Disaster in Dallas

Well it happened. Reports are starting to trickle in regarding the extent of the ECI hacking earlier this year. It appears the hackers got everything, credit cards included. We know for certain that DDMS cloud based systems got hacked, and you can bet that was not all.

I’m going to believe what I was told by a reputable source that DDMS is not PCI compliant. I’m also going to believe that ECI’s stunning answer to this problem was to convert to DDMS Plus, which they claim is PCI compliant. They failed to mention that, along with a multitude of other deficiencies, DDMS Plus will not even take credit cards.

So what does this mean to the typical cloud based DDMS dealer? Here is a warning from one of the many websites dedicated to PCI compliance about what can happen if you get hacked and are not PCI compliant:

Should you experience a breach and fail to prove your continued compliance with the PCI standard you will be forced to cover chargebacks, have your ability to process credit cards suspended, and escalation into a higher compliance tier, and tens of thousands in annual compliance auditing costs.

Now the question has to be what else did they get? Is your raw sales data already out there on the Darknet? Your customer name, every item they bought and the price, for how many years now? Do the hackers know the value of what they have?

My Analyst was the invention of Wilbur Reid who, after promising dealers the moon and stars, left SPR in disgrace when the inept SPR IT department could not hold it together. Then, in yet another stroke of brilliance, SPR dumped My Analyst, the dealers and all that confidential business data on the evil empire that is ECI. There you go dealers, the bankers will take care of you.

Well guess what? The bankers took care of themselves and the dealers are left holding the bag. Does this sound familiar? What started as an SPR scam to increase their profits may end up putting hundreds if not thousands of dealers out of business. Think Mason with ALL your sales history data and you’ll see what I mean.

Let’s not forget that your cost is in there too. So now your competition knows exactly where to strike, exactly where your vulnerabilities are. This takes the reckless disregard of confidential business data to an unprecedented level.

I’m going to go look on the Darknet for your data. I’ll let you know what I find. Understand that if I do find it, there is nothing I can do to keep others from getting their hands on it. Frankly, as valuable as this data will be to your competitors, and the fact that it could very well cost you your business, it’s hard to place all the blame on SPR and ECI.

SP Richards DataGate, The Trojan Horse

Recent filings in the SP Richards’ (NYSE:GPC) DataGate Federal lawsuit have detailed what any hacker or security expert would call a Trojan horse. In computing, a Trojan horse, or Trojan, is any malicious computer program which is used to hack into a computer by misleading users of its true intent.

Many dealers do not understand or appreciate the significance of data theft and how it has skyrocketed into a multi-billion dollar criminal enterprise. All of today’s professional hackers are after your data, including purchase history (buying habits). Even just your name and address are valuable to hackers and can be devastating in the wrong hands. All the security experts agree: always shred anything with your name on it.

So what about your business data? Do you protect your customers’ data? Do you protect it like your business depended on it?

The top criminal hackers aren’t generally interested in personal info on 1,000 companies or individuals. These professional hackers are after tens of thousands or hundreds of thousands of records. Allowing your sensitive business data to be uploaded to a central depository is putting a big red bow on it and saying, “Here it is hackers, come and get it.”

And that may have already happened earlier this year when ECI was hacked. You didn’t hear much about it, you never do. Of course they claimed nothing was compromised. The truth is that it is usually impossible to tell exactly what happened, what the hackers got, and what data was compromised until it shows up for sale on the Dark Net.

If you think ECI is going to protect you, better think again. Hackers have successfully penetrated some of the most sophisticated networks on the planet. ECI is child’s play to these professional criminals. Let’s also not forget that ECI is owned by bankers and has been for a very long time. Bankers don’t make software, bankers make money.

Who do you think is going to be held liable when that big customer of yours finds their data has been compromised and traces it back to you? It’s not hard to trace the source of data breaches any more. Many companies and individuals, including myself, are starting to add traceable identifiers to any personal or company contact info provided to others. This lets us know when our data has been compromised and by whom.
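An added example, written for this page and not code from the post, of the traceable-identifier practice just described: every third party that receives your contact details gets its own e-mail alias whose tag is an HMAC of the recipient’s name under a secret key. When an address later turns up in spam or in a breach dump, recomputing the tags tells you which recipient it was issued to, and because the tag is keyed, nobody without the key can forge an alias that points the finger at someone else. The key, the party names, the domain and the sample dump lines are all constructed for the example; the function names are assumptions.

```python
import hashlib
import hmac
import re

# Constructed placeholder key; the real one must never sit in the same
# system as the addresses it tags.
SECRET_KEY = b"replace-with-a-long-random-secret"


def tag_for(party: str, key: bytes = SECRET_KEY) -> str:
    """Short keyed tag for a recipient. Keyed (HMAC) rather than a plain hash so
    that someone who learns the scheme still cannot compute or forge tags."""
    return hmac.new(key, party.strip().lower().encode(), hashlib.sha256).hexdigest()[:8]


def tagged_email(local: str, domain: str, party: str) -> str:
    """Per-recipient alias using the '+' sub-addressing most mail systems support."""
    return f"{local}+{tag_for(party)}@{domain}"


def issue_alias(ledger: dict, local: str, domain: str, party: str, issued: str) -> str:
    """Record which alias went to whom and when (ISO date), so a later hit is dated too."""
    alias = tagged_email(local, domain, party)
    ledger[alias] = {"party": party, "issued": issued}
    return alias


ALIAS_RE = re.compile(r"^([^+@]+)\+([0-9a-f]{8})@([^@\s]+)$")


def attribute(address: str, parties):
    """Given an address seen in the wild, return the recipient whose tag it
    carries, or None if it is untagged or matches nobody we issued to."""
    m = ALIAS_RE.match(address.strip().lower())
    if not m:
        return None
    tag = m.group(2)
    for party in parties:
        if hmac.compare_digest(tag, tag_for(party)):
            return party
    return None


EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")


def scan_dump(lines, parties):
    """Scan text (a spam message, a breach dump) for our aliases; return
    (line_number, address, party) for each attributable hit."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for addr in EMAIL_RE.findall(line):
            party = attribute(addr, parties)
            if party:
                hits.append((n, addr.lower(), party))
    return hits


PARTIES = ["Vendor One", "Vendor Two", "Trade Show List"]

# Constructed sample of text we might later find circulating.
SAMPLE_DUMP = [
    "rick@example.com, plain address, cannot be attributed",
    "someone@else.org appears too but is not ours",
    f"contact: {tagged_email('rick', 'example.com', 'Vendor Two')} sent 2016-08-01",
]

if __name__ == "__main__":
    ledger = {}
    for p in PARTIES:
        print("issued", issue_alias(ledger, "rick", "example.com", p, "2016-01-15"), "to", p)
    for n, addr, party in scan_dump(SAMPLE_DUMP, PARTIES):
        print(f"line {n}: {addr} traces back to {party!r} (issued {ledger[addr]['issued']})")
```

The same idea extends to postal details (a distinct suite number or spelling variant per recipient) and to seeded records in a customer list, but an e-mail alias is the cheapest to issue and the easiest to spot when it comes back.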

The reason? Proving someone has been careless with your data, especially when they lie about it, is worth a lot of money. Home Depot has settled their data breach for $13 million. It cost Target $39 million. And the list goes on. AvMed, $3.1 million. Stanford, $4.1 million. Sony, $15 million. LinkedIn, $1.25 million. Everyone is taking data security seriously today, and those that don’t are going to pay big time.

Whatever you do, don’t lie to your customers about it. Never tell customers you don’t share their data with third parties if you participate in one of these ECI/SPR data schemes. Because you ARE sharing sensitive customer data with third parties, and with NO restrictions – read the contract. If you lie and claim you don’t share sensitive customer data, when in fact you do, you can be held doubly liable when it all goes bad.

Don’t make the mistake of assuming that purchase history data is somehow exempt and not considered sensitive data. Of course it is sensitive data! Advertisers will pay top dollar for your buying habits so they can bombard you with targeted ads. This is considered by most as an invasion of privacy. Deliberately exposing your customers to this invasion without their permission is asking for trouble.

Then there is the competitive disadvantage of sharing your customer’s data. Would you approach your rival’s biggest customer, perhaps a bank or healthcare provider that would be especially sensitive to data security? Would you make it known to this large customer that their current supplier is exposing them to exploitation by providing their complete and detailed purchase history, unrestricted, to third parties? Would you also let this large customer know that their current supplier has likely lied to them regarding this data sharing?

What about government agencies? Do you have any government business? Do your government customers know you are sharing their buying habits and perhaps other sensitive data, unrestricted, with third parties? This one I would be especially worried about. Depending on the agency and terms, you could face hefty fines and even criminal charges if they find out you are not protecting their data.

Don’t buy the excuse that “we only sell your data aggregated.” While that could be true, you on the other hand, as the dealer, are providing complete details on ALL your customers’ purchase history to a third party without restrictions. Just because they say they aren’t selling your complete customer lists and detailed purchase history doesn’t change the fact that they have it. It also doesn’t change the fact that when that third party gets compromised, you will be the one held liable for the mishandling of your customers’ sensitive data.

While I understand that there is a value to some of the services being offered in exchange for your data, is the potential harm worth the value? This is the whole point of a Trojan horse. It’s pretty to look at, but inside is a deadly payload designed solely for the benefit of the hacker.