
July 10, 2007

Two For the Price of One: New Messenger Exploit and a New Way to Get It

Filed under: Yahoo! — tansqrx @ 3:02 pm

A new service run by WSLabi (http://www.wslabi.com/wabisabilabi/home.do?) touts itself as the new eBay for vulnerability researchers (http://www.securityfocus.com/brief/542?ref=rss). For many years there has been a battle between security researchers and software publishers over the price or value of an exploit. As a researcher myself I know how many countless hours go into finding and developing material that is useful in making an exploit. I could easily turn it into a full time job. I do it as a hobby, but what if someone wants to make it into a full time job? If you were only able to publish two or three really good exploits a year, then you would have to get a fairly large price for your labors.

WSLabi makes it possible to ask the highest bidding price for your exploits. It is apparent that this site may encounter legal issues, but these questions will have to be answered as this business model turns into a reality.

As a bonus to this story, one of the first exploits on the site is for a Yahoo! Messenger 8.1 vulnerability (ZD-00000005 – Yahoo! Messenger 8.1 remote buffer overflow). Very little information is given for the exploit, but from the description it appears to have something to do with the address book. The current asking price starts at 2000 Euros, which no one has taken yet. I am interested in seeing what this is, but 2000 Euros is a tad bit high for my curiosity. If anyone is interested in creating an office pool for this exploit, let me know. I am good for 50 Euros right now.

July 5, 2007

I Would Hope Yahoo! Would Get a Clue

Filed under: Yahoo! — tansqrx @ 3:03 pm

As a developer it is sometimes hard to know what your users want in your product or where they would like to see improvement. This is a problem that any supplier of goods has had since the invention of trade. The problem can be summed up like this: for every 1 complaint there are 10 other people out there who have the same problem and just didn’t say anything. For every 1 compliment there are 50 other people out there who feel the same way but just didn’t say anything.

I have to admit that I am the same way. How many times have you gone through your day and thought that a product manufacturer should fix a particular problem? Perhaps your cable TV signal is fuzzy on channel 3, your dryer would be much better off with three settings instead of just two, or you are very impressed with how well built your garage door is. You constantly have these thoughts running around your head but you never let anyone know about them (at least I do). Rare is the chance that a producer of goods has the opportunity to get some real and heartfelt feedback.

I know this from experience. After I released the initial iteration of Software X I was expecting to get all kinds of feedback. The software was not perfect and I knew it, but it was free to my customers and they wanted it, bugs and all. After about a week I was starting to get concerned. I was expecting to hear all types of bug reports, but nothing. I started poking at some of my more trusted users to get at the truth. Turns out they found many of the bugs within the first ten minutes and quickly worked around them. I asked why they didn’t say anything to me about them, and the standard response was they just didn’t have time, or they found a solution and decided the problem didn’t warrant enough hassle to tell anyone. Since this revelation I soon found that if someone did complain, I usually had a major problem on my hands and should act as soon as possible to correct it.

Now to the point of my rant. As many of you know, Yahoo! has a blog (http://blog.messenger.yahoo.com/blog/) posted for announcements and general feedback. As with many blog type applications, there is a section for reader comments. After reading the blog for several months I have seen that this service is an absolute gold mine for gauging what the community really thinks of Messenger. From what I can tell, this simple and “free” application is better than any budgeted and outsourced poll could ever be. It is the thoughts of the user delivered directly to the developers and programmers. I only wish I had this resource myself.

So what are the users saying? First, they are not very happy. Second, they want the chat rooms to be fixed and a Mac version released. In a distant third, they would like to see some of the random logoff problems fixed (this includes me) and the Vista version shipped.

It is well known that people go to the Internet to bitch. Go to any forum about a specific product and you are likely to see more negative comments than positive, just because people complain about what doesn’t work and don't praise what does. Unfortunately for Yahoo!, it doesn’t look like the ratio is very much in their favor. Even with the “I’m just here to bitch” crowd taken into account, it appears that 90-95% of the comments are negative. Even when there is a posting about something completely unrelated to the above mentioned problems, the comments section quickly turns into a competition to see which side can get their point across: chat room problems or the lack of a Mac client.

On the chat room front I think Yahoo! has dug themselves somewhat of a hole. In a previous post it was mentioned that the chat rooms would be fixed by May 15, 2007. They weren’t, and the mob has certainly taken note.

To wrap this up, I have to think Yahoo! actually has a good thing going for them in this blog. It really lets them know what their users think and where they should spend their time and money. All that is left is to listen and get some of these things in the works (for real this time). If you would like an entertaining read, you should look at some of the comments yourself. I always get a laugh out of them.
