Auction Software Security Evaluation For Exploits


thehoodedcoder
10-19-2013, 08:30 AM
I got into a very particular conversation about max bids with SimpleAuctionSite and how they protect the auction houses from seeing or obtaining the max bids. The answers I got back didn't leave me warm and fuzzy. They were standoffish even as I repeatedly said I would be interested in helping ensure that no one could exploit their software, should something come up.

I can understand the hesitation but I was not asking for much, only a high level explanation of how they do it and I could not even get that.

I liken the request to that of online poker sites publishing their shuffling algorithm. If you are proud of it, and it's better than anyone else's, show it off and explain why it's better and more safe, and give some confidence behind it.

As a security analyst, if someone uses their software I would be interested in evaluating that to determine if someone could unethically circumvent the system and obtain max bid information, then publishing the results of that, and then HELPING them get the problem fixed.

It would be helpful if I could simply see what is provided to the auction house for administration of their auction (what code might have exploits in it) and how the software is implemented into the company's website, so I can see what database exposure there is to data tables they might not be allowed to see.

Additionally, something that no one else seems to mention (NOW KEEP IN MIND I AM NOT SAYING THAT THIS IS HAPPENING IN ANY CAPACITY) is that since companies such as this take a percentage of auctions, there is motive there to shill up their auction houses' bids. Theoretically it is possible that this can occur, so it cannot be excluded from the thought process.

I am not limiting myself to SimpleAuctionSite and I'm not singling them out, although they do appear to be the biggest? Or am I wrong about that?

I would be interested in evaluating any software an auction house uses. If you run auction software and would let me take a peek that would be appreciated. Contact me via email please.

Kevin

ullmandds
10-19-2013, 08:35 AM
Go Kevin!!!!!

atx840
10-19-2013, 10:23 AM
Kevin, I didn't get a chance to ask this during the National dinner when they were presenting, but I'm wondering if the database(s) for the auction listings, client information and, most importantly, the bidding activity are stored on Simple's servers, or can the software be hosted privately? Who owns the DBs & data?

Are AHs provided with the option to export data or take a backup and save it locally? Having admin access to these DBs wouldn't take long to see our max bids.

thehoodedcoder
10-19-2013, 11:57 AM
That was the exact question I asked and was most curious of.

At first he said "you own the database and we own the code". That is a direct verbatim quote from a phone conversation.

He later changed that and said he didn't say that, so it's open for debate or not. Knowing how the software is architected will answer that.

I firmly believe he does not remember saying that, as he was a little huffed about the fact I thought the price was high and did not think how much or how frequently I use it, or how much money I make from the software, should dictate my pricing model.

We later debated that via email.

How it's designed makes all of the difference. Any takers?

Kevin

ullmandds
10-19-2013, 11:58 AM
I'm a computer retard!

brob28
10-19-2013, 12:08 PM
> I'm a computer retard!

I'm in the boat right next to Peter so if this next question is ignorant please help me understand why.
Could they be reluctant to give this type of information out for fear that it could then be used to hack or somehow exploit the software by bidders or others?

steve B
10-19-2013, 02:55 PM
> I'm in the boat right next to Peter so if this next question is ignorant please help me understand why.
> Could they be reluctant to give this type of information out for fear that it could then be used to hack or somehow exploit the software by bidders or others?

Possibly.

The cost of writing it might have been fairly high, and/or they may consider their software to be a trade secret of sorts.

Hardly anyone will easily give up the source code. To the point that most license agreements (that long thing you check off as agreeing to when installing software) expressly forbid accessing it in any way.
And I think many of the larger companies consider removing source code from the company system or premises to be a firing offense.

It's compiled, which means put in a form the computer can use that wouldn't make any sense to nearly anyone. It can be decompiled to get back to the original program, which is what they forbid. I've been told it's not necessarily easy, but possible.

I could be wrong about any of that, but I think I've got it right in a general sense.

Steve B