A Product Journey

Product Direction
UXDX USA 2022

Creating multiple startups, getting acquired, working in large corporates and back to the startup world, Feross has done it all. In this fireside we will discuss Feross' career from a product development perspective including:
1. StudyNotes - getting started in high school
2. PeerCDN and the Yahoo acquisition
3. Moving into the Open Source world
5. Socket and the VC approach

Rory Madden
This is going to be just a bit of an exploration, because we've just been chatting outside and the history of your experiences in product is fascinating, but coming at it from more of a dev side. So, I'm not sure if people out there know Feross, but you will, over the next 30 minutes or so, learn a bit about his life story. So, we're going to start, actually, when you were back in school and you went viral. So, can you just tell me a bit about that?

Feross Aboukhadijeh
Yes, sure. It's the first time I realized the power of the internet, really. So, it's a cool experience to have had in college. Basically, what happened was, there was this product announcement from Google. This was back in 2010. They called it Google Instant. And the idea was, when you are doing your searches on Google, instead of just getting the little auto complete box that comes down, what if instead, you could get the actual search results page?

So, as you type each letter, the search results show up. And so, they hyped this announcement really big, immediately made a big deal out of it, but apparently it took two years of engineering work for them to improve their back-end servers to handle the additional queries. And they announced it with a lot of fanfare. And I saw it, I thought, this is cool. But what if you could do it for videos?

So, then I found myself in this weird situation where the media started writing about, this is the future of the resume, this is how people are going to get jobs in the future. And it became part of this media storm, and everyone loved the story of the bet. And so, I had this wild experience of building something in a few hours and seeing the internet think it's really cool, especially because it took such a short time and Google said everything took two years. And they didn't understand it was just 100 lines of JavaScript. It was just calling the YouTube API; like, I didn't do any work, really. But yes, that was.

Rory Madden
Excellent, but you mentioned it wasn't all rosy, Hacker News is infamous for not being kind. So, what happened there and what were people saying?

Feross Aboukhadijeh
So actually, in this instance, they were pretty kind. The one thing that did happen was, a commenter showed up and said, Hey, I've actually been building a similar concept and I've been working on it for a few months. In fact, my concept for this has a lot more features. It has filtering options, and it has a whole bunch of preferences you can set in the product.

And they seemed a little disappointed that their product didn't get the same attention that the couple-of-hours product that I built got. And so, I read the thread there, and one of the commenters replied to that person and said, well, this is the power of shipping. And he shipped and you didn't. It's a harsh thing to say, but it's true. I mean, I put it out there, I posted the link, even though it was a much worse product than this other person's thing.

It was out there first, and I just think that taught me that there's a big difference between the thing being finished and being out there, and being in this indeterminate state where you're tinkering on it for a long time and you never get it over the finish line and put it out there. That's when all the benefits can come from building something.

Rory Madden
Yes, I think that's a brilliant illustration. Everybody always wants to wait until it's finished. You always want to add the extra feature, add the extra thing. So, it shows that you can get benefits from going ahead. You did mention, though, that you got this offer from YouTube; where were you working at the time?

Feross Aboukhadijeh
So, I was a sophomore in college, and I had an internship, a pretty cool internship, at Facebook. At the time, this was back in 2010. So, it was year five of Facebook. So, it was still a pretty exciting time to be there. I got put onto the Facebook Groups team, and at the time, I remember thinking, oh, that's a bummer.

I don't want to be on this team, because at the time, Groups was this pretty silly product where, basically, people joined groups in order to get a little message to show up on their profile. So, a lot of the groups were things like, "I step on crunchy-looking leaves when I see them on the sidewalk." They join that group so you could see that, or they would join "This pickle get more fans than Justin Bieber" and just these joke things. No one was using them for actual communication. And I got put on a team, and I'm like, oh, this is going to be a bummer. But it turned out that summer, the priority of the company was to make a new version of Groups that people would use to actually talk to each other. And it was a team of five people: a designer, an engineering manager, and a PM, and then two or three full-time engineers, and two interns.

And I was one of the interns, so it was actually one of the best experiences, probably the best job I've ever had, and it was an internship, because it was the priority. So, the CEO, Mark Zuckerberg, would come into the room, like, every... into our little office and talk to us. We talked about the product all the time. And I felt, even as an intern, I was this member of the team and got to contribute ideas, and it was pretty awesome.

But I got in a little trouble with the YouTube thing, because I was starstruck by this job offer from the YouTube CEO at the time. I said, oh, yes, I'll join. Yes, that's awesome. I can just leave school. It'll be great.

And then my manager at Facebook called me into the room and was like, you can't talk to the media. We have this hiring war with Google and you can't be doing this. You're going to lose us. The people are going to choose to work there. And even though you're an intern, you can't be doing this. And I had a little bit of a lesson about just, when you talk to the media, you've got to be a little careful.

Rory Madden
Excellent. So, you didn't drop out of school, though; you ended up finishing.

Feross Aboukhadijeh
Changed my mind, yes. I said yes, and I said no, a few days later, and decided that I should probably finish my classes. And the job would still be waiting there, if I wanted it later.

Rory Madden
And after college though, you went down the entrepreneurial route and started up. So, can you talk about your first company?

Feross Aboukhadijeh
So, after finishing school, I guess the thing that always interests me is looking at how you can combine things in non-obvious ways. So, I think I was looking through the list of new features coming to the web platform, so, what new APIs are browsers getting in the next few years? And I was trying to look through that to get ideas for what types of apps you would be able to build with these APIs, and what new product experiences those APIs would enable.

I stumbled upon the WebRTC API. And for those who don't know, WebRTC is the API that lets you do real-time communications. So, you can do video chat, voice chat, and also, just generally, you can do peer-to-peer communications directly between people's browsers.

And I had this idea: what if you could build a content delivery network, a CDN, but instead of it being based off hundreds of servers and all these different points of presence all across the world, and being very expensive to build, what if we just turned everyone's browser into a point of presence, or into a CDN?

So, if I watch a YouTube video, and my computer's already downloaded that video, why don't I serve that video to the next visitor who's coming along? Especially if they're in my city, they're geographically near me, or maybe they're even on my same network at school or at home. It would be a lot faster and cheaper than getting it from the CDN data center. That was the idea.

Rory Madden
So, you have the idea. It sounds good. So, how did you approach it? I guess, from a product perspective, what was your angle? Did you go down the customer validation route? What did you do?

Feross Aboukhadijeh
We didn't know what we were doing. I mean, I didn't know anything about how to run a company or how to do---

Rory Madden
Just fresh out of college.

Feross Aboukhadijeh
--- Yes, I was just going for it, right, and hoping for the best. We just started building it, dove right into the technology part of it. Didn't really think, didn't really do any of the customer conversations or the necessary groundwork to determine if this is actually something that people would want. And we spent a bunch of time just building it.

And I remember thinking at the time, of the two of us, because it was two of us at the time building it, if anyone's going to talk to customers and validate this idea, or do some sales, or make sure we're building there, I think it should be me, probably, because I was a little bit more of the outgoing one. But I didn't want to do it.

Every morning I woke up, I was just like, I could code and close GitHub issues, or I can go talk to customers and get rejected and have all these awkward conversations. And I just chose to code every day for the entire year we were building it, and then that obviously didn't go very well.

Rory Madden
So, we had a conversation earlier, in one of the forums, about the role of the Product Manager, and somebody was saying, what do you do with the developers who just don't want to talk to the customers? They just want to code back-end stuff.

Feross Aboukhadijeh
So that was awesome.

Rory Madden
So, how did it go? Did you get customers? What happened with that company?

Feross Aboukhadijeh
So, we made a video announcing the product and how it worked. And that was basically just me doing a screencast of how it worked. Posted it to Hacker News. Developers thought it was a neat idea. So, we had, I think, 1000 people put it on their blogs and on their personal sites, just to try it out. And the thing is that those weren't really the real win use cases for it. We needed---

Rory Madden
High traffic.

Feross Aboukhadijeh
--- Yes, we needed YouTube or somebody to sign up, and yes, we just didn't get any paying customers from it.

Rory Madden
Just out of... I know it's probably delving a little bit into the too technical. In university, we were researching peer-to-peer phone metrics, and mathematically, they said, in high-congestion areas it can't work, because every node gets overwhelmed. Did you have that problem, where you never got enough traffic to validate it?

Feross Aboukhadijeh
We never really got enough traffic to validate, yes. And also, it worked only in Chrome and Firefox at the time. And so, it was, I think, at the time, less than half of the... around half the browsers. And Chrome and Firefox couldn't talk to each other either, because this was really early days of WebRTC. So yes, the whole thing was a little too early.

Rory Madden
So, with that, and with the current climate, you ended up getting acquired. You didn't have customer’s products. How did you get acquired?

Feross Aboukhadijeh
So, the timing, it's just luck, honestly. So, Yahoo at the time had a new CEO, Marissa Mayer. She joined Yahoo to try and help turn it around. Her plan was to try to inject new energy, startup energy, into the company. And so, she decided to go on this acquisition spree, basically, during that time, and we were lucky enough to be one of the--- I think she was acquiring a company every week during the first year that she joined. And we were just three people at the time and it was more of---

Rory Madden
This aligned with the strategy that Yahoo were doing?

Feross Aboukhadijeh
--- Yes, video was one of their big strategies. One of their big things they wanted to focus on, which is really unfortunate, by the way, because they had this thing called Yahoo video before, and the previous CEO actually decided to axe it. And it was the number two video site on the internet after YouTube. And they decided that it was user generated content. So, how could you ever make a business out of that?

So, they shut it down, deleted all the content. And then they were like, oh, we need to do video, let's build a new video site. And it's... anyway. So, we were basically interesting to them because we had done a lot of the JavaScript video player stuff with PeerCDN, and they were like, oh, these folks will be able to help us make a really fast video player, and modernize it so that it works better on mobile and that thing. At the time their mobile player was particularly, 19 seconds to just show the play button on 3G. So, it needed to be basically rewritten with mobile assumptions in mind. And that was what we were hired to do, basically.

Rory Madden
So, you mentioned Facebook was the best job you've ever had. So, I'm assuming then this doesn't count as the best one. So, how did your time at Yahoo go?

Feross Aboukhadijeh
So, there're actually a lot of talented people at Yahoo, a lot of good people. But I think what happened was, some of the benefit of the startup energy that they were trying to do by bringing in these startups got diluted, because the team that we joined was, like, 20 or 30 people already. And we were three people. And so, we had all these ideas of how to change things, and we kept running into organizational resistance.

So, as an example, we wanted to use a new JavaScript tool to build our video player. And the reason why I wanted to use it was because it would let us build a really lightweight player, but they were insisting on using their Yahoo proprietary thing. So, there's just this--- if you actually want to accomplish the goal of making this player fast, we need to actually change the tooling. That's one of the requirements.

And then you run into, basically--- we got subsumed by their culture rather than being able to change it as much as we were, like, hoping to, I think. And also very young; like, we would probably--- I don't know, I had a little bit of, like, maybe there's a reason they're doing things the way they're doing them. And who am I to---

Rory Madden
Try to ask a question.

Feross Aboukhadijeh
--- didn't change things too much. So yes, and I mean, there were a lot of interesting product things I observed while there. One really great story was, the video player at the time, right before we joined, had too many buttons on it. It was really complicated. It had, like, these... very confusing to use.

And the mandate that came from Marissa was like, let's simplify it. They told the PMs, basically, you can put two buttons on the player. That's it, two buttons. Don't show me anything that has more than two buttons, because it's too confusing and too complicated.

And so, they took that directive and went back to the drawing board. And they're like, ok, what two buttons can we put on the player? So obviously, you need a play button right in the middle. And then they're like, let's have another button with everything in it. So, you hit that button and then open up everything. And then you get all the buttons under that menu.

Rory Madden
Was there a different Product Manager for each of them, insisting that they got in there?

Feross Aboukhadijeh
I think there were definitely people fighting to have their button, their button outside, so that people would actually find it. But I think they took that a little too literally, because that's actually the player that they shipped; it was literally two buttons. And I remember, I wasn't a PM, I was an engineer, but I care a lot about the product side of things.

So, I was hassling the PM and saying, can we put the full screen button at least on the outside, because I know, without any data, I just know that's the button that a lot of people are looking to find. Especially when it's embedded in a little article and it's a little tiny player, the only button you want is to just make it so you can actually see the video. And they finally instrumented it.

And then they found that the full screen button was only being clicked on 1% of the time. And they're like, oh, it's fine that it's in there. But I was like, no, it's because it's in there that it's only getting clicked on 1% of the time. If you move it to the outside, it'll get clicked on more, and people won't be frustrated. And it was totally just intuition. I didn't have any data, but then we finally did an A/B test and moved it to the outside. And then it got clicked on 14% of the time. And then I was like, yes, obviously.

Rory Madden
Did you cycle through every button?

Feross Aboukhadijeh
Just a full screen, yes.

Rory Madden
Cool. So, you built your company, what was the timeframe from when you set up a company to getting acquired?

Feross Aboukhadijeh
It was, I think, like eight months from beginning to end. So, we got well, yes, it was pretty fast.

Rory Madden
And did you have a functioning product at that point? Were you able to bring your code into Yahoo, or were they basically saying, no, you just have to use our tools?

Feross Aboukhadijeh
So, yes, at first, I thought they were going to use the technology, but then it turned out that they had bigger product problems that they needed to fix first. I mean, our tech would have potentially made the videos faster and reduced CDN costs and stuff like that. But that wasn't even, like, the first problem they were trying to solve. They had, like, a ton of more important problems, such as getting people to even care and visit the site in the first place. Yes, so they would have been wrong to focus any engineering effort on cost reduction. Yes, so it didn't really go anywhere.

Rory Madden
So how long did you spend at Yahoo working on the video?

Feross Aboukhadijeh
So, I spent a year total. The first six months was basically working on the video player. And then towards the end, I worked on--- I was trying to get more into the product side of things, actually. So, there was a Hackathon. They did a company-wide Hackathon. And I had an idea for a product and I built it at the Hackathon, and then presented it to the company.

So, Yahoo had just acquired the rights to all the Vevo videos, the Vevo music video content. So, they were one of two sites on the Internet that was allowed to show Vevo content in their own video player; it was YouTube, and then Yahoo had the rights. And they were planning to just put them into a section on their new video site.

So, there's, like, a tab for music videos. And I remember thinking, well, that is no different than YouTube. And everyone already knows about YouTube. So, what's the actual draw here that's going to differentiate it from YouTube? So, I had an idea for a music-video-based music player.

So, whenever you play a song, it plays the video in the background. And then when it's full screen, it takes up your whole browser, and the UI's on top of the video, hovering over it with transparency so you can see the video behind it. And you can dismiss the UI and see the video if you want to full-screen it.

And then the other highlight feature of it... I don't know who here has seen VH1 Pop Up Video, does anyone remember that? Yes, ok. So, this is a thing where, while you're watching the music video on MTV, they would... on VH1, they would put these little pop-ups, little factoids that would show up and annotate the song and tell you inside facts about how the music video was made, or mistakes that were made during filming, or just the things that the true diehard fans wanted to know about. And I found a song fact database and then integrated that in, and came up with this cool thing and demoed it at the Hackathon. And it won the popular vote. So, I tried to turn that into a product. But it wasn't too successful getting it out the door while I was there.

Rory Madden
Ok, so, you did then, after six months of that, I guess, you decided that was enough. What was the next or, why I guess and then?

Feross Aboukhadijeh
I got, basically, I got frustrated with the process of getting the product out the door there. All the reviews, all the different things. I was just fired up and ready to go and didn't understand the process, and didn't want to learn the process, and was just too young, I think, or too mature. I don't know, you couldn't figure it out.

So yes, it died before being released. And that frustration led me to just be like, all right, I'm done working at companies. I just want to go off on my own and do, you know, projects that are fun and that I think should exist.

Rory Madden
So, back to the PeerCDN approach.

Feross Aboukhadijeh
Yes, so, I left, and basically what I did was, I took the PeerCDN concept and I made an open source project. I wanted that idea to see the light of day. So, it turned into this thing called WebTorrent, which is basically BitTorrent in your browser. So, you can watch videos and do, basically, a peer-to-peer network made up of all the browser users.

Rory Madden
Why did you decide to open source it? Why not do another PeerCDN type of thing and turn this into a product? I guess open source is a product, but a commercial product.

Feross Aboukhadijeh
I think I just thought it would be more successful as an open source project. Like, certain things are better executed as open source. For example, most people, most companies and organizations wouldn't want to use a programming language that wasn't open source.

If you think about it, like, there's been no successful commercial programming languages, and there's other examples of this too. I think text editors... maybe that's a bad example, because there's some. With a torrent, or with a peer-to-peer network, it just felt like maybe this should just be a community thing. And it would be more successful than doing it as a company, and it just felt right to do it that way.

Rory Madden
Did you meet? There's quite a passionate open source community around, I guess, The DAT Project, The Beaker Browser, WebTorrent, all these things. So, was that part of the appeal as well, that philosophy of the code being free?

Feross Aboukhadijeh
Yes, I just always thought it would be fun to become part of the open source world and to be one of those, like, magicians that make the libraries that power all of our software. And it always seemed like something that, I don't know, you couldn't do, like it was... I always used people's open source libraries, but I never thought I could be the person making the libraries. And I always thought that would be something that would be fun to try one day. And then yes, that was the opportunity that I took to do that.

Rory Madden
And you got hooked.

Feross Aboukhadijeh
Yes, I got hooked, yes.

Rory Madden
So were you working at this time or, were you just full time coding on these open source projects?

Feross Aboukhadijeh
Full time coding on open source projects, yes. I just lived frugally. Had a little bit of savings from having worked at Yahoo. And then I did this thing where I would basically go around to--- I want to go to Europe, ok, what conferences are there? And then I would go and talk about WebTorrent or whatever open source project at the conference. And there was a little community of JavaScript people who were building these libraries at the time. And it turns out, if you don't have a job, then whenever some conference asks you to come, you always have a completely open calendar.

So, you can just say yes, and you can have this cool time just going around and finding where you're going to be. So, I did that for, like, a year or two and met a lot of cool people, and just became really ingrained in the open source world.

Rory Madden
So WebTorrent is one of your big projects. What are some of the other ones?

Feross Aboukhadijeh
So, while building WebTorrent, one of the most annoying aspects as an open source maintainer was getting pull requests from contributors who were well-meaning and trying to help, but they didn't follow the code style standards for the project. They would just come in and we have a very controversial coding... I have a very controversial coding style, where I don't put semicolons at the end of my lines in JavaScript. So, yes, it's bold. But yes.

So basically, people would come in and they would use semicolons, and that was obviously unacceptable. We can't accept that code. They're optional in JavaScript. You should remove your semicolons. Delete them all. No, but seriously, it's important for people... the code should look like it's written by one person, even though it's written by many people.

One problem was that WebTorrent was actually split up into a bunch of separate open source packages, as one does in JavaScript land. There's often 1000s of these dependencies. So anyway, we had a few dozen, and I didn't want to duplicate that configuration across every project. So, I wrapped it up into its own package called Standard and made every WebTorrent dependency use Standard.

And I called it Standard as a joke, actually, because it was, like, my personal coding style. But I was like, what's the most hilarious name I could give this that would be amusing to me, to watch people's reactions? And I was like, I'll call it JavaScript Standard Style, because it's my style guide, right. So, I named it that as a joke. And then people liked it. So, even though it was... here's what ended up happening, right?

That's the standard of how, you know, when you're reading a code base, it should appear as if a single mind authored it. If that's the goal, that's the standard, I think. So anyway, there're linting tools out there for this, and I made a linter configuration and added it to the project. But then that helped a lot, because then people could test their code before submitting it. But

So, people started using Standard to end the debate. And the other thing they loved about it was, there was no way to configure it. So, you either use it or you don't. And so, once you use it, then there's no developer coming in and, you know, sneaking in a change to the configuration while they send in their own pull request, because they don't like that rule. So, they sneak it in, and then the team... and then there's this fight, where different developers are changing the rules, right. It was like, that's it. It really did.

Rory Madden
Are you seeing less semicolons now, since releasing this package?

Feross Aboukhadijeh
What do you mean?

Rory Madden
At the end of the JavaScript line?

Feross Aboukhadijeh
Yes, no one says it anymore. No one sends that, yes.

Rory Madden
Okay, so, how long did this period stretch that you were just working full time on these open source?

Feross Aboukhadijeh
So, I did that from 2015 until 2018 or, 2019 timeframe.

Rory Madden
You were able to self-sustain?

Feross Aboukhadijeh
Yeah, so I had a couple of websites that I made. Just a few websites I made that I threw Google ads onto, that were making me a little bit of money here and there. But yes, I basically lived really frugally during that time. And it's easy to do when you're single and you've low living standards. I don't know.

Rory Madden
You're really setting the stereotype of a developer.

Feross Aboukhadijeh
I don't know. No, it was fine. I was living in the US and it wasn't that bad. I'm making it sound worse than it was.

Rory Madden
Then, like, a few years back, I can't remember the exact time, you tried a few experiments around trying to monetize open source. So, do you want to chat through those in the back? Well, one of them received a bit more backlash than the others.

Feross Aboukhadijeh
So, at the time when you start doing open source, with live experience, this is a common thing, I think, a lot of open source maintainers experience. And I experienced it, which is, when you start, you're so excited to put your first project out there. Usually, the initial reaction is no one cares. No one even knows about it, right.

And so, then when you get, like, somebody who opens an issue, it's amazing, because you're like, oh my God, even though they found a bug or they're complaining, it's incredible that someone cares. You feel like, I made a thing that someone else is using, and you even start looking at who they are and what company they're at. And oh my God, it's so cool. That's... my code is being used by this company, right. It's this phase of excitement.

And so, I felt that for the first few years. More and more people were using the different libraries I was putting out. The enthusiasm was growing. The number of issues and pull requests were growing. And I felt like, this is so cool. And then at some point, it reaches a tipping point. For me, it reached a tipping point.

I think around, like, 2017, where the number of issues that are getting opened is more than you can actually close, more than you can actually keep up with. And what I ended up feeling was a to-do list that was globally writable. Anyone can add items to my to-do list by opening an issue on GitHub and saying that this thing doesn't have a feature it should have, or it has a bug, that it doesn't work in this certain case.

And I would wake up and I'd be like, oh, I guess I have 15 issues I've got to fix today, and I'd just work on it, and then do that again. And at some point I realized, I'm just working for free for all these companies. And then I'd look sometimes at where they worked. And I'm like, hey, they're making a lot of money. And they're just sending me these issues, and I'm just sitting there unemployed, just, like, building features for them. And then at some point, I was like, maybe I shouldn't do this anymore.

So, I mean, that's what you sign up for when you do open source. So, I just thought, wouldn't it be great if there was some way to do this as a full-time job? If there was some way to actually make a living doing this. And I also thought it would be great if kids could say one day, when they grow up, they want to be an open source maintainer. How cool would that be?

Because the thing that's cool about open source is, when you solve a problem once, you solve it for the whole world. I mean, no one has to solve that problem again, right. You put it out there, and it's like you're doing a service for the world, because it's like Wikipedia or something; you're writing an article, you're... it's like you're contributing to the commons. That's how I felt about it.

And I wanted to find a way to do it, but in a way that I didn't feel like I was being taken advantage of or just overwhelmed by all these inbound requests. So, I started thinking, ok, if I could make money from this somehow, if I could do a Patreon, then it would change things for me. So, there were a few maintainers, I was one of them, and a few others, who were experimenting with Patreon around this time.

And the perks we would provide would be, like, I would send people stickers. It was very punk rock. It was like, if you pay $10 a month, you get an envelope of WebTorrent stickers or Standard stickers that I'd send to you. And I literally was hand-addressing the envelopes and doing all that. And it was great for a while, but then what I realized was, most of the people paying are actually other developers or other open source maintainers. Who really should be paying is the companies that are using the software that they depend on. And it was so much work to get them $10 at a time to build up a living doing that. It just---

Rory Madden
Didn't scale.

Feross Aboukhadijeh
--- It didn't really scale, didn't really scale. Yes, and I also felt weird because a lot of the people paying were other open source maintainers that would do this thing where we'd support each other. I would pay them $10 a month, they'd pay me $10. And then Patreon would just take the 10% fees from that transaction. We were just bleeding money to Patreon. And it was like, what are we doing here?

So then I realized that the trick is the actual, the next thing I wanted to try was going directly to companies and saying, you should support this because you use it at your company, first of all. And that wasn't that effective. Then I realized, well, you can actually treat this as a marketing expense. So, put your logo on the readme or put the logo on our website, and then treat that as a marketing expense to recruit developers, and that was actually more effective. Because it turns out that companies are willing to do that, much more than they are willing to do. It's hard to justify sending a donation to somebody as a business expense. It just doesn't work. But you can say, oh, it's a marketing expense, and then it works better. So yes, that actually works. And then I think, they also need to learn things like, you need to be able to send them an invoice, and you need to be able to do this back and forth process. And that is something a lot of maintainers, I guess, don't want to do because they just find that idea.

Rory Madden
Just becomes a distraction as well. What you want to do?

Feross Aboukhadijeh
So, yes, I did it for a while and it was a distraction. And then, if you weren't actively getting more deals and trying to find new people to sponsor you, then you slowly go down to an unlivable amount of money again, yes. But I think you asked about the thing I tried that went really badly.

Rory Madden
Go on.

Feross Aboukhadijeh
Yes, so I had one of the things I realized was that, if you try to go to companies, it's a lot of work to convince them. And a lot of maintainers don't want to do that work because they're just... It's not what they signed up for. They just want to code, right. It's a different skill set. The other problem is a lot of open source projects are behind the scenes. So, they're not known by developers.

I'll give you an example, a UI component library, right, so something like Material UI or Chakra UI or whatever people are familiar with using, these design frameworks, these design systems. Most designers and developers have them open in a tab all day long. So, they know about this. They may not even describe themselves as, I'm a React developer, or I'm a--- it so, they associate with it, and they know about it. And those projects have actually pretty easy time getting sponsorships, because they have this---

Rory Madden
High profile.

Feross Aboukhadijeh
--- Yes, but if you're like, the thing that library uses or you're two or three levels deep, you know, you're just some utility library. Good luck getting anyone to sponsor that, right. So, I wanted to try to solve that problem. My idea was to, don't throw tomatoes at me, but it was to show ads in the terminal, as you install the package. So basically, you would install, you do your NPM install whatever. And then, if during the install process a little banner would appear in ASCII, it would tell you about this package, is brought to you by so-and-so.

And yes, so, I found a couple of companies that wanted to try this experiment out with me. There was basically a console log, and it was very inoffensive. There was no tracking, there was no analytics, they didn't even get numbers on how many people would see their ad. It was just going to put a console log in there. And people hated it. Hacker News hated it. People said, this is the one space in my entire life that does not have everything.

Can you please not make this a norm? And they objected and there're a lot of people who didn't even use the library I added it to. They were just coming in and trying to just destroy this concept so that it wouldn't take off. So, then what happened was actually really funny: customers of these two companies that agreed to work with me were contacting the companies and saying, the fact that you even thought this was an experiment worth running makes me want to cancel it. So please cancel my service.

Then the CEO of one of the companies sent me this panic text message, and it was like, take down the ad, please take down the ad, we're losing customers from this. I was like, Ok, no problem. So, I posted a new version of it. And I just asked it and it was, so, yielded negative ROI, very bad.

Rory Madden
I guess, was that the spark that's led to Socket though now? So, I hope you've seen them, the talk about supply chain attack. So, updating NPM packages and more nefarious things, I guess, some people, some bad actors are putting into those packages. So, was that one of the seeds of the idea?

Feross Aboukhadijeh
Yes, I mean, I realized, I have way too much. As a maintainer, I have way too much power, actually, that I shouldn't have, in a way, because I could just decide one day to do this change. And then everyone who's installing it is getting now ads in their terminal, right. And, for the most part, open source maintainers are good people trying to just contribute something good into the world. And they're doing their best.

They're burdened with a lot of work and a lot of issues. And I'm not trying to, yes, definitely. Really admire the work of all open source maintainers. But there is this risk that comes from using open source that my funding experiment revealed, but also just other things I saw in the ecosystem at the time.

There were examples of means, a maintainer, a friend of mine, gave access to somebody who volunteered to help with the project that he hadn't been working on for about four years. And he gave access to this person. And for about a month, they contributed good changes, but a month in, they actually added a big blob of obfuscated code, couldn't really tell what it did.

It was just really gnarly, to the bottom of one of the files. And no one really noticed, because most people don't read the code. They don't open up the code, right. And then a couple days go by, I think five or six days go by. It gets bundled into a company's product, of a bunch of companies' products, actually. And the thing that was so nefarious about this code that was added: it actually didn't do anything unless it was running in one particular company's product. So, it would look at the name, the project that it was within, and it would only activate in that scenario.

It turned out they were targeting a Bitcoin wallet project. So, it was even really unfair. So, it would look at the only activate in the wallet, and then it would look at what the balance in the user's account was. And if it was over a million Bitcoin and 39 million dollars of Bitcoin, then it would just send it all to the attacker, right. Only the thing that's really nefarious about it is, the support people at this company are used to, probably, users having difficulties with their wallets and saying, oh, the balance in my balance is missing or whatever.

Because it only targeted these high roller accounts, it was only a handful of people who had their funds stolen. They didn't even set off any alarm bells for the company that they got these support queries, because it was a handful that, not that out of the norm, really. So yeah, it went for quite a while without being caught.

It only got caught by total accident too, that's the really scary part is. It wasn't like, somebody just read, you know, was looking at the code and saw it. It happened as a total accident. So, they used a feature in Node.js that happened to be deprecated in the next version, so just totally as an accident, right.

Somebody was running the new version of Node and saw this deprecation warning getting printed out, and they traced it back to this blob of code and said, hey, why is this here? And then eventually, the mystery was solved. But if that feature hadn't been deprecated, who knows how many more weeks? Yes, so it was really wild. And that's the thing that I like. It's all firsthand.

Rory Madden
Well, we're out of time actually, but I've really enjoyed the conversation. It's just been an incredible journey from that, creating all the different companies, projects, going viral multiple times. So, thank you for sharing it and I hope you enjoyed it as well.

Feross Aboukhadijeh
Yes, thank you. Thank you for having me.
