Apparently he later changed the last line from "This wasn’t meant to be a malicious hack, but rather a simple social experiment to see how much traction/investor interest I could get" to "LEGAL DISCLOSURE: I have neither attempted to read or plan to read any voicemails," in the version of the cache I have, which is a telling edit.
With lots of providers you only need the PIN if accessing voicemail from a number that isn't your own, eg "dialling in" to your voicemail from a payphone/friendsphone/etc (dial your own number, press *)... if it detects it's from your own number, it generally just lets you in without the PIN.
The original Medium article was submitted to HN a couple hours ago, which the OP wisely deleted after being called out. (and then he deleted the original Medium article shortly after)
Somehow reading the founder's perspective, makes this look worse for me. There is a threshold after which "hacking" stops being cute. Do you really want to start your relationship with a lie?
Andrew Auernheimer ("weev") was sentenced to 3 and half years in jail for something that was (IMO) far more innocuous than this. Terrible move here.
Not only against the law, but this "hack" involves a highly likely creep factor for the person on the other end of it, not quite as creepy as walking into your house to find someone harmlessly hanging out in your living room, but in the same general ballpark.
To top it all off, it isn't even a technically difficult feat.
I've never met weev, but from his online writings and various actions reported by others he seems like a giant asshole.
However, I wasn't commenting on his character, just the one specific action he was jailed for and how it compares to the events in this story.
In that context, modifying URLs and resubmitting them seems way more harmless to me than spoofing your caller-id to gain access to a targeted individual's voicemail and change their outgoing message.
Ethical quandaries aside (of which there are several) for a moment, I think this strategy speaks poorly of the startup. What type of signal does it send to prospective investors that you feel it's necessary to pull illegal stunts in order to gain attention for your round? A quality YC startup shouldn't need to go to such lengths to raise a round if the substance of your project/team is of sufficient quality as to warrant investment.
Wow, that was a pretty stupid thing to do. Why do people think that this is ok? Also, of all people to do it to, Jason is probably one of the easiest to get through to if you have something legitimate to say to him. Just go to one of the myriad events he throws and you're bound to get a glimpse. This is just childish.
Oh well, as long as Jason can use his personal influence to harm the attacker's life in return.
Who needs a justice system or the police, anyway?
(And why is it Sam Altman's place to apologise to Jason Calacanis? What is he apologising for - did YC suggest, approve or have anything to do with this act at all?)
We expect ethical behavior from our community, and this fell well short of that standard. Obviously we didn't suggest or approve it, but we are still sorry it happened.
If YCombinator don't kick these guys out, it's going to demonstrate that these all apologies are disingenuous and exist only for PR, and that that in the future the line to cross does is only imaginary.
Some examples of ethical behavior we expect from founders are:
* Not using misleading, illegal or dishonest sales tactics.
* Not harassing any YC community member, employees, or anyone else.
* Not behaving in a way that damages the reputation of his/her company or of YC.
* Generally behaving in an upstanding way.
Looking at Avi's background:
"Like at age 16 when my co-founder and I wrote
one of the first Facebook scripts to mass-invite
people on Facebook to events we threw. Or how while
at YCombinator I hacked prototype day (To PG’s
disapproval)"
I think YCombinator is starting to have issues with their filtering process.
> At first, I decided to just solicit them our deck and pitch but then I realized something: Tim Ferriss and Jason Calacanis almost definitely knew each other. So I spoof called Calacanis from Tim Ferris’ number.
I know PG looks upon a certain amount of "naughtiness"[1] as a potentially positive indicator, but it should be clear to anyone with an inkling of common sense that this is way over the line.
Indeed. If only he'd found a way to systematically make money by breaking the law and "disrupting" things, he'd be getting a valuation in the billions.
A natural extension of "it's easier to apologize later than to ask for permission."
I'm curious to see how this plays out in terms of YC's response, because as a prominent player and popularly accepted thought leader in the start up "industry", their response will set the tone and draw the line in what is seen as acceptable for " getting things done ".
The EFI fine [1] demonstrated that it often pays to be illegal. The banks demonstrate this on a regular basis with their paltry funds and settlements. Will startups/small-tech follow suit? (Well, maybe only towards lay people rather than investors with power and money. Today's lesson: don't mess with people who actually have power!)
There is a big difference between hustling (hardcore sales), being naughty (sneaking into a room you shouldn't, getting your hands on a phone number you shouldn't be able to) and breaking things (manipulating a system to your advantage) to something like this.
A combination of above would be to stalk down Tim Ferriss' number, organize $150 in car rental credit or whatever, and then text him to let him know that the car is ready for him. Or, even still, rent a car for him and send it to his building, and let him know its waiting for him.
That is an example of breaking the system. Blatantly hacking someone else's phone doesn't do anything for your sales; it doesn't do anything to showcase your product (unless your product is a phone hacking/security device); and there is nothing personal to it at all.
This is so dumb on so many levels I can't even believe it. Is it really so hard to get an intro to a founder, that you have to resort to this? You are a YC alum! You are literally handed the contact information of 100's of people who could help you, and instead you resort to this.
It should also be noted how he did this "hack". He spoofed a call to Jasons own number (thus reaching the voicemail). The voicemail was not setup (or PIN secured), so he was able to do the initial voicemail setup.
Would have been cooler if they were working on some security-related product.
This is akin to somebody breaking into Jason's house while nobody is home and placing an ad for their startup on his coffee table. Nobody is physically harmed but it is a gross violation of privacy. I assume this is against the law, and I do hope the perpetrator is prosecuted for it.
Arrington has a ton of these stories. There are a few that I know since I was there.
The first was the dutch guys (who went on to start TheNextWeb) showing up at the house randomly early in the morning (we weren't morning people) after finding the address online. I was woken up by them since my room was at the front. They bought over coffee, I thought they had been invited so let them in. They stood around for 30 seconds then all charged into Arrington's room and woke him up. He had no idea who they even were, took him 20 minutes to get his bearings and to figure out who these guys were. What made it weirder and surreal like a von Trier film was that these guys all looked similar and were dressed in matching white suits - when I first saw them they were actually walking through the back yard. Having just woken up to a sound of people walking around the house and seeing three blonde guys with dutch accents in white suits trampling through the backyard carrying Starbucks and donuts, I really thought I was tripping.
This story was told in the opening of the Wired profile:
As much as we tried to scrub the address online so people wouldn't show up, it was useless. Foursquare was a nightmare because people would come over and then 'check in', giving away the address of where we lived to the world without thinking about it
Second time was in Vegas. Arrington finally unplugged and took some time off and we made a last minute trip to vegas. First day there, get to the pool, have a couple of drinks and he takes a photo of the view looking up at the sun and uploads it to flickr (iirc). 3 hours later back at his room and the room phone rings - I hear one end of the conversation - "yep, uha.. uha.. you know, this is really inappropriate.. you're not doing yourself any favors.. don't call again". Gets off, and it turns out someone had tracked the GPS coordinates in the exif embedded in the photo, worked out what hotel we were staying at and called the front desk asking for Arrington, saying they were a friend. They got Arrington on the phone and then spent 30 seconds blurting out their startup pitch. They also thought it was a cool hack, but it was just very very creepy. Made that entire day very uncomfortable and it rattled Arrington for a while. We ended up changing all of our names with the hotel after telling them about it and they set us all up with aliases (which is something they apparently do as a security measure for celebrities, politicians, or people looking for privacy etc.)
edit: privacy violations affect people, it is really fucked up - have respect for the personal space of others.
If I were you, I'd consult with a criminal defense attorney before speaking further. You wrote a blog post admitting to a federal crime under the CFAA, and phone hacking is in the spotlight at the moment due to what's going on with Piers Morgan's former haunts.
If you do not have a criminal defense attorney, you now need one. If you're banking on Jason's good will, the decision to prosecute you is not in his hands.
Is there anyone there who can proof read your landing page at skurt.co? I know you don't need it to be perfect but it reads like an email from a Nigerian prince.
It's such a fine line and if he veered just a bit more on the other side, all this press would be beneficial. Instead, he's caught with the hot potato. Honestly, some people have the gift to notice & exploit vulnerabilities but there needs to be a commensurate amount of tact, empathy, and morality for it to be a positive force. I'm on the other side of the spectrum looking to "learn" this type of behavior but my scruples hinder my progress and way of thinking.
Unfortunately, it's not as simple as the "law" but more of "is it worth enforcing?". If you look at the stories of successful startups including YC ones, you'll see a history of unfair advantage early on to achieve initial traction or press. If their intent was misconstrued as malicious, it wouldn't be too difficult for someone to take them to court.
Some examples -
1) P2P file sharing & video hosting sites gained their meaningful traction by dealing with copyrighted content in a very hands-off manner
2) AirBnB & dating sites taking existing customers from popular sites to move them over in a way that goes against TOS
Ok but what about when companies like Uber break the law and it's celebrated? Or when the law gets changed to protect existing companies from competition like Tesla's competitors have been successfully lobbying for?
For those curious about how this is done (don't try to use this for ill - it's seriously illegal and almost everyone gets caught):
Generally you can access the voicemail menu by entering star then a four digit PIN number while listening to any phone's voicemail. A lot of people leave their PIN as the default (star+1234 on some carriers, star+9999 on others). You can call their phone, get voicemail, guess the pin, and change any of their voicemail settings you like. It's even easier if you spoof the call as calling from the person's own number.
This is a breach of privacy, but generally harmless. It gets dangerous when you start changing the message to something like "accept" and using someone else's voicemail to call collect, verify identities, etc.
Again, this post is for curiosity sake only - do not try this.
Voicemail hacking has a sordid history. British tabloid News of the World, one of the oldest newspapers in the UK, was revealed to have accessed the voicemail systems of possibly over 4000 people [1]. The scandal was such a hit to the newspaper's reputation that it was shut down completely in 2011.
It's incredible that a YC founder would think it "an interesting social experiment".
There is a gray line for what you can or can not do to get attention, this isn't even near it. Even if Jason would have thought these guys company is the next truecar or something, if he ends up investing it will just solicit more hacks in the future, and it will end up with someone getting in big trouble. There are some risks that are not worth to be taken.
What is the point of going to YC if you're going to do such things to ask for an investment?
The whole idea of YC, I thought, is they hook you up with the best investors in the valley because of their amazing network. Seems like a lot of trouble to go through (not to mention a messy legal situation) when you can just call up Sam and ask for an introduction...
I have troubles understanding how someone can think hacking people's voice mail will get them to invest in his company - that isn't related to security.
Recently I found myself in trouble when abroad because I had no secret code on my voicemail. And My carrier flat refused to do anything without a code when on a different network. I guess it is to prevent this kind of things (I could set a code on the carrier's website).
96 comments
[ 2.8 ms ] story [ 194 ms ] thread> This wasn’t meant to be a malicious hack, but rather a simple social experiment to see how much traction/investor interest I could get.
What matters isn't what it was meant as. What matters is that in doing this you showed your poor judgement.
https://www.dropbox.com/s/go9lfnxwt9fnax2/My%20Investment%20...
https://news.ycombinator.com/item?id=8511547
Not only against the law, but this "hack" involves a highly likely creep factor for the person on the other end of it, not quite as creepy as walking into your house to find someone harmlessly hanging out in your living room, but in the same general ballpark.
To top it all off, it isn't even a technically difficult feat.
http://seriouspony.com/trouble-at-the-koolaid-point/
However, I wasn't commenting on his character, just the one specific action he was jailed for and how it compares to the events in this story.
In that context, modifying URLs and resubmitting them seems way more harmless to me than spoofing your caller-id to gain access to a targeted individual's voicemail and change their outgoing message.
He then shared some of the private email addresses with various news agencies.
Ethical quandaries aside (of which there are several) for a moment, I think this strategy speaks poorly of the startup. What type of signal does it send to prospective investors that you feel it's necessary to pull illegal stunts in order to gain attention for your round? A quality YC startup shouldn't need to go to such lengths to raise a round if the substance of your project/team is of sufficient quality as to warrant investment.
They must have known immediately but played along. That was fun, though no harm came of it.
"the valley seriously can't take a joke anymore. Like 'hey guys - hack traction do crazy shit' then 'what have you done, you're crazy'"
"but to hack your voicemail, it means you didn't set it up in the first place. Am I missing something here? Failing to find the harm."
https://twitter.com/apcommunicate/status/526449274133807104
https://twitter.com/sama/status/526448975797186560
Who needs a justice system or the police, anyway?
(And why is it Sam Altman's place to apologise to Jason Calacanis? What is he apologising for - did YC suggest, approve or have anything to do with this act at all?)
As well, https://www.youtube.com/watch?v=UacbJ72dluU&feature=channel
Some examples of ethical behavior we expect from founders are:
Looking at Avi's background: I think YCombinator is starting to have issues with their filtering process.> At first, I decided to just solicit them our deck and pitch but then I realized something: Tim Ferriss and Jason Calacanis almost definitely knew each other. So I spoof called Calacanis from Tim Ferris’ number.
I know PG looks upon a certain amount of "naughtiness"[1] as a potentially positive indicator, but it should be clear to anyone with an inkling of common sense that this is way over the line.
[1] http://www.paulgraham.com/founders.html
Oh, wait, he hadn't already raised millions and wasn't yet part of the untouchables? hum, I feel for him.
I'm curious to see how this plays out in terms of YC's response, because as a prominent player and popularly accepted thought leader in the start up "industry", their response will set the tone and draw the line in what is seen as acceptable for " getting things done ".
The EFI fine [1] demonstrated that it often pays to be illegal. The banks demonstrate this on a regular basis with their paltry funds and settlements. Will startups/small-tech follow suit? (Well, maybe only towards lay people rather than investors with power and money. Today's lesson: don't mess with people who actually have power!)
[1] http://www.engadget.com/2014/10/23/efi-underpaying-workers/
A combination of above would be to stalk down Tim Ferriss' number, organize $150 in car rental credit or whatever, and then text him to let him know that the car is ready for him. Or, even still, rent a car for him and send it to his building, and let him know its waiting for him.
That is an example of breaking the system. Blatantly hacking someone else's phone doesn't do anything for your sales; it doesn't do anything to showcase your product (unless your product is a phone hacking/security device); and there is nothing personal to it at all.
That's just my view on it anyway.
(OP: http://webcache.googleusercontent.com/search?q=cache:QkTa-zW...)
This is so dumb on so many levels I can't even believe it. Is it really so hard to get an intro to a founder, that you have to resort to this? You are a YC alum! You are literally handed the contact information of 100's of people who could help you, and instead you resort to this.
It should also be noted how he did this "hack". He spoofed a call to Jasons own number (thus reaching the voicemail). The voicemail was not setup (or PIN secured), so he was able to do the initial voicemail setup.
Would have been cooler if they were working on some security-related product.
Also: people need to relax.
The first was the dutch guys (who went on to start TheNextWeb) showing up at the house randomly early in the morning (we weren't morning people) after finding the address online. I was woken up by them since my room was at the front. They bought over coffee, I thought they had been invited so let them in. They stood around for 30 seconds then all charged into Arrington's room and woke him up. He had no idea who they even were, took him 20 minutes to get his bearings and to figure out who these guys were. What made it weirder and surreal like a von Trier film was that these guys all looked similar and were dressed in matching white suits - when I first saw them they were actually walking through the back yard. Having just woken up to a sound of people walking around the house and seeing three blonde guys with dutch accents in white suits trampling through the backyard carrying Starbucks and donuts, I really thought I was tripping.
This story was told in the opening of the Wired profile:
http://archive.wired.com/techbiz/people/magazine/15-07/ff_ar...
As much as we tried to scrub the address online so people wouldn't show up, it was useless. Foursquare was a nightmare because people would come over and then 'check in', giving away the address of where we lived to the world without thinking about it
Second time was in Vegas. Arrington finally unplugged and took some time off and we made a last minute trip to vegas. First day there, get to the pool, have a couple of drinks and he takes a photo of the view looking up at the sun and uploads it to flickr (iirc). 3 hours later back at his room and the room phone rings - I hear one end of the conversation - "yep, uha.. uha.. you know, this is really inappropriate.. you're not doing yourself any favors.. don't call again". Gets off, and it turns out someone had tracked the GPS coordinates in the exif embedded in the photo, worked out what hotel we were staying at and called the front desk asking for Arrington, saying they were a friend. They got Arrington on the phone and then spent 30 seconds blurting out their startup pitch. They also thought it was a cool hack, but it was just very very creepy. Made that entire day very uncomfortable and it rattled Arrington for a while. We ended up changing all of our names with the hotel after telling them about it and they set us all up with aliases (which is something they apparently do as a security measure for celebrities, politicians, or people looking for privacy etc.)
edit: privacy violations affect people, it is really fucked up - have respect for the personal space of others.
I try just sending tweets to TC journalists for coverage. It never works, and as such have given up on TechCrunch.
This shit is ridiculous though.
Jason Kincaid's book is really really good:
http://www.amazon.com/The-Burned-Out-Bloggers-Guide-PR-ebook...
Great sport? This isn't a practical joke gone wrong.
Doing this is the one thing, pulling back 15 minutes after someone criticises you is the other.
If you do not have a criminal defense attorney, you now need one. If you're banking on Jason's good will, the decision to prosecute you is not in his hands.
https://twitter.com/AviZolty/status/526467881295683584
> I just wanted to take a moment to sincerely apologize to @jason publicly. Been in contact, he's a great sport, and I admire him so much.
Some examples -
1) P2P file sharing & video hosting sites gained their meaningful traction by dealing with copyrighted content in a very hands-off manner
2) AirBnB & dating sites taking existing customers from popular sites to move them over in a way that goes against TOS
Er...this is not "new and experimental" it's just a spambot, like thousands of idiots write daily. You have obviously lost the plot.
Generally you can access the voicemail menu by entering star then a four digit PIN number while listening to any phone's voicemail. A lot of people leave their PIN as the default (star+1234 on some carriers, star+9999 on others). You can call their phone, get voicemail, guess the pin, and change any of their voicemail settings you like. It's even easier if you spoof the call as calling from the person's own number.
This is a breach of privacy, but generally harmless. It gets dangerous when you start changing the message to something like "accept" and using someone else's voicemail to call collect, verify identities, etc.
Again, this post is for curiosity sake only - do not try this.
It's incredible that a YC founder would think it "an interesting social experiment".
[1] http://www.bbc.com/news/uk-11195407
The whole idea of YC, I thought, is they hook you up with the best investors in the valley because of their amazing network. Seems like a lot of trouble to go through (not to mention a messy legal situation) when you can just call up Sam and ask for an introduction...
* The victim's phone number
* Your real phone number
* The fake one you want to appear to be coming from
Then you click Submit and it puts you through. That's it. Any idiot could do it.
The tech and telecommunications industries are WAY overdue to do at least one of the following:
1. Stop considering Caller ID a secure authentication method
2. Make Caller ID a secure authentication method
Sadly, it's as bad as the banking industry. Still today, they base a lot of their security on IP addresses. Sad really.