
YC Alum Hacks Jason Calacanis' Voicemail Message to Ask for Investment - seanmccann
https://twitter.com/Jason/status/526449415117361152
======
raldi
Note that this was done via a Caller-ID-spoofing website where all you have to
do is type in:

* The victim's phone number

* Your real phone number

* The fake one you want to appear to be coming from

Then you click Submit and it puts you through. That's it. Any idiot could do
it.

The tech and telecommunications industries are _WAY_ overdue to do at least
one of the following:

1. Stop considering Caller ID a secure authentication method

2. Make Caller ID a secure authentication method

~~~
jedberg
Number one is far easier to do than number two.

Sadly, it's as bad as the banking industry. Still today, they base a lot of
their security on IP addresses. Sad really.

~~~
raldi
It's too bad you don't know anyone who works in the field of tech security
journalism, because it might make for a good exposé...

------
kmfrk
People are told to "hustle", "be naughty", and "break things" - and are
applauded for it in founder stories. Small wonder something like this happens.

~~~
waterlesscloud
Indeed. If only he'd found a way to systematically make money by breaking the
law and "disrupting" things, he'd be getting a valuation in the billions.

~~~
calibraxis
Monetizing investors as unconsenting platforms... Might be worth covering in
"How to Start a Startup Class".

------
icpmacdo
Sam Altman responding.

[https://twitter.com/sama/status/526448975797186560](https://twitter.com/sama/status/526448975797186560)

~~~
jodrellblank
Oh well, as long as Jason can use his personal influence to harm the
attacker's life in return.

Who needs a justice system or the police, anyway?

(And why is it Sam Altman's place to apologise to Jason Calacanis? What is he
apologising for - did YC suggest, approve or have anything to do with this act
at all?)

~~~
sama
We expect ethical behavior from our community, and this fell well short of
that standard. Obviously we didn't suggest or approve it, but we are still
sorry it happened.

~~~
hadoukenio
If YCombinator don't kick these guys out, it's going to demonstrate that all
these apologies are disingenuous and exist only for PR, and that in the
future the line to cross is only imaginary.

~~~
kumarski
YC founder ethics policy here:
[http://www.ycombinator.com/ethics/](http://www.ycombinator.com/ethics/)

As well,
[https://www.youtube.com/watch?v=UacbJ72dluU&feature=channel](https://www.youtube.com/watch?v=UacbJ72dluU&feature=channel)

~~~
hadoukenio
From the policy:

Some examples of ethical behavior we expect from founders are:

    
    
      * Not using misleading, illegal or dishonest sales tactics.
    
      * Not harassing any YC community member, employees, or anyone else.
    
      * Not behaving in a way that damages the reputation of his/her company or of YC.
    
      * Generally behaving in an upstanding way.
    

Looking at Avi's background:

    
    
      "Like at age 16 when my co-founder and I wrote
      one of the first Facebook scripts to mass-invite
      people on Facebook to events we threw. Or how while
      at YCombinator I hacked prototype day (To PG’s
      disapproval)"
    

I think YCombinator is starting to have issues with their filtering process.

~~~
raldi
Also this:

 _> At first, I decided to just solicit them our deck and pitch but then I
realized something: Tim Ferriss and Jason Calacanis almost definitely knew
each other. So I spoof called Calacanis from Tim Ferris’ number._

I know PG looks upon a certain amount of "naughtiness"[1] as a potentially
positive indicator, but it should be clear to anyone with an inkling of common
sense that this is way over the line.

[1]
[http://www.paulgraham.com/founders.html](http://www.paulgraham.com/founders.html)

------
7Figures2Commas
From [https://generalassemb.ly/instructors/avi-zolty/1658](https://generalassemb.ly/instructors/avi-zolty/1658):

> A millionaire by age 21, Avi sold his most recent site to execs at Paypal,
> and continues to devote his time to his love of innovative business. He is a
> member of YCombinator, the prestigious Silicon Valley incubator, and is the
> first to be inducted on talent alone, without requiring the established
> company/business model usually required for acceptance. Avi recently moved
> to LA to focus on his current project, a music startup called Beatdeck.
> Software startups, Social Media/Marketing, Music, and swing trading bit
> coins are his current fascinations.

So a 20-something millionaire who is apparently a successful serial
entrepreneur is now groveling for investment by hacking a prominent investor's
voicemail? Something doesn't add up.

Also, I didn't realize that entrepreneurs were "inducted" into Y Combinator,
or that Y Combinator required applicants to have an "established
company/business model."

~~~
waterlesscloud
Interesting. I wonder if he was the first (only?) person into YC without an
idea, but on the basis of the entrepreneur themselves?

That was something they tried out a couple cycles ago, though I think I saw pg
say they didn't plan to do it again.

------
jasonmcalacanis
Just getting out of my daughter's Halloween party today (30 kids aged 3-7,
science experiments + sugar = boom!).

I accepted Avi's apology and responded to his email here:
[https://twitter.com/Jason/status/526531089355927552](https://twitter.com/Jason/status/526531089355927552)

~~~
7Figures2Commas
> I forgive the kid who hacked my phone today.

The "kid" in question is in his 20s. In other words, he's not a "kid." He's a
grown man.

Your apparent decision not to refer this matter to law enforcement is
charitable, but it's disappointing that you seem to be implying that somebody
who is an adult is really a child. There are entrepreneurs in their 20s who
run legitimate multi-million dollar companies. There are financial services
workers in their 20s who help manage billions of dollars of capital. There are
attorneys in their 20s who help represent companies in high-stakes litigation.
There are MDs in their 20s who have life and death responsibilities as
residents at hospitals.

You're not doing a man who used a caller ID spoofing service any favors by
telling him "you obviously have talents." In the real world, the bar is
nowhere near _that_ low.

~~~
Bluestrike2
Avi might not be dealing with the legal consequences of his actions, but that
doesn't mean he's coming out of this unscathed. Even with Jason's forgiveness,
his reputation is effectively ruined and anyone considering doing business
with him in the future is going to stumble across this story without even
trying: after all, who wants to be involved with someone who is immature and
short-sighted enough to think that this 'stunt' was a good idea? Even his
attempt at explaining his actions [1] reeks of emotional immaturity and
atrocious judgment. Calling him a kid strikes me as a recognition of that
immaturity, reinforcing the idea that he's someone not to be trusted in the
future.

That said, I don't really agree with the idea of forgiveness in this kind of
stalker-ish situation (but that's largely biased by having to experience my
little sister being terrorized by an ex- who became a stalker... needless to
say, it's not the sort of thing I have any tolerance for). While I don't know
Jason, I can empathize with his approach: it's pretty common for people in
similar situations to just want to get the entire matter behind them.

[1]
[https://webcache.googleusercontent.com/search?q=cache:QkTa-z...](https://webcache.googleusercontent.com/search?q=cache:QkTa-zWgIh8J:https://medium.com/%40avizolty/my-investment-hack-jason-calacanis-voicemail-e4b414659ad7)

------
austenallred
For those curious about how this is done (don't try to use this for ill - it's
seriously illegal and almost everyone gets caught):

Generally you can access the voicemail menu by entering star then a four digit
PIN number while listening to any phone's voicemail. A lot of people leave
their PIN as the default (star+1234 on some carriers, star+9999 on others).
You can call their phone, get voicemail, guess the pin, and change any of
their voicemail settings you like. It's even easier if you spoof the call as
calling from the person's own number.

This is a breach of privacy, but generally harmless. It gets dangerous when
you start changing the message to something like "accept" and using someone
else's voicemail to call collect, verify identities, etc.

Again, this post is for curiosity's sake only - do not try this.

~~~
pavlov
Voicemail hacking has a sordid history. British tabloid News of the World, one
of the oldest newspapers in the UK, was revealed to have accessed the
voicemail systems of possibly over 4000 people [1]. The scandal was such a hit
to the newspaper's reputation that it was shut down completely in 2011.

It's incredible that a YC founder would think it "an interesting social
experiment".

[1] [http://www.bbc.com/news/uk-11195407](http://www.bbc.com/news/uk-11195407)

------
seanmccann
Here's the story from the founder's perspective:
[http://webcache.googleusercontent.com/search?q=cache:QkTa-zW...](http://webcache.googleusercontent.com/search?q=cache:QkTa-zWgIh8J:https://medium.com/%40avizolty/my-investment-hack-jason-calacanis-voicemail-e4b414659ad7)

~~~
mvrekic
I find the post photo where Jason holds a phone with the Skurt logo, alluding
to an existing relationship, equally disturbing.

~~~
pygy_
The legend says the image has been modified.

------
georgemcbay
Andrew Auernheimer ("weev") was sentenced to 3 and a half years in jail for
something that was (IMO) far more innocuous than this. Terrible move here.

Not only against the law, but this "hack" involves a highly likely creep
factor for the person on the other end of it, not quite as creepy as walking
into your house to find someone harmlessly hanging out in your living room,
but in the same general ballpark.

To top it all off, it isn't even a technically difficult feat.

~~~
boothead
weev... more innocuous? Are you fucking serious?

[http://seriouspony.com/trouble-at-the-koolaid-point/](http://seriouspony.com/trouble-at-the-koolaid-point/)

~~~
georgemcbay
I've never met weev, but from his online writings and various actions reported
by others he seems like a giant asshole.

However, I wasn't commenting on his character, just the one specific action he
was jailed for and how it compares to the events in this story.

In that context, modifying URLs and resubmitting them seems way more harmless
to me than spoofing your caller-id to gain access to a targeted individual's
voicemail and change their outgoing message.

~~~
Buge
He wrote a bot to do the requests, they weren't manual, and he spoofed his
user agent, it wasn't in-browser.

He then shared some of the private email addresses with various news agencies.

------
cyansmoker
"my co-founder and I wrote one of the first Facebook scripts to mass-invite
people on Facebook to events we threw"

Er...this is not "new and experimental" it's just a spambot, like thousands of
idiots write daily. You have obviously lost the plot.

~~~
yen223
It's not "spamming", it's growth hacking. Get with the times, grandpa!

------
chatmasta
Wow, what an unbelievable idiot. Even YC, it seems, makes admissions mistakes
sometimes!

(OP: [http://webcache.googleusercontent.com/search?q=cache:QkTa-zW...](http://webcache.googleusercontent.com/search?q=cache:QkTa-zWgIh8J:https://medium.com/%40avizolty/my-investment-hack-jason-calacanis-voicemail-e4b414659ad7))

This is so dumb on so many levels I can't even believe it. Is it really so
hard to get an intro to a founder, that you have to resort to this? You are a
YC alum! You are literally handed the contact information of 100's of people
who could help you, and instead you resort to this.

------
pain_perdu
This is not going to end well.

Ethical quandaries aside (of which there are several) for a moment, I think
this strategy speaks poorly of the startup. What type of signal does it send
to prospective investors that you feel it's necessary to pull illegal stunts
in order to gain attention for your round? A quality YC startup shouldn't need
to go to such lengths to raise a round if the substance of your project/team
is of sufficient quality as to warrant investment.

------
birken
This is akin to somebody breaking into Jason's house while nobody is home and
placing an ad for their startup on his coffee table. Nobody is physically
harmed but it is a gross violation of privacy. I assume this is against the
law, and I do hope the perpetrator is prosecuted for it.

~~~
mmastrac
Didn't that happen with Arrington?

~~~
nikcub
Arrington has a ton of these stories. There are a few that I know since I was
there.

The first was the Dutch guys (who went on to start TheNextWeb) showing up at
the house randomly early in the morning (we weren't morning people) after
finding the address online. I was woken up by them since my room was at the
front. They brought over coffee, I thought they had been invited so let them
in. They stood around for 30 seconds then all charged into Arrington's room
and woke him up. He had no idea who they even were, took him 20 minutes to get
his bearings and to figure out who these guys were. What made it weirder and
surreal like a von Trier film was that these guys all looked similar and were
dressed in matching white suits - when I first saw them they were actually
walking through the back yard. Having just woken up to a sound of people
walking around the house and seeing three blonde guys with Dutch accents in
white suits trampling through the backyard carrying Starbucks and donuts, I
really thought I was tripping.

This story was told in the opening of the Wired profile:

[http://archive.wired.com/techbiz/people/magazine/15-07/ff_ar...](http://archive.wired.com/techbiz/people/magazine/15-07/ff_arrington?currentPage=all)

As much as we tried to scrub the address online so people wouldn't show up, it
was useless. Foursquare was a nightmare because people would come over and
then 'check in', giving away the address of where we lived to the world
without thinking about it.

Second time was in Vegas. Arrington finally unplugged and took some time off
and we made a last minute trip to Vegas. First day there, get to the pool,
have a couple of drinks and he takes a photo of the view looking up at the sun
and uploads it to Flickr (iirc). 3 hours later back at his room and the room
phone rings - I hear one end of the conversation - "yep, uha.. uha.. you know,
this is _really_ inappropriate.. you're not doing yourself any favors.. don't
call again". Gets off, and it turns out someone had tracked the GPS
coordinates in the EXIF embedded in the photo, worked out what hotel we were
staying at and called the front desk asking for Arrington, saying they were a
friend. They got Arrington on the phone and then spent 30 seconds blurting out
their startup pitch. They also thought it was a cool hack, but it was just
very very creepy. Made that entire day very uncomfortable and it rattled
Arrington for a while. We ended up changing all of our names with the hotel
after telling them about it and they set us all up with aliases (which is
something they apparently do as a security measure for celebrities,
politicians, or people looking for privacy etc.)

edit: privacy violations affect people, it is really fucked up - have respect
for the personal space of others.

~~~
kumarski
Damn.... that sucks.

I try just sending tweets to TC journalists for coverage. It never works, and
as such have given up on TechCrunch.

This shit is ridiculous though.

~~~
nikcub
tips at techcrunch.com is your best bet, everyone at the company is at the end
of that email. Do a short email with a story hook in it.

Jason Kincaid's book is really really good:

[http://www.amazon.com/The-Burned-Out-Bloggers-Guide-PR-ebook...](http://www.amazon.com/The-Burned-Out-Bloggers-Guide-PR-ebook/dp/B00NFAT238)

------
razzaj
Somehow, reading the founder's perspective makes this look worse for me. There
is a threshold after which "hacking" stops being cute. Do you really want to
start your relationship with a lie?

------
rohunati
What is the point of going to YC if you're going to do such things to ask for
an investment?

The whole idea of YC, I thought, is they hook you up with the best investors
in the valley because of their amazing network. Seems like a lot of trouble to
go through (not to mention a messy legal situation) when you can just call up
Sam and ask for an introduction...

------
thebiglebrewski
Wow, that was a pretty stupid thing to do. Why do people think that this is
ok? Also, of all people to do it to, Jason is probably one of the easiest to
get through to if you have something legitimate to say to him. Just go to one
of the myriad events he throws and you're bound to get a glimpse. This is just
childish.

~~~
minimaxir
In response, someone (EDIT: Cofounder of hacker's previous YC startup)
tweeted:

"the valley seriously can't take a joke anymore. Like 'hey guys - hack
traction do crazy shit' then 'what have you done, you're crazy'"

"but to hack your voicemail, it means you didn't set it up in the first place.
Am I missing something here? Failing to find the harm."

[https://twitter.com/apcommunicate/status/526449274133807104](https://twitter.com/apcommunicate/status/526449274133807104)

~~~
hadoukenio
That someone is his co-founder

~~~
minimaxir
That puts the last tweet in a much different context: "Jacob - I didn't do
anything, but I must say - We definitely don't see it the same."

------
prayag
Unauthorized access of someone else's voicemail is actually a federal crime.
US Court of appeals ruled in 1999
[http://t.co/bvYYlzNpgX](http://t.co/bvYYlzNpgX)

~~~
yuhong
But notice that the CFAA is the wrong act.

------
zoltar92
my apology:
[https://twitter.com/AviZolty/status/526467881295683584](https://twitter.com/AviZolty/status/526467881295683584)

~~~
jsmthrowaway
If I were you, I'd consult with a criminal defense attorney before speaking
further. You wrote a blog post admitting to a federal crime under the CFAA,
and phone hacking is in the spotlight at the moment due to what's going on
with Piers Morgan's former haunts.

If you do not have a criminal defense attorney, you now need one. If you're
banking on Jason's good will, the decision to prosecute you is not in his
hands.

~~~
rabino
Out of all the noise, this is the only comment he should be paying attention
to.

------
cheez
I once spoofed an email from the president of a security company to their HR
guy to give me a job.

They must have known immediately but played along. That was fun, though no
harm came of it.

------
minimaxir
The original Medium article was submitted to HN a couple hours ago, which the
OP wisely deleted after being called out. (and then he deleted the original
Medium article shortly after)

[https://news.ycombinator.com/item?id=8511547](https://news.ycombinator.com/item?id=8511547)

------
yzzxy
I wonder how long it can possibly be until someone else "borrows" the publicly
listed phone number on the front page of skurt.co

------
eranation
There is a gray line for what you can or cannot do to get attention, this
isn't even near it. Even if Jason would have thought these guys' company is the
next truecar or something, if he ends up investing it will just solicit more
hacks in the future, and it will end up with someone getting in big trouble.
There are some risks that are not worth taking.

------
nikcub
OP posted an apology:

[https://twitter.com/AviZolty/status/526467881295683584](https://twitter.com/AviZolty/status/526467881295683584)

> I just wanted to take a moment to sincerely apologize to @jason publicly.
> Been in contact, he's a great sport, and I admire him so much.

------
S4M
I have trouble understanding how someone can think hacking people's voice
mail will get them to invest in his company - that isn't related to security.

------
orky56
It's such a fine line and if he veered just a bit more on the other side, all
this press would be beneficial. Instead, he's caught with the hot potato.
Honestly, some people have the gift to notice & exploit vulnerabilities but
there needs to be a commensurate amount of tact, empathy, and morality for it
to be a positive force. I'm on the other side of the spectrum looking to
"learn" this type of behavior but my scruples hinder my progress and way of
thinking.

~~~
hadoukenio
That fine line is called the law. "Journalists" were thrown in jail for doing
the same to celebrity/royalty voice mails.

~~~
ritchiea
Ok but what about when companies like Uber break the law and it's celebrated?
Or when the law gets changed to protect existing companies from competition
like Tesla's competitors have been successfully lobbying for?

~~~
jsmthrowaway
It's a very simplistic world view to think that Uber defying regulation and
hacking someone's voicemail are in the same ballpark.

------
nodata
So did he invest?

~~~
orky56
That answer is obvious, but I'm more curious whether he is informing his
network of investors to stay away.

~~~
rabino
Didn't he do just that by making it public on his twitter?

------
hazzajay
I hope that the same dudes that are against this aren't the same douches that
were for the fappening.

------
stevewillows
It's a shame that Skurt didn't include their social media links on their own
site.

------
daimyoyo
I don't say this often, but I really hope this guy gets prosecuted.

------
travelhead
I would agree with will.I.am that we should change the name of hackathons to
appathons. Facebook "Hacker" culture and the word hacker is too hyped and
gives young people the wrong message.

~~~
waterlesscloud
<Glances up at page title>

------
sauere
Hustle hard.

It should also be noted how he did this "hack". He spoofed a call to Jason's
own number (thus reaching the voicemail). The voicemail was not set up (or PIN
secured), so he was able to do the initial voicemail setup.

Would have been cooler if they were working on some security-related product.

Also: people need to relax.
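
Added example, not part of any comment in this thread: a sketch of the voicemail-side policy that closes the gaps raldi, austenallred and sauere describe (caller ID treated as authentication, default PINs, setup of an uninitialized mailbox from an inbound call). All names, the 6-digit minimum, the lockout threshold and the `device_authenticated` flag are assumptions for illustration, and the phone numbers are constructed.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed deny-list: the defaults named in the thread plus trivial values.
WEAK_PINS = {"1234", "9999", "0000", "1111", "123456", "000000"}
MIN_PIN_LEN = 6      # assumed policy; the thread describes four-digit PINs
MAX_FAILURES = 3     # assumed lockout threshold


@dataclass
class Mailbox:
    number: str
    pin: Optional[str] = None   # None means voicemail was never set up
    failures: int = 0
    locked: bool = False
    # A production system would store a salted hash, not the PIN itself.


def is_weak_pin(pin: str, number: str) -> bool:
    """Reject defaults, repeated digits, runs, and digits taken from the number."""
    if not pin.isdigit() or len(pin) < MIN_PIN_LEN:
        return True
    if pin in WEAK_PINS or len(set(pin)) == 1:
        return True
    if pin in "0123456789" or pin in "9876543210":
        return True
    digits = "".join(c for c in number if c.isdigit())
    return pin in digits


def set_pin(box: Mailbox, new_pin: str) -> None:
    if is_weak_pin(new_pin, box.number):
        raise ValueError("PIN rejected: default, trivial, or derived from the number")
    box.pin = new_pin
    box.failures = 0


def authorize(box: Mailbox, caller_id: str, entered_pin: Optional[str],
              device_authenticated: bool = False) -> str:
    """Decide access to the voicemail menu.

    caller_id is kept for audit logging only and never influences the
    decision, because the calling party can set it to any value.
    device_authenticated is a hypothetical signal that the carrier network
    authenticated the subscriber's own handset for this session.
    """
    if box.locked:
        return "locked"
    if box.pin is None:
        # First-time setup is not reachable from an ordinary inbound call.
        return "setup_allowed" if device_authenticated else "denied_uninitialized"
    if entered_pin and hmac.compare_digest(entered_pin.encode(), box.pin.encode()):
        box.failures = 0
        return "granted"
    box.failures += 1
    if box.failures >= MAX_FAILURES:
        box.locked = True
        return "locked"
    return "denied"
```
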

