Yik Yak fires 30 of 50 employees (arstechnica.com)
78 points by w1ntermute on Dec 11, 2016 | 70 comments



Not too surprising. From a technology and hacker standpoint, I had a run-in with one of their earlier developers that left a really bad taste in my mouth.

An ex-engineer from Yik Yak reached out while we were hiring a while back.

They proceeded to supply a .zip file of their entire source code repository (yes, all of it). They said it was outdated now so it seemed okay in their eyes.

This included all of the dot files for configuration: keys, passwords, email addresses, Amazon instances where databases were at, and more.

I didn't ask for this .zip file, I was simply looking for some examples of experience.

Needless to say, it definitely made me look at Yik Yak differently.


I know a guy who interviews ops people and asks for certain details of their current employer's network security. The only answer he accepts is "no".


Is it really wrong to give architectural considerations of the security of a system? It seems like security is a problem if having a discussion about such things could lead to its compromise.

However, I have no expertise in the subject so I could be wrong.


Yes, it is wrong. There's no reason to disclose the security systems of your previous employer, and there's no reason for an employer to ask. Any security question that can be asked specifically about one company, can be asked and answered in a more general way.

It's the difference between - "What security controls were in place at Corp?" and "What security controls would you put in place to protect X system?"

The 1st version is bad, not just because it discloses security controls at the previous employer.. but also because it makes the candidate responsible for (possibly bad) security decisions that were outside of their control and/or existed before they were hired.

The 2nd version gives the candidate a chance to talk generally/ideally about security.. even if the previous employer did something else.


> There's no reason to disclose the security systems of your previous employer

But isn't it relevant what technologies you used in your most recent roles?


So if my current employer uses SELinux heavily and I answer a question on how to fix an http server because of a missing or incorrect context your guy would say "Nope, you disclosed secrets, get lost?" Probably not. But if I give it as an example because I once had to do it for real I'm out? That's a very fine line to draw. I agree something specific to an employer could be an issue, but there are plenty of problems no employer may uniquely claim.


Yeah, that's Kerckhoffs' principle:

> "A cryptosystem should be secure even if everything about the system, except the key, is public knowledge"


But real world systems have simple defects that can be exploited without breaking a cryptographic algorithm.


Then it's not secure. Security is about the whole system, not just the crypto algo being used.

It's defense in depth, not security through obscurity.


Defense in depth is stacking several flawed defenses hoping no attacker is aware of enough flaws to get through all of them. If any of the defenses were actually secure you wouldn't need the others. But we as an industry can't yet make anything secure.


High-level discussions of how you designed your architecture are fine. But once you get into details, that gives someone enough information to start to fine-tune an attack on it. The more information they get, the better they can attack it. So, yes, in an ideal situation, you would be secure even if they did know your details, but security is never perfect. So it is wise to be conservative in sharing details.


Yes, we like to have all of the secrecy condensed in secret key(s).

On the other hand, there's "defense in depth" too. Just in case we made a mistake, let's not make it any easier on the hacker than we need to.

Social hacking in particular (gaining access to employee, who has access to local network, which has access to server X, which connects to the database...) can be assisted by inside information.


It's really dependent on precisely what those "certain details" that Erik mentions are.


That sounds like a great trick until someone doesn't see that it's just a hiring game, calls him out on it and publicly accuses him and his company of abusing interviews to socially engineer information about rival companies.


In that case he's got it the wrong way round.

Let me put it this way: is he also going to ask about the candidate's religion, expecting the answer to be "I can't answer that"?


What about "air gap"?


You don't want the adversary to know that common attacks are certain to fail, focusing them on more practical (physical) attacks.


That is some wtf material. Sense of judgement is part of a hiring criteria.


I would assume from your experience that there's a reason he was no longer employed at Yik Yak.


I agree that a guy looks like an idiot when he thinks there's nothing wrong with it.

That said, I doubt you will come across any fast growing startup whose early codebase was exquisite enough to put on github.

A lot of early startup codebase will be messy by nature and it's not fair to "look at a company differently" just because of that. In many cases what happens is the founders try out all kinds of things to make it work, and one day it starts working suddenly, and it works so well that they don't have time to go back and refactor anything because they have to focus on sustaining the growth.

Not saying that's how it should be, just sharing my perspective on why these things happen.


The WTF is not about the quality of code, it's that the engineer offered w/o asking the company's IP & secrets and didn't think there was anything wrong with it.

It's a frightening insight into the culture of a company where it is both possible to do that and not thought to be wrong.


Yeah I agree with what you're saying. But I was talking about this part:

> Needless to say, it definitely made me look at Yik Yak differently.

As I said, that's messed up that the guy thought that way but I don't think it's the company's fault. I can do the same for my employer what this guy did since I have access to a lot of private information, but that's my fault, not the company's fault for trusting their employee.


I suppose the op of the story is saying that the company Yik Yak IS its employees, which, especially for a small company, is pretty true. Isn't a company just === people that work for it?


I really don't know how you reach that conclusion.

This one unethical guy who doesn't even work there anymore, who's not even one of the founders, makes unethical decisions. And suddenly the entire company he used to work for--which really did nothing wrong and has nothing to do with this guy's behavior--is unethical?


I work nearby their Atlanta office, and about six months ago I received numerous phone calls and emails from an internal recruiter about a Go developer job in that office. Speaking of fad flame-outs, his pitch kept trying to link Yik Yak to Pokemon Go (i.e. "one out of every eight yaks is about Pokemon!"). Uhh, okay?

I never responded... because I heard that they had shot themselves in the foot with recent app changes, and were dying. Obviously, now I'm glad that I made the right call.

I've seen this happen numerous times in my career, though. I just don't understand the sort of denial that keeps companies in "hire mode", even when their internal metrics must make it obvious that things have turned south.


I worked at a company in sf that went from bumping internal referral bonuses / pitching the employees to push eng friends to apply to layoffs in the span of a month. Including an h1b engineer that had been lured away from another company 3 weeks previously. It is, btw, completely legal to lure people away from jobs knowing there's a good chance you'll have to lay them off in the very near future. CEOs are happy to fuck employees over and we should never forget it.


> CEOs are happy to fuck employees over and we should never forget it.

_Jerk_ CEOs are happy to do that. There are plenty of ethical founders and managers out there that loathe this type of behavior.

Unfortunately I see more of this flavor at venture backed companies....


By their very nature, VC backed companies are likely to get more unpleasant surprises than "normal" companies due to their need for regular large injections of capital from willing investors. Everything can look great until a round of investment falls through or is delayed and suddenly things can become unpleasant very rapidly.


that is definitely not true as a general rule for vc backed companies. this might be applicable to companies that have no business model/non-revenue-generating. but even then, any decent founder can do the basic arithmetic needed to figure out burn and runway


This will be a problem as long as “VC” is synonymous with “no business model”, which has been the case since at least the late-90s when you started to see huge valuations based on the number of users without any serious attempt to factor in the probable per-user revenue.

The only thing which seems likely to change that would be more of a cost for failure, since it's otherwise too easy to gamble everything on the small probability of a huge win versus a more attainable decent return, and it makes it harder for well-managed companies since they're competing with the gamblers for users and staff.


> CEOs are happy to fuck employees over and we should never forget it.

Completely unnecessary. Your initial point is a good anecdote, but globalizing it to all CEOs is completely unfair. Also, I reject the "us vs them" mentality of labor vs management. That sort of sentiment causes more trouble than it's worth.


It's cute you "reject" it, but the people who fire and the people who are fired do not play for the same team. Or if you prefer, the people who get 10-40% of a company and the people who get 0.2%.


> Since it began in 2013, the company behind the purportedly anonymous messaging app has never had, and still doesn’t have, any obvious source of meaningful revenue. Yet somehow, Yik Yak was valued by venture capitalists at $400 million in December 2014 after Sequoia Capital invested $62 million.

Do investments of this size/nature typically have a raise-or-pay-us-back date associated with them? i.e. are they usually done as a convertible note to force the issue or pure equity?


Investments in money-losing companies have a natural raise-or-do-something date called "zero cash day". And generally, the company can't raise new money without having a majority of each class of preferred stock vote for it, i.e. a majority of the money in every previous round. So if enough investors have lost confidence in management, no matter how much board control management has, investors can let the company run out of money.


> Investments in money-losing companies have a natural raise-or-do-something date called "zero cash day". And generally, the company can't raise new money without having a majority of each class of preferred stock vote for it, i.e. a majority of the money in every previous round. So if enough investors have lost confidence in management, no matter how much board control management has, investors can let the company run out of money.

I was thinking more about the situation where the founders fire all the employees, run the operation as lean as possible (to maintain their obligations), and stretch the $62M as long as they can. At $2M/year that's 31 years without accounting for any growth of the money itself.

Besides due diligence on the part of the investors to not give money to the kind of person that would do that, what prevents that situation?


If the founders retain board control and don't run out of money there is little the investors can realistically do. Both sides are taking a lot of risk, I wouldn't rate this as a terribly concerning one. Far far more founders spend too much money and nosedive into the ground.


xenadu02 is correct that your scenario is vanishingly rare. After a nosedive, the next most likely scenario is that a failing business cuts its way to semi-profitability, which leaves the investors stuck with a low-growth investment in a fund that's nearing its end.


I would assume the board seats that the investors get in return for their investment provide this kind of protection. If the founders do not want to raise another round then the investors can boot the founders out and replace them with someone that will play ball. With board control then this might be more implied versus explicitly defined in the fundraising terms.

Disclaimer: I've never been in this situation personally


I have not used YikYak since they required me to add a phone number, it's so antithetical to their entire point that, in hindsight at least, their decision to de-anonymize it is unbelievable. Are any of the wave of anonymous social apps doing ok or well?


As far as I can see, none. There was some discussion recently about Secret coming back into vogue, but that seems to have fizzled in the past fortnight.

The sad thing is, a lot of these apps are really successful in the outset, but then end up burned as the companies try, heavy handedly, to monetise.

As much as the startup world sees themselves as morally above the likes of Google who will sell out customers, many startups seem to sell out both their customers and their product, making fundamentally incompatible changes with what they were built on in the pursuit of cash.


Speaking of Secret, the founder of Secret's subsequent startup just launched a side project which is definitely not a stealth attempt at revitalizing Secret: https://bold.io/about-io-2016-12-06



Interesting seeing him shilling for Infinity, I thought he was all about ferraris: http://www.businessinsider.com/secret-founder-sells-ferrari-...


That's the first time I've seen that, and it's certainly no surprise that the company he works for is never mentioned in the video.


You say sell out, but the fundamental problem is (1) nothing is free, only who pays varies; and (2) landlords/intel + supermicro/aws take cash.


Oh, I agree that ultimately, someone must pay - but how you do it is important.

There are many dimensions in which to monetise, the simplest being getting users hooked and then charging a fee, and others that are more complex, and all of these vary in how much money they will bring in and how many users will reject them.

What I don't understand is why startups so often choose monetisation strategies that have such huge drawbacks in the context of their "killer features". In this case, in order to sell out their users (and build profiles ripe for exploitation in the most honest, business sense), they also had to sell out the purpose of the app: anonymity.

It's likely that in an alternate universe, YikYak tried something with a lower yield to what they saw with this strategy, but didn't headshot their customerbase.


Why do people get upset about a phone number? That's like a 1/2 step above an email address. Don't you have a Google Voice number (not on a Gmail account you use) or something for things like that?


they can and do detect VoIP numbers and reject them. I don't know about yik yak specifically but it's trivial enough that I'm sure they do it too


Is that why my comment was down voted? LOL Weird, I don't know about Yik Yak but using a Google Voice number has never been a problem before for me. Maybe I don't use the right services? People who only use a VOIP number are out of luck I guess? I take it back... I wouldn't use that service either.


At a Sequoia-organized hiring event (which was dubbed as a conference) in New York this October, I got a chance to interact with over 10 of YikYak engineers, their hiring manager (ex-Google) and the CEO.

The CEO had an unconventional background (was in med school at Furman), so I was interested in knowing how he made it. I was shocked to see that he didn't have any insights about how anything at the firm worked. I asked him how he raised funds, he replied that he found a family friend who worked in startups and everything was good from there.

I wasn't interested in getting a job as I already have one, but the arrogant hiring manager didn't stop his attempts at (literally) pushing me towards a computer and asking me to apply.

The (now, unfortunate) engineers were the only people who had some clue what they were doing (they had some really decent cross-language optimization problems)...


Furman doesn't have a med school. He was a pre-med.


I saw two of the founders speak at an event during SXSW last year. They spoke about the privacy and anonymity features of their app as if they added no value and caused more trouble than they were worth.

To be fair though, half of the people asking questions during the Q&A were angry teachers and parents, grandstanding about how they don't censor enough. I can see how that might wear you down.

I would have cut them a break if they hadn't generally come off as arrogant pricks.


This was sad to see. I work in their building and there were a lot of people crying and unhappy and venting in the lobby.


Unfortunately, the bad news hits hardest on those who believed the management's positive spin. You hope that the leaders were being honest with employees as things began looking worse, so that it wasn't such a surprise.


People shouldn't say "fired" when they mean "laid off."

Being laid off means someone's position was eliminated. Being fired means someone was terminated for cause, i.e. because of something they did (or didn't do).


What I don't understand are the people who still have it installed. They ruined the only interesting thing about the app when they forced names on everyone


They actually reverse-pivoted into being an anonymous app again.


How's that? Just use a fake name.


The problem with pseudonymous account names is that if you post consistently under one, it makes it possible for people to figure out who you are, people who know you in real life can figure out the pattern. Yeah you could defeat this by repeatedly creating new accounts, but that would be annoying.


Sorta related and not trying to pile it on, but I made a clone of Yik Yak during a hackathon a couple weeks ago.

Share notes with people nearby

https://unturf.com


I've always wondered what happens to all the private conversations, guaranteed anonymized by the user agreement, when a company like this decides to start selling off its assets.


Yik Yak had 50 employees?!

I'd have thought anybody could tell them that was too many...

Wasn't Snapchat or Instagram at around that until fairly recently? Yik Yak is no Snapchat or Instagram.


You're thinking of WhatsApp


My point stands m.m.


Indeed!


> Yik Yak fires 30 of 50 employees, still has no business model

Oh, so what? Ars is trying to spin it off like the former caused the latter, while it's definitely the opposite. They hired too many people and realized it was time to let some go. There's absolutely nothing wrong with a company trying to rectify its mistakes. Instagram had 13 employees at acquisition, Yik Yak might have expanded too fast, but they're fixing it.

> still doesn’t have any obvious source of meaningful revenue. Yet somehow ... valued ... at $400 million in December 2014

Plenty of companies have no revenue model initially, and can be valued at millions of dollars: Snapchat $800m in 2013[1], Instagram acquired at $1b.

Maybe I'm too naive, but a company makes plenty of epic mistakes throughout its lifetime, and can do some pretty outrageous things (Zuck's business cards [2]) but that doesn't mean they're incompetent, just learning. This article's trying to shovel as much dirt as it can on the company with cherry picked incidents about trouble the company's run into, and it's not a lot of trouble honestly. How is a company's experimentation with mandatory user handles part of a post on its downsizing?

[1]: http://qz.com/97467/snapchats-complete-inability-to-make-mon...

[2]: http://nextshark.com/heres-the-story-behind-mark-zuckerbergs...


Did they try running in-app ads? Why do they have "no business model"?

They should still have a big chunk of that $62 million left in the bank, if they only had 50 employees. Cutting that to 20 should give them a few years of runway.


I'd imagine they might have spent a bunch getting into campuses across the US...


They had a campus representative at my university (UK), not sure how that worked. But if you had high 'yakarma' you'd apparently get free Yik Yak socks/t-shirts etc. from them.


Everyone is moving to Jodel



