Hacker News new | past | comments | ask | show | jobs | submit login
Ask HN: I work for consulting firm that's illegally moving bank code to GitHub
80 points by AussieOdyssey on Feb 19, 2017 | hide | past | web | favorite | 78 comments
A big bank in Australia has outsourced its work to my consulting company and when I started work at this bank (One of the biggest in Australia) I noticed that my consulting company is illegally uploading bank software to github.

They do this because each consultant needs to have background verified by the bank security advisors which takes around 2-6 weeks and moving all the software to github allows all consultants to start working immediately (without waiting for background check to complete).

I pushed my code to github without my knowledge the first day and brought this matter to my higher ups in my company but they threatened to take me off the project if I "impeded the workflow of the team".

Now, my rest of the contract fees hasn't been paid out.

A software lawyer said I could be implicit in this activity (which he says is NOT criminal but civil liability) because I pushed my code to the company github on internet (Regardless of my intent or ignorance)

I am an independent contractor with the consulting company. The Financial Ombudsman said I do not qualify for lodging a complaint since I am not "technically an employee"

What's the way out? And will I be in legal trouble if I lawyer up?

A. Shut up now. B. Stop talking about this. C. Shhhh! Shut up! D. Get a lawyer

It sounds like you're a good guy who want to do the right thing. But no one here can fully understand your situation, and it is not smart for you to be discussing this here. Find a lawyer who can give you good advice and protect your interests.

>It sounds like you're a good guy who want to do the right thing

As much as I sound like I am trying to do the right thing all I am doing is avoid going to jail by doing illegal things and earning to feed my family

Gosh darn it! Shut the absolute fuck up! You cannot possibly help yourself by discussing this with your internet buddies on a world-wide public forum.

I tell you this because I love you: Unburden your soul to your favorite lawyer.

I don't want to (a) duplicate work and (b) misstep so I'm asking first - would you like me to ask in /r/AusLaw about this whole thing? I don't think there's much difference between me and you asking; just trying to be helpful.

EDIT: I'm leaving this comment here, but I just learned that /r/AusLaw does not provide legal advice under any circumstances. Asking them would likely get you the same "find a lawyer" advice you've gotten here.

Thank you for being helpful. I really appreciate it. I did checkout /r/auslaw and noticed that do not provide any legal advice under any circumstances.

I'm very curious about whether you've made any progress in figuring out how to resolve this yet. Primarily for your sake, and also because of the side effect that this is an excellent learning opportunity for others.

I noticed your response to the person who provided the anonymized email address. Hopefully that proves helpful!

One request: it would be really awesome if you could provide an update when this has all blown over (which I realize might be months from now - although I hope the $ side gets resolved way before then!).

On the one hand bumping old threads doesn't surface them again, on the other hand I'd say it would be a 50/50 chance whether an update post would ever actually reach the front page on here. Somewhere on Reddit might be a better idea, but I'm not (yet) quite sure where would be a good practical, relevant and high-visibility spot to put it.

No progress at all. I am about to give up and start looking for new contract.

Consulting company: Does NOT want to talk about it at all.

Bank: They were shocked by the news but since I am not their employee they can't reveal their decisions to me. I think they don't want to rock their boat and the consulting firm is major part of their IT division.

Ombudsman: I am technically not an employee. They want to help me but consulting firm refuses to communicate

Lawyers: Understable that they don't want to get involved unless I pay fees (It's like asking me to take a look at perl code for free). Too expensive and risk that I could be counter-sued. Plus it could potentially be criminal liability (With bank code and even customer data used for UAT on the internet).

Ugh. I've been staring at your post for a while wondering about solutions.

I wish there was some way to turn this situation into the bank thanking you with some kind of consideration.

At least it's good to hear that the bank now knows about it, although that doesn't really solve your situation.

I take it that fees are a problem because the contract payouts were stopped, more or less? (As infuriating as that type of situation is) For example I know of one lawyer in NSW who takes computer-related work - for mid-range three figures :/ (that said, would this be interesting to you?)

It sounds to me like it would be a very good idea for you to get a concrete, unambiguous idea (ie sit down and work it out with someone) of where you sit in terms of civil liability, relative to your total and utter ignorance (for example, what's the difference between (a) signing up for this contract, (b) walking into the building for the day and (c) committing the code? IANAL (!!!) but I reckon the argument of intent is equally weak with all examples). It's possible you may be less vulnerable than surface/kneejerk intuition might suggest - but of course I could be wrong. (I have absolutely no idea.)

Besides making it clear to the lawyers about the immediate/current liquidity situation, the bank and ombudsman don't seem completely against you, and I wonder how far you could go with that.

I assume you've reiterated all of the context (without unnecessary details, unless that's okay) with the Ombudsman, to see what ideas they might be able to come up with.

With the bank, you've probably scored a few points with the security and related folks there. If the consulting firm is integrated into the bank then that might point to systemic breakdown elsewhere, but on the other hand, their silence could simply be professionalism on their part while they mete out corporate knuckle sandwiches. (Or I could be being ridiculously optimistic.) Maybe you could chase them down and see if they'd be interested in having you on board; worst (ish) case is that you find more of this kind of thing and get even more points. Something to keep in mind.

Finally, have you tried Legal Aid? They're not lawyers per se, but they may be able to give you a bit of a foundation to headscratch through this with. I would definitely call them. (It's only 3PM!)

As a last resort another contract may turn out to be necessary, and I hope that works out if it comes to that. But don't completely give up, even after that point - you refused to do work that could legally compromise you because it violates corporate policy and standard security access controls, due to the craziness and laziness of others. You should still receive your contract payout.

lol at the perl code bit :)

If you want to get in touch, my email is in my profile, and the username you've picked isn't taken on Gmail yet FWIW; there's really nothing interesting Gmail can leak. Just use a fake name/birthday for the associated G+ account that will get created.

Unfortunately there are no solutions. The consulting firm is too firmly entrenched within the bank and the bank cannot make any decision without harming themselves. I have resigned and I will post an update on HN soon.


For what it's worth, thanks very much for the concise headsup.

I think I can safely assume you'll provide a good idea of your experience in that update!

I'd really appreciate a link to it when you post it - I don't want to miss it.

First of all - get a lawyer.

Secondly - get a lawyer.

I don't know what state you're in, but Reddit's /r/AusLaw has a thread[1] which has the various law societies in each state, who can give you advice, and information about community legal centres.

[1] https://www.reddit.com/r/auslaw/comments/1u776a/looking_for_...

Multiple forms of bad behavior here: working w/out clearance; making confidential code publicly available; conditioning payment on illegal/unethical conduct.

Definitely a lawyer - a new one, since if you were satisfied with the first one you wouldn't need to come to HN.

Some questions to ask the new lawyer:

- Under applicable law, would you prevail in court to get your fees if you could only fully "perform" your obligations to contractor's satisfaction if you violated law? I'd expect answer to be yes, which could be noted to contractor's in-house counsel.

- Under applicable law, in your situation, if the contractor continues to sit on the complaint without action, is there any possible argument that you would be required to escalate to the bank or a regulator? That's critical info for your own protection and also could inform what your lawyer says to contractor's in-house counsel, if you go that route.

This - EFA might even worth be asking who might be a good person to represent you.

Anonymously heads-up the country-level information security officer of the bank in question with a link to the Github repo. CC the country head.

Working on code without security background checking confirmed is an absolute no.

This will completely torpedo your employer, but that might not be so bad if this is their attitude to information security.

Edit: As anonymous as you can. Have a lawyer present. Don't take advice from the internet like it is legal opinion.

The consultant is running wireless hotspots to copy the software. All I want is the contract money they agreed to pay me for this project. They froze the payment because I complained about this, at best unethical, behaviour.

You will need a lawyer to determine your own liability here, to determine the best path to report this to the bank, and to check your contract to see how you can force the payment to be delivered. Save any and all communication between you and the contracting firm, ideally on a device that they do not control, and don't communicate in any way that can't be recorded for your own protection.

Once things reach this stage you need a lawyer

Get a lawyer and another job. Putting that data on GitHub may not be a crime, but what they are doing to you may be one.

You're not getting paid until you break the law.

If they're refusing to pay you, as mentioned in a comment, get a lawyer. Now.

The lawyer can help you recover your wages AND advise you about the legal implications of both your and the company's handling of the code, and of any action you might take to reveal it.

I am not clear on one important detail: Is the code being pushed to a public or private GitHub repository?

In any case, there are 2 issues:

1. Your employer (the consulting company) does not want to pay you for the work that you have done.

2. Your current assignment involves supposedly illegal activities (putting the customer's (i.e. bank's) code to GitHub) in which you do not want to participate.

In order to resolve issue #1, get a lawyer, analyze your contract and if its terms were indeed broken, sue the company.

In order to resolve issue #2, simply do not do it. Quit the job. If the matter bothers you and you want to stop the supposedly illegal practices from occurring again, talk to the customer (i.e. the bank, not your employer). They must have some means of internal whistleblowing. Find out what it is and how to raise a concern. It should be possible to do it anonymously. As soon as you do it, your part is done. From that point on, it is their responsibility to take the matter further, should they wish to do so.

1. Theoretically I am the asshole. I refused to push the code to github and the company refused to pay me.

2. Yes, I refused to do it until proper channels were established but I ended up looking like a sore thumb when other employees didn't mind pushing/pulling from github.com via wifi hotspots.

I can talk to the bank, I can quit the job but the bottom line is that I will be without any cash inflow. My lawyer said that the consulting company is one of the biggest one and they will make sure that I don't have another job (Which is kind of true because of reference checks)

You did not answer the question.

And how exactly can your past employer "make sure" that you do not have another job? I do not get your remark about the references check.

If your potential future employer will be interested in references from your past employers and if they find out something which raises concerns, they should want to hear your side of the story as well. You will get every chance to explain what exactly happened and why you acted as you did. If they do not like it, you probably would not want to work for them anyway.

In any case, do not get intimidated and do not worry too much about the loss of income. It will be temporary. You have all the freedom to choose your next employer. Do so wisely.

A word of warning - it's quite straightforward to do a Google search for 'site:github.com {bank_name}' for the large Australian banks, and find a repository that looks like the one you describe.

You might want to contact the HN admins and ask them to completely scrub this entire thread, as it could well get you into trouble.

I don't get your comment. Assuming we are not talking about public repos here. OP's employer did set up a private github repo where contractors collaborate on bank's code. This cannot be searched by google. The problem OP has is that the code should not be hosted outside bank's own infrastructure and contractors should not have access before they pass background checks. According to my understanding.

No. They said it's on the public GitHub, as opposed to private GitHub enterprise installation. Not that the repo itself is public.

This is correct. It's a "public github" as in it's on *.github.com with access to all employees of the consulting company regardless of the background check (That's the whole idea of them moving to their github repo)

I think there's a small misunderstanding here that I'd like to clear up explicitly.

Public GitHub repos are viewable by anyone with or without an account. You can view and clone the repo if you know the correct URL.

Private GitHub repos are only accessible to those given access.

Within the scope of this terminology, my understanding is that this repo is private. I think I'm right based on https://news.ycombinator.com/item?id=13682657 and https://news.ycombinator.com/item?id=13682501. Am I right?

Within the scope of corporate security, I understand that the code is being moved out of the local intranet onto a non-corporate-managed Web service. However, GitHub manage private repos for some fairly high-level groups (or at least I assume they do), so their data protection policies are clearly very decent. (I at least know that individual floors on the building are keycarded, which is nice. I learned this from a story posted here by a guy who got fired.) So, even though this is an impressive level of stupid, I'm relieved that no leaking can/will happen (particularly for your sake now you've posted this here).

OP, please note that several people have reached out to you from top-level comments. If you could add a new comment listing an email address (IANAL but a new gmail one would probably be okay), or even better yet put it in your profile, that would probably result in some nice leads for you.

> I understand that the code is being moved out of the local intranet onto a non-corporate-managed Web service

Spot on and this is what I meant. By "public github" I meant code on the internet but accessible to anyone in the consulting company. There are multiple modules and they are moved to github,bitbucket and stash.

This also means people without background checks or ANYONE in the organization has access to ALL the code of the bank. In the bank ONLY people in specific departments have access to specific code (As is customary for all IT industry)

I am not trying to be a whistle-blower and mr goody two shoes. I am very angry that my refusal to upload code to the internet is resulting in non-payment of fees and threats that I will never get a contract in this city. And as an independent contractor I am truly terrified of uploading bank code to the internet; I don't want to end up in jail for stupid reasons.


Hmm, so this is violating standard access controls. I can appreciate your freaked-out-ness...

I understand you're not trying to make a scene (especially considering the circumstances!) and are simply trying to resolve what is effectively a legally-tangled paycheck bug.

Have you made any practical headway with figuring out how to resolve this? https://news.ycombinator.com/item?id=13682560 looks interesting, and https://news.ycombinator.com/item?id=13682806 sounds helpful also.

PS. FWIW, I'm in Sydney myself :) although I'm not working at the moment.

Let the hunt begin!

To everyone worried and/or curious, the code is in a private repo. https://news.ycombinator.com/item?id=13680180

>OP's employer did set up a private github repo where contractors collaborate on bank's code.

This is correct. They are not doing anything criminal. They just want to make sure all employees start working from Day 0. However this is illegal and I refused to push my code out of the intranet

You can see the company's github profile but you cannot see the project. It's only for the consulting company employees. The commenter below explains it right.

It's moved out of intranet into the internet without consent to avoid delaying work for employees who failed/in process of background check

As a consultant, this is why it is a good idea to have a corporate entity to absorb contractual liability...and why it is a good idea for that corporate entity to have no assets.

Practically speaking, and skipping the 'hire a lawyer' part. It is likely that if there is legal action, it will be directed at the consulting company first and foremost because it is likely to have deeper pockets and be backed by an insurance policy that was acceptable to the bank.

Generally, the insurance company will settle based on its exposure rather than outright liability. These things rarely wind up in court. Which brings me to my second recommendation, have insurance for errors and ommissions.

Good luck.

Yes, what you are saying is true and that is indeed how I have worked in financial industries. I have my own ACN (C-Corp) consulting company with Indemnity/Liability insurance through which I work.

However this muddies up as I consult to a consulting company which in turn consults to the bank. I was informed by the Ombudsman that this was a common way to work in Silicon Valley and US has laws that clarifies it however Australia has not updated the laws regarding this "double employment"

Thanks. I tried to avoid getting too specific since I knew Australian law would be different, i.e. in the US the normal form of protection would be an LLC or an S-corp (tax pass through closely held entity) and a consulting firm in the US would very rarely be a C-corp (taxable income at both corporate and individual levels).

What employment means is also different. A person consulting to a consulting company that consults to a bank would have no employment relationship with either the bank or its direct consultant. The person might have an employment relationship with their own company that was contracted to the bank's direct consultant.

All of which ought to be governed by contracts...which I failed to mention, but I'd not be surprised it they were in play here.

Off topic: It would be good to have C-Corp and be taxable at both corporate and individual levels because companies pay a flat tax while individuals are tiered. This way we can choose our salary and leave the rest in company.

This however severely complicates cases like mine which has three pass-thru contracts

In the US, there is a cap on the wages to which social security tax applies. That tax amounts to approximately 15.5% of gross salary when the company portion and the individual portion are combined, the effective tax rate for an individual is much less progressive than portrayed in popular political opinion. It is also the case that control of a C-corp offers much less personal liquidity than is possible with an LLC. In addition, the layer of complexity for a C-Corp is likely to require more meaningful (from an individual perspective) expenses on legal and accounting services.

All things being equal, it makes sense to optimize on taxes. Most of the time, all things aren't equal.

I would use the consulting company's open door policy and go up the chain... right to the country lead partner and mention this to them in writing. Believe it or not ethics is extremely important to consulting companies as trust and future work depends on this - and bring up any fears of being dismissed for bringing this up to their attention.

>consulting company's open door policy

Just a heads up (regardless of my case):

Company open door policy exists to protect the company. Even the HR is there to protect the company. Even in US, whistle-blowing or rocking the boat will result you in being fired faster than you can say Oklahoma backwards.

I am not a lawyer, but I think we can safely talk about the commercial aspects to this.

1. The bank won't chase you for what you've done. You have nothing the bank wants. The bank's legal team have bigger fish to fry. It's not cost effective for them.

If you want to walk away from this and forget about it, no-one will ever bring it up.

2. Nothing will happen between the bank and the consulting company. If you want to make life interesting, you could send an anonymous tip to the bank's auditors (likely to be Deloitte or KPMG). There will be a slap on the wrist for the consulting company, and they will be forced to put in some kind of better access control. Which they will then bypass unless the auditors come looking.

3. The only issue for you is getting your contract paid out.

If you and the consulting company's contract can be heard in Australia, you could try small claims court. There might be an equivalent in your own country if not. This is cheaper for the litigant and doesn't require legal representation (in Australia). There will be a process to follow (send a letter of final demand, etc. etc.).

I've never had to execute a small claims court case, because just the threat of it is enough to make most companies behave themselves and act like adults and negotiate sensibly.

In your case, the consulting company doesn't want it announced in court that they are violating the security of their customers (and that the reason you couldn't complete the contract was because you didn't want to be complicit in it). That costs them more than paying out your contract. Therefore they will settle before it gets in front of a judge.

But getting there will take weeks and months of heart-ache and stress. Decide whether it's worth it.

Just my $0.10 from 20 years doing consulting work with large enterprises.

"Illegal" how? Against an actual Australian law, or do you think it's against the terms of the master services agreement the bank has with the consulting company. Have you seen that agreement or the specific statement of work they're operating under?

I have worked in Financial sector for a long time and know that copying bank software illegally is criminal in US and probably civil in Australia.

I program for the bank via the consulting company and my code is on the internet. Plus my contract is frozen with fees until I withdraw my complaint to IT of my consulting company.

Not sure who to talk to in the bank. HR said I have to resolve with my consulting company but I am pretty sure the HR doesn't understand the implication of copying software

Is the illegal part generic for any software because of copyright and licensing or is it specific for banks? If the latter, what are those laws based on? Why is it not the same as any software for any private company?

You're doing the right thing, please look out for yourself though!

You're pretty much inviting media in on this now before you're ready.

Delete post, it's a short list here in AU and I know which one of them I'd look at first. Get more legal advice before going any further.

Tricky spot. You need a lawyer to write what's called a letter of demand for the rest of your contract fees. If your consultancy has any sense that should resolve things. Don't contact the bank as that could backfire. Suggest contacting https://www.slatergordon.com.au/dispute-resolution/contract-...

My speculation is you're working for cognizant am I right?

I'm not seeing any GitHub organizations in Australia with that name...

I will neither confirm nor deny this.


If you're in Sydney and want to have a chat email me edward at flagshiplegal.com.au.

Seems like if you notified one of the higher ups in charge of security at the bank, they would probably take care of it. And maybe you could parlay this into your own consultant agency by being honest and promising to follow the rules and take their security seriously. But definitely consult a lawyer. I have no stake in your future. And free advice is often worth every penny you pay for it.

Firstly you need to take care of yourself. If they are refusing to pay you and you are coming here to make an "anonymous public statement", it is fair to assume that your employer didn't like what they heard or quite simply how they were told. It is important to remain true to your values, raising it with your employer and explain why you are uncomfortable with that would have been my number one suggestion. She/he should be able to understand. It looks like she/he did not, my suggestion would be to raise it to she/he managers and managers manager. Always calmly and respectfully, as most likely there isn't necessarily a malicious intent.

Secondly, if you are really keen to reach out to the bank I'm happy to do it for you as I know quite a few security teams in the major banks. But please do not disclose who you are. Email me at 6lh008+1lhx68glu7jh83h8r9pxo7ad9wc8uao@pokemail.net

Thank you for the polite response. I did speak to the consulting company HR and their response was extremely rude with them going as far as saying they will make sure I never get a contract with anyone else in "(this city)"

The federal ombudsman offered to mediate the issue but they flat out refused to talk to either the ombudsman or me and the ombudsman has no power to force them (as they are technically not my "employer")

I am sending you an email

Hi. I think this comment shows up at the top of your user comment page so I'm adding this here.

I understand that things didn't work out but I'm very curious to find out what direction you went. An update would be hugely appreciated :)

What rights has the bank given to the consulting company regarding the software?

If the bank has stated that the software can't be on github and your company is putting it there then it sounds like a legal trouble between the bank and consulting company with you as the whistleblower, if you decide to lawyer up

There are strict security in place to prevent any "leaks" of software which means all USB ports are disabled in company devices, the company network has disable git/github/bitbucket and our security manual explicitly states that the code cannot leave the intranet.

The consultant bypasses this by running wireless hotspots

Talk to a lawyer. Especially because you're asking about Oz advice on a primarily us site, so common understanding of the law may be different. And whatever you do, consider if you can afford getting both fired and sued right now - even if people tell you you're right.

Also I'm assuming that's 100% the public GitHub service and not an on-site, or specially negotiated GitHub enterprise system?

100% public github because they want to give access to new employees who do not have access to enterprise system.

Sounds like they want to give access to everyone on Earth!

Please tell me you're not saying they're using a public repository (one reachable to anyone, even people not logged in to GitHub).

Sorry, that's not what I meant. I mean *.github.com and NOT an enterprise level private repository.

If you go to the company's public github & bitbucket profile you cannot see the project but you can see all the devs and all these devs have access to the code.

The logic is: All the employees are able to work with minimal delay (caused by background checks)

Thanks for clarifying. It appears some other people in this thread ran to conclusions. Although the situation is still bad, just not immediately disastrous.

could be the repos at https://github.com/WestpacCXTeam

I vouched for this because it's a fair point to make, and also because it can be 200% debunked:

1. That repo links to a publicly-viewable website, I'm seeing files in the list from 9 months ago (way long enough), and GitHub has a very clear, very well-oiled DMCA process. This is up because it's okay.

2. From https://news.ycombinator.com/item?id=13682657 (nearby this thread):

> If you go to the company's public github & bitbucket profile you cannot see the project but you can see all the devs and all these devs have access to the code.

IOW, it's a private repo hosted on GitHub. «The code is safe from the public» but the contractor's actions still squarely violate the security guidelines for the project such as no USB drive access (!) (https://news.ycombinator.com/item?id=13679303).

The OP qualified this fairly explicitly here: https://news.ycombinator.com/item?id=13682501


Just a clarification that I posted here:

By "public github" I meant code on the internet (from the bank intranet) and accessible to anyone in the consulting company (public as in public network). There are multiple modules and they are moved to github,bitbucket and stash. This also means people without background checks or ANYONE in the organization has access to ALL the code of the bank. In the bank ONLY people in specific departments have access to specific code (As is customary for all IT industry) This in turn means all contractors that git sync have all code on their machines regardless of their access.

The consulting company is not breaking rules just for the sake of it but to speed up development although what they doing is illegal.

> although what they doing is illegal

I can't add much to help you, but I'd be interested what laws requiring background checks for this look like, could you tell me where I can find more about that? (I would have expected this to be "just" a contractual requirement between the bank and your employer)

What SCM does that bank itself use? It may have started as a svn bridge or something and been moved to github and had access extended accidentally.

Oh ouch. That git setup is... great lawyer material. Wow.

Ask a lawyer, also asking programmer for legal advice is like asking doctor for stock advice. They might think they have a good idea of what to do, but 99 times out of 100 that's because they have no effin clue what they're doing.

If I were you I wouldn't worry about doing anything about the code being on Github. You need a lawyer to get the money you're owed, and then find another job.

As far as the bank goes: this is what they get when they outsource their work to an unscrupulous company. The company you're working for likely cheats both ways - don't expect to be treated any better in the future. They probably screw a lot of their employees over. They seem to have no issue doing illegal things. You don't want to be working for a company like this.

Now, my rest of the contract fees hasn't been paid out.

A software lawyer said I could be implicit in this activity ...


What's the way out? And will I be in legal trouble if I lawyer up?

I'm not sure why you are asking for advice on Hacker News if you've already spoken to a lawyer. Has the lawyer advised you to lawyer up?

There's nothing wrong with whistleblowing, or even venting on HN if you feel you were robbed by the consulting company of contracting fees, but I don't see the point of seeking legal advice here, under these circumstances.

I have contacts in the security team of most banks in Australia. Happy to help

Did you intend for your username to give away where you work? Unless of course Odecee is not the firm here.

You should probably check your professional indemnity insurance is all sorted out if you are a contractor.

One thing that I haven't noticed anyone here mentioning is:

Document everything you've done. Everything. It may help protect you.

But get a good lawyer.

What in the fucking fuck! How hard is it setup your own git server for the consultants to use?!

Contact the CEO of the consultancy. Assume he/she doesnt know and would like to know. Do it in writing. Then write registered letters to all directors of bank if no satisfactory answer and remove yourself from project, and send threats of legal action if not paid in required time.

If you are upfront with the bank, it is unlikely they will take legal action against you. In the event they do, you will be protected by your limited liability company (assuming you are operating through one).

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact