Date: 2017-04-24

In college, I was really interested in how Yik Yak worked and found out that, given a list of N user ids (which were super easy to generate), one could send downvote requests to the server and instantly delete any post with a score <= (N - 5). Infinite loop + pass in a list of locations (e.g. a list of colleges in the US), and it's pretty darn easy to disable Yik Yak for the entire country.
There was no location checking to see if a user id was being used in both Florida and Montana at the same time, and there was no real throttling. I hit up their support, and tried to reach out to their devs, but I kept getting brushed off.
Of course this is just one small thing, but I'm not exactly surprised at how things are turning out if this was the level of interest that the Yik Yak team showed in their own product.
I used it up until they asked for a real phone number. It was kinda cute, but yea, mostly filled with college students. Depending on where I travelled in the world, there may have been messages from three weeks ago on the top for that area. I was surprised how many remote areas had at least a few yackers; although very few non-English posts.
I think my favourite Yak: "If you ever feel down about Uni, just remember there's still someone from your home town trying to make it as a rapper."
The scale I'm thinking about is "Are you really in the store you say you're in?" where all users are from the same fairly dense city. So geolocating the IP isn't good enough. Accuracy to a city block or two seems good enough though.
My best idea so far is to submit a list of available wifi access points, and use that as a "password" to prove that you're where you say you are. If your list is 80% like the list of other users at that location, we trust you.
Unfortunately in iOS you can't get that list! It requires a private API, so calling that method will get your app rejected from the store.
Does anyone have any other ideas?
http://engineering.shapesecurity.com/2016/08/pokemon-go-api....
Basically sign your API requests with the most obscure function of phone context variables imaginable, and recognize that if you get so popular that it's cracked, you can just hire a machine learning team anyways. And pin your certs!
Apply a max threshold to check if a client is reasonably close to potential "co-located" clients.
You can't shrink physical distance. Pinging a server in a nearby US city is 13ms. Hong Kong is 232ms.
A much easier problem than "are you really where you say you are?" is "are you likely to be sending me fake locations?", which is hard to do with a single location update, but if the user is moving rapidly, or in geographically distant locations across multiple updates it's much easier to catch.
Do you have a user login system? Can you easily isolate fake data to a certain set of accounts? Or are you dealing with anonymous requests?
One possible solution you can look into is signature authentication of the headers to verify that the request is coming from a trusted source. You can either use a public/private key pair or a symmetric key with HMAC. That being said, this isn't foolproof - you have to keep the key secure, and that isn't totally possible in an app. If someone attaches a debugger they will be able to get your secret key if they're determined enough. The best you can do is obfuscate / encrypt the key so that it can't easily be read out from the strings in your app.
If you wanted to verify the location data itself, you could look into modeling the user's movements and look for abnormalities in the sequence of locations. Also, you can check the location against an API like Google or Foursquare on the back end.
Curious to hear what other people think as well.
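The symmetric-key HMAC option from the comment above, sketched from the server side as an added example (not code from the thread or from any app discussed here). The header names, the 300-second freshness window and the sample key are assumptions; the timestamp and nonce checks are there because a signature alone does not stop a captured request from being replayed.

```python
import hashlib
import hmac
import time

MAX_SKEW_SECONDS = 300  # assumed freshness window for the signed timestamp

def sign(key, method, path, body, ts, nonce):
    """HMAC-SHA256 over method, path, timestamp, nonce and a hash of the body."""
    canonical = "\n".join(
        [method, path, str(ts), nonce, hashlib.sha256(body).hexdigest()])
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()

def signed_headers(key, method, path, body, ts, nonce):
    """Headers a client would attach (header names are hypothetical)."""
    return {"X-Timestamp": str(ts), "X-Nonce": nonce,
            "X-Signature": sign(key, method, path, body, ts, nonce)}

class RequestVerifier:
    def __init__(self, key, now=time.time):
        self.key = key
        self.now = now
        self.seen = {}  # nonce -> time after which it can be forgotten

    def verify(self, method, path, body, headers):
        """Return 'ok', 'malformed', 'stale', 'bad_signature' or 'replay'."""
        try:
            ts = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            sig = headers["X-Signature"]
        except (KeyError, ValueError):
            return "malformed"
        now = self.now()
        if abs(now - ts) > MAX_SKEW_SECONDS:
            return "stale"
        expected = sign(self.key, method, path, body, ts, nonce)
        # Constant-time comparison avoids leaking how many characters matched.
        if not hmac.compare_digest(expected.encode(), sig.encode()):
            return "bad_signature"
        # Forget nonces whose timestamp can no longer pass the freshness check.
        self.seen = {n: exp for n, exp in self.seen.items() if exp >= now}
        if nonce in self.seen:
            return "replay"
        self.seen[nonce] = ts + MAX_SKEW_SECONDS
        return "ok"

KEY = b"constructed-demo-key"  # constructed sample key, not a real secret
```

As the comment says, a key shipped inside an app can be extracted, so this raises the cost of forging requests rather than preventing it.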
Make the user take a pic of the store, then check the EXIF for the timestamp. The pic should be very easy to shape-compare with other submissions of the same store (hardware doesn't move much, as opposed to faces), and the pic should never be exactly the same (refuse submitting twice the same pic).
Other solutions require the participation of the store: Dynamic QR codes, microphone authorization, or a website on the store's Wifi internal network.
Not to mention, most phones may not have those sensors.
[1] https://www.phonegg.com/list/303-Cell-Phones-with-Barometer
Also, pressure in vs outside can vary more than you'd think...
Barometers aren't very widely spread and I'd be wary of their calibration.
Might be tricky accounting for air travel but even then you could safely assume nobody's taking more than two flights a day and six a week or something like that
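Several comments above describe the same server-side checks: per-user throttling and catching one user id appearing in distant places at once (the Florida/Montana case), flagging rapid movement across updates, and leaving room for air travel. A sketch of those checks as an added example, not code from the thread; the class name, the speed ceiling, the vote limit and the coordinates are assumptions.

```python
import math
from collections import defaultdict, deque

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 1000.0      # assumed ceiling, about airliner speed
MAX_VOTES_PER_MINUTE = 10   # assumed throttle, not a figure from the thread
GPS_SLACK_KM = 1.0          # ignore jitter between nearby fixes

def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (a[0], a[1], b[0], b[1]))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))

class VoteGate:
    def __init__(self):
        self.last_seen = {}               # user_id -> (ts, (lat, lon)) last trusted fix
        self.recent = defaultdict(deque)  # user_id -> timestamps of accepted votes

    def check(self, user_id, ts, location):
        """Return 'ok', 'throttled' or 'impossible_travel' for one vote request."""
        window = self.recent[user_id]
        while window and ts - window[0] >= 60:
            window.popleft()
        if len(window) >= MAX_VOTES_PER_MINUTE:
            return "throttled"
        prev = self.last_seen.get(user_id)
        if prev is not None:
            hours = max(ts - prev[0], 1) / 3600.0  # clamp out-of-order timestamps
            dist = haversine_km(prev[1], location)
            if dist > GPS_SLACK_KM and dist / hours > MAX_SPEED_KMH:
                return "impossible_travel"  # rejected fix does not replace the trusted one
        self.last_seen[user_id] = (ts, location)
        window.append(ts)
        return "ok"

# Constructed sample coordinates (a Florida and a Montana college town).
GAINESVILLE = (29.6516, -82.3248)
MISSOULA = (46.8721, -113.9940)

def demo():
    gate = VoteGate()
    return [gate.check("u1", 0, GAINESVILLE),          # first fix
            gate.check("u1", 30, MISSOULA),            # ~3300 km in 30 s
            gate.check("u1", 6 * 3600, MISSOULA)]      # same trip over 6 h: a flight
```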
In fact, I've found often times they're inversely correlated. Maybe something to do with where time is spent?
Source: spent a year helping a client migrate from Stripe to Heartland to save a few basis points. Things like faxing docs to terrible APIs to constant lies from sales, who are a bunch of ignorant, rude good ol' boys, just like most of their competitors. Pure incompetence at virtually every point of interaction. Literally have not a single good thing to say.
I'd invest a significant part of my net worth in Stripe if I could. They and companies like them are going to destroy Heartland in the long run, and it can't come soon enough.
The least painful way to integrate is semi-integrated with Pax or Dejavoo, and that way your customer can choose from the majority of processors with minimal work on your end. Typically I see grocers paying under 1% after interchange, network fees, processor fees, etc, hence why there is motivation to deal with the legacy good ol' boys.
Helpful library: https://github.com/AccelerateNetworks/PHPax
Vantiv Payments
Are the incoming acquihired engineers worth that much more than the ones you already have? There are certainly exceptions but by and large I can't imagine this being the case.
There do need to be two conditions met to bring in the big bucks though: 1) you need to perform, such that your value to the employer is > $1M, and 2) they need to be afraid of losing you. Many employees fail on one or both conditions. They either slack off or don't work on the right things (so they're not actually worth that much), or they're "company men" who will unquestioningly stay with the company regardless of whether they're compensated fairly.
EDIT: Since I am being downvoted, I thought I'd provide some data to back up my claim. The average total compensation for a Senior Software Engineer in the US at Google according to Glassdoor is $267,413.
Definitely a lot of employees do sorta check out while their stock options vest, but not all. From what I've seen, maybe 50% of the employees in an acquisition aren't going to be worth it. But the 50% that do continue to work hard and assimilate well into the acquirer's culture tend to add a lot of value - many of the best coworkers I knew in my last job were there through an acquisition. I could easily believe that they're adding > $2M value amongst the 50% who continue working hard.
It would be potentially interesting if the upvote/downvote thresholds and ranking took into account your Facebook or other social graph, and then extrapolated to other people that might find your posts interesting.
Yik Yak could have been Waze. Yik Yak could have been a tool for students to ask questions during class when they didn't understand what the professor said. But it wasn't.
I think this would be a cool thing to have, but one of the key things for YY was the anonymity. Linking with FB would have killed that (as forcing users to create usernames did).
I feel like they could have saved money and created happy engineers by offering each employee a hefty sign on bonus.
It's called an "acquisition" as a face-saving mechanism for the company's founders and investors. It lets them go to investors for their next startup [or fund] saying "Yeah, we [our portfolio company] were acquired by Square", which sounds a lot nicer than "We shut down the company and then Square hired all our people." The acquirer wins, the employees win, the founders & investors save face, and the losers are future investors who don't delve too deeply into what "acquired" means.
By going at it collectively, it reduces perceived downside risk. Also, it reduces Square side's risk that one or more key people it wants would balk at the individual offer. By offering a group deal, it pressures everyone to join, since human nature is to not want to sabotage the communal good for your own benefit, especially when you've worked together for years.
It may also permit a more holistic retention package for the next 4 years for this team and keep VCs happy.
(Partly this is because the rules of the game prevent replacing Lionel Messi with 1,000 cheap non-Western consultants hired through three layers of outsourcing)
Interestingly, these are common anyway. Some obvious examples are laws against suicide, incest, and infanticide.
remembered them doing very well on campus last two years of college. They had on campus reps to hand out "schwag"; probably not very fun to scale. The obvious bullying was the problem. If they had found some way to solve that and snuck their way back into high schools...
then again, kids can be so cruel.
The unique commentary was what made it, there was essentially humor that everyone could relate to and the unique perspectives people felt were too uncomfortable to share with their persona attached. It was fascinating to watch what would come up over the day
The exact same reason bullying could happen was the exact reason people loved it (anonymity).
Group A (parents, schools, etc) wanted complete de-masking + real-world identity while Group B (the users) wanted some anonymity with no real-world identity.
Yik-Yak could've never won as far as I can see.
I stopped using it when they added mandatory profiles. For online discussion, there is a huge difference between anonymous and pseudonymous. While anonymous, no persona is formed in the mind of other users, except within the context of a specific discussion. It is impossible to form factions. Group think is somewhat minimized, because no one knows it is you that is not following the party line on issue A, even though you are totally on board for issue B.
When you are pseudonymous, factions form, grudges form, prejudices form. Suddenly someone remembers your position on gun control and assumes your position on the death penalty. If you say something stupid, it stays with you.
I don't want to share my sexual interests and my political points of view with strangers and have those things be linked to the same account (from the user perspective). I DO want to do that without that link. I think it tends to focus more on the issues, and lets people avoid the artificial barriers that otherwise might come between them.
When they made this switch, it was suddenly an entirely different app. It was no different than just finding a random web forum, except that you could be sure the people around you were geographically close to you (sort of). Completely non-anonymous Next Door is better in that regard anyway, and Yikyak no longer had anything to offer me.
Same here. It seemed to me that they got rid of the one reason people were using the app in the first place. Also if this was to prevent abuse it actually made it easier to harass another user - 'oh it's that jerk qwerty123 again'
Another issue with being localized is if there aren't many users in the area. It was always busy in a city, but in a rural area there were very few posts - this could've been mitigated by scaling up the coverage zone
The -5 making things disappear wasn't the best solution, as the 'top rated' could become pretty generic stuff, whereas funny but controversial things could vanish quite quickly
I wonder if some sort of anonymous reputation system could have saved them from making product decisions that were counter to the reasons for using the app in the first place.
I've heard that the Atlanta tech scene is dominated by business types rather than techies. It wouldn't surprise me if leadership is selling off most of their engineering team and planning to outsource as needed from here on out.
In ATL, can confirm. That's not to say there aren't good engineers here.
I moved here from Philadelphia and was surprised that from an engineer's perspective the tech scene was significantly better in ATL. There were more jobs at more interesting companies. Obviously this is anecdotal from one job search 5 years ago. Philly might also be surprisingly poor.
One cool company here is BitPay. Not sure what they are valued at these days but they are a big name in the bitcoin world. I think they have some solid engineering there. I worked with Oracle for a couple years here right after they acquired a company called Vitrue for $300 million. It's not unicorn status but that was one of several acquisitions around that time. Acquisitions like that in Philly were much more rare.
There are a lot of huge corporations here which can continually spin off startups and Georgia Tech is a good source of new engineering talent. I think Atlanta has a healthy tech scene but not one focused in headline grabbing areas.
This seems to select for businesses that find cash generating opportunities as opposed to chasing "changing the world."
Two things:
1. Atlanta's tech scene is largely b2b. It's driven a lot by people who worked in industry and then had a great idea for a company and left. Or serial entrepreneurs who are capable of building a business but not a product. So a lot of companies simply originate from "business types" because they're founded by them, for them.
2. ATV. ATV strived to make itself the face of the ATL startup scene, and generally succeeded. But the resources ATV provides are all primarily aimed at business types - pitch practices, VC events, demo days, and networking gatherings. And so business types gathered there, since that's a convenient place to be, and the successful companies went elsewhere due to rising rent. So now, ATV is largely the face of startups in Atlanta, and yet is a building filled with "business types" hustling to get their company started or funding secured. The optics on the startup ecosystem are consequently very heavily "business types" because everyone tends to just look at ATV as the thermometer.
1: http://atlantatechvillage.com
Random example companies: http://www.virtuallybetter.com/, http://safeheartus.com/
http://www.bizjournals.com/atlanta/blog/atlantech/2014/03/un...
Uhhh Let me introduce you to a little company called Internet Security Systems. $1.3B+ acquisition by IBM.
Off topic - I always get such bizarre vibes when I interact with anyone from MC or hear of others' interactions with MC employees (ATL here).
Yes. If you acquire a company, you assume all their liabilities as well as the assets. You might want to just buy the assets and have the acquisition owners dissolve it themselves to keep the liabilities at bay.
They brought back anonymous posting a few months after in a desperate attempt to bring back the old users but that didn't save them
Classic acquihire scenario?
They're starting at Square just like they would start at any other job. Thus they will stay at Square if it is a better job for them (for whatever reason) than they could otherwise get.
I'd say that's accurate to describe as "golden handcuffs", since they (probably) can't just walk down the street to another company and get that offer matched.
(Hope this isn't coming across as combative — if we're gonna have a discussion of semantics, I'm trying to nail down where you're coming from :) )
The "tightness" of the handcuffs is, roughly speaking, the % of your motivation to work there based on a previously accrued reward vs reward that is earned day by day.
With powerful enough golden handcuffs the company could reduce your salary to zero and you would still stay (though perhaps be pissed about it).
(not coming off as combative :) )
They definitely could shop around and find a new role (if they can find another company they want to work for in Atlanta) but it's unlikely to come with as healthy compensation as that.
Plus if you like your team you can keep working together.
That was the thing users wanted, take it away and why use the app? There are hundreds of social communities I can join, so what is YikYak's MVP? From that perspective, you have to choose what battle you want to fight - maintain anonymity and deal with the ramifications or lose your userbase by becoming just another social app?
Yes universities could "ban" an app
Square probably doesn't need more brogrammers.
Angry young white men strike again. It's one thing to be threatened by anonymous mobs on Twitter or Reddit but when you know the attackers are physically within a mile or two things can get seriously scary.
