YC Alum Hacks Jason Calacanis' Voicemail Message to Ask for Investment
Note that this was done via a Caller-ID-spoofing website where all you have to do is type in:
* The victim's phone number
* Your real phone number
* The fake one you want to appear to be coming from
Then you click Submit and it puts you through. That's it. Any idiot could do it.
The tech and telecommunications industries are WAY overdue to do at least one of the following:
1. Stop considering Caller ID a secure authentication method
2. Make Caller ID a secure authentication method
People are told to "hustle", "be naughty", and "break things" - and are applauded for it in founder stories. Small wonder something like this happens.
Sam Altman responding.
From https://generalassemb.ly/instructors/avi-zolty/1658:
> A millionaire by age 21, Avi sold his most recent site to execs at Paypal, and continues to devote his time to his love of innovative business. He is a member of YCombinator, the prestigious Silicon Valley incubator, and is the first to be inducted on talent alone, without requiring the established company/business model usually required for acceptance. Avi recently moved to LA to focus on his current project, a music startup called Beatdeck. Software startups, Social Media/Marketing, Music, and swing trading bit coins are his current fascinations.
So a 20-something millionaire who is apparently a successful serial entrepreneur is now groveling for investment by hacking a prominent investor's voicemail? Something doesn't add up.
Also, I didn't realize that entrepreneurs were "inducted" into Y Combinator, or that Y Combinator required applicants to have an "established company/business model."
Just getting out of my daughter's Halloween party today (30 kids aged 3-7, science experiments + sugar = boom!).
I accepted Avi's apology and responded to his email here: https://twitter.com/Jason/status/526531089355927552
For those curious about how this is done (don't try to use this for ill - it's seriously illegal and almost everyone gets caught):
Generally you can access the voicemail menu by entering star then a four-digit PIN while listening to any phone's voicemail. A lot of people leave their PIN as the default (star+1234 on some carriers, star+9999 on others). You can call their phone, get voicemail, guess the PIN, and change any of their voicemail settings you like. It's even easier if you spoof the call as calling from the person's own number.
This is a breach of privacy, but generally harmless. It gets dangerous when you start changing the message to something like "accept" and using someone else's voicemail to call collect, verify identities, etc.
Again, this post is for curiosity's sake only - do not try this.
Here's the story from the founder's perspective: http://webcache.googleusercontent.com/search?q=cache:QkTa-zW...
Andrew Auernheimer ("weev") was sentenced to 3 and a half years in jail for something that was (IMO) far more innocuous than this. Terrible move here.
Not only against the law, but this "hack" involves a highly likely creep factor for the person on the other end of it, not quite as creepy as walking into your house to find someone harmlessly hanging out in your living room, but in the same general ballpark.
To top it all off, it isn't even a technically difficult feat.
"my co-founder and I wrote one of the first Facebook scripts to mass-invite people on Facebook to events we threw"
Er...this is not "new and experimental" it's just a spambot, like thousands of idiots write daily. You have obviously lost the plot.
Wow, what an unbelievable idiot. Even YC, it seems, makes admissions mistakes sometimes!
(OP: http://webcache.googleusercontent.com/search?q=cache:QkTa-zW...)
This is so dumb on so many levels I can't even believe it. Is it really so hard to get an intro to a founder, that you have to resort to this? You are a YC alum! You are literally handed the contact information of 100s of people who could help you, and instead you resort to this.
This is not going to end well.
Ethical quandaries aside (of which there are several) for a moment, I think this strategy speaks poorly of the startup. What type of signal does it send to prospective investors that you feel it's necessary to pull illegal stunts in order to gain attention for your round? A quality YC startup shouldn't need to go to such lengths to raise a round if the substance of your project/team is of sufficient quality as to warrant investment.
This is akin to somebody breaking into Jason's house while nobody is home and placing an ad for their startup on his coffee table. Nobody is physically harmed but it is a gross violation of privacy. I assume this is against the law, and I do hope the perpetrator is prosecuted for it.
Somehow reading the founder's perspective makes this look worse for me. There is a threshold after which "hacking" stops being cute. Do you really want to start your relationship with a lie?
What is the point of going to YC if you're going to do such things to ask for an investment?
The whole idea of YC, I thought, is they hook you up with the best investors in the valley because of their amazing network. Seems like a lot of trouble to go through (not to mention a messy legal situation) when you can just call up Sam and ask for an introduction...
Wow, that was a pretty stupid thing to do. Why do people think that this is ok? Also, of all people to do it to, Jason is probably one of the easiest to get through to if you have something legitimate to say to him. Just go to one of the myriad events he throws and you're bound to get a glimpse. This is just childish.
Unauthorized access of someone else's voicemail is actually a federal crime. US Court of appeals ruled in 1999 http://t.co/bvYYlzNpgX
I once spoofed an email from the president of a security company to their HR guy to give me a job.
They must have known immediately but played along. That was fun, though no harm came of it.
The original Medium article was submitted to HN a couple hours ago, which the OP wisely deleted after being called out. (and then he deleted the original Medium article shortly after)
I wonder how long it can possibly be until someone else "borrows" the publicly listed phone number on the front page of skurt.co
There is a gray line for what you can or cannot do to get attention; this isn't even near it. Even if Jason would have thought these guys' company is the next truecar or something, if he ends up investing it will just solicit more hacks in the future, and it will end up with someone getting in big trouble. There are some risks that are not worth taking.
OP posted an apology:
https://twitter.com/AviZolty/status/526467881295683584
> I just wanted to take a moment to sincerely apologize to @jason publicly. Been in contact, he's a great sport, and I admire him so much.
I have trouble understanding how someone can think hacking people's voice mail will get them to invest in his company - that isn't related to security.
It's such a fine line and if he veered just a bit more on the other side, all this press would be beneficial. Instead, he's caught with the hot potato. Honestly, some people have the gift to notice & exploit vulnerabilities but there needs to be a commensurate amount of tact, empathy, and morality for it to be a positive force. I'm on the other side of the spectrum looking to "learn" this type of behavior but my scruples hinder my progress and way of thinking.
So did he invest?
I hope that the same dudes that are against this aren't the same douches that were for the fappening.
It's a shame that Skurt didn't include their social media links on their own site.
I don't say this often, but I really hope this guy gets prosecuted.
I would agree with will.I.am that we should change the name of hackathons to appathons. Facebook "Hacker" culture and the word hacker is too hyped and gives young people the wrong message.
Hustle hard.
It should also be noted how he did this "hack". He spoofed a call to Jason's own number (thus reaching the voicemail). The voicemail was not set up (or PIN secured), so he was able to do the initial voicemail setup.
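The policy failure discussed in this thread (Caller ID treated as authentication, default PINs, and an unconfigured mailbox letting the first caller run setup), modelled beside a hardened policy. This is an added example, not part of any comment and not any carrier's code; the function names, the lockout threshold and the extra entries in the default-PIN list are assumptions.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

# "1234" and "9999" are the defaults named in the thread; the rest are assumed.
DEFAULT_PINS = {"1234", "9999", "0000", "1111"}
MAX_FAILURES = 3  # assumed lockout threshold


@dataclass
class Mailbox:
    number: str
    pin: Optional[str] = None  # None: voicemail never set up
    failures: int = 0


def legacy_decide(box: Mailbox, caller_id: str, pin: str) -> str:
    """Weak policy: trusts Caller ID and lets the first caller do setup."""
    if box.pin is None:
        return "SETUP"            # whoever reaches the mailbox configures it
    if caller_id == box.number:
        return "ALLOW"            # Caller ID treated as authentication
    return "ALLOW" if pin == box.pin else "DENY"


def pin_is_weak(pin: str, number: str) -> bool:
    """Reject non-numeric, short, default, single-digit and number-derived PINs."""
    return (not pin.isdigit() or len(pin) < 4 or pin in DEFAULT_PINS
            or len(set(pin)) == 1 or pin in number)


def set_pin(box: Mailbox, pin: str) -> bool:
    """Out-of-band setup (e.g. carrier account portal); rejects weak PINs."""
    if pin_is_weak(pin, box.number):
        return False
    box.pin, box.failures = pin, 0
    return True


def hardened_decide(box: Mailbox, caller_id: str, pin: str) -> str:
    """Caller ID is ignored for authentication; only the PIN counts."""
    if box.pin is None:
        return "DENY"             # no in-call setup, regardless of caller_id
    if box.failures >= MAX_FAILURES:
        return "LOCKED"
    if hmac.compare_digest(pin.encode(), box.pin.encode()):
        box.failures = 0
        return "ALLOW"
    box.failures += 1
    return "DENY"
```
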
Would have been cooler if they were working on some security-related product.
Also: people need to relax.