Bit of a tangent and, for those not familiar, Yik Yak is an anonymous, upvote-downvote, location-based forum (kinda) where posts are automatically deleted if they net -5 votes.
In college, I was really interested in how Yik Yak worked and found out that, given a list of N user ids (which were super easy to generate), one could send downvote requests to the server and instantly delete any post with a score <= (N - 5). Infinite loop + pass in a list of locations (e.g. a list of colleges in the US), and it's pretty darn easy to disable Yik Yak for the entire country.
There was no location checking to see if a user id was being used in both Florida and Montana at the same time, and there was no real throttling. I hit up their support, and tried to reach out to their devs, but I kept getting brushed off.
Of course this is just one small thing, but I'm not exactly surprised at how things are turning out if this was the level of interest that the Yik Yak team showed in their own product.
I think they started requiring a real phone number type identification to deal with the issue instead of any type of real IP/region/rate-limited/Captcha based spam detection.
I used it up until they asked for a real phone number. It was kinda cute, but yea, mostly filled with college students. Depending on where I travelled in the world, there may have been messages from three weeks ago on the top for that area. I was surprised how many remote areas had at least a few yackers; although very few non-English posts.
I think my favourite Yak: "If you ever feel down about Uni, just remember there's still someone from your home town trying to make it as a rapper."
A problem I've mused on for a few years is related to this: when a phone submits a lonlat to an API server, how can you make the server more confident it can trust the location? I mean with curl I could POST any lonlat I want---I don't even need a phone! I don't think this is truly solvable, but how can you make spoofing the location harder?
The scale I'm thinking about is "Are you really in the store you say you're in?" where all users are from the same fairly dense city. So geolocating the IP isn't good enough. Accuracy to a city block or two seems good enough though.
My best idea so far is to submit a list of available wifi access points, and use that as a "password" to prove that you're where you say you are. If your list is 80% like the list of other users at that location, we trust you.
Unfortunately in iOS you can't get that list! It requires a private API, so calling that method will get your app rejected from the store.
There is no better case study for this than Pokemon Go, where the interest in spoofing location reached unheard of levels (outside of state actors). This is a good writeup:
Basically sign your API requests with the most obscure function of phone context variables imaginable, and recognize that if you get so popular that it's cracked, you can just hire a machine learning team anyways. And pin your certs!
Swarm/Foursquare I believe solve this problem by tracking the time between check-ins and then consider the distance between the places you've checked into and how long it would take to travel between them. You can't check into a store in New York Times Square one minute and then the next minute check into a place in Los Angeles. Sure you can lie, but with this restriction and restrictions around how frequently you can check in and other levers they have made a high quality experience that works for what they want to do.
Even if you could fingerprint the location accurately, how do you know I'm there now, vs. capturing all of the information when I was there and replaying them later?
A much easier problem than "are you really where you say you are?" is "are you likely to be sending me fake locations?", which is hard to do with a single location update, but if the user is moving rapidly, or in geographically distant locations across multiple updates it's much easier to catch.
This is something that I'm currently dealing with as well. However, I'm a little less concerned with trusting the location in particular and more in whether or not the client itself is trustworthy.
Do you have a user login system? Can you easily isolate fake data to a certain set of accounts? Or are you dealing with anonymous requests?
One possible solution you can look into is signature authentication of the headers to verify that the request is coming from a trusted source. You can either use a public/private key pair or a symmetric key with HMAC. That being said, this isn't foolproof - you have to keep the key secure, and that isn't totally possible in an app. If someone attaches a debugger they will be able to get your secret key if they're determined enough. The best you can do is obfuscate / encrypt the key so that it can't easily be read out from the strings in your app.
If you wanted to verify the location data itself, you could look into modeling the user's movements and look for abnormalities in the sequence of locations. Also, you can check the location against an API like Google or Foursquare on the back end.
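The signed-request idea from the comment above, sketched from the server's side as an added example (not part of the original thread, and not any app's real API): an HMAC over the method, path, timestamp, nonce and body hash, with a freshness window and a nonce cache so a captured request cannot simply be resent. The header names, the `/vote` path, the key and the 300-second window are all assumptions made for illustration.

```python
import hashlib
import hmac
import json
import time

MAX_SKEW_S = 300  # assumed freshness window for signed requests


def canonical(method, path, ts, nonce, body):
    """Bytes that get signed: every field the server will act on."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(ts), nonce, body_hash]).encode()


def sign(key, method, path, ts, nonce, body):
    return hmac.new(key, canonical(method, path, ts, nonce, body),
                    hashlib.sha256).hexdigest()


class Verifier:
    def __init__(self, key, now=time.time):
        self._key = key
        self._now = now
        self._seen = {}  # nonce -> time after which the timestamp is stale anyway

    def verify(self, method, path, headers, body):
        """Return (accepted, reason) for one incoming request."""
        try:
            ts = int(headers["X-Timestamp"])   # hypothetical header names
            nonce = headers["X-Nonce"]
            sig = headers["X-Signature"]
        except (KeyError, ValueError):
            return False, "malformed"
        now = self._now()
        if abs(now - ts) > MAX_SKEW_S:
            return False, "stale"
        expected = sign(self._key, method, path, ts, nonce, body)
        # Constant-time comparison; bytes so odd header content cannot raise.
        if not hmac.compare_digest(expected.encode(), sig.encode()):
            return False, "bad_signature"
        # Nonces are recorded only after the signature checks out, so
        # unauthenticated traffic cannot fill the cache.
        self._seen = {n: exp for n, exp in self._seen.items() if exp >= now}
        if nonce in self._seen:
            return False, "replayed"
        self._seen[nonce] = ts + MAX_SKEW_S
        return True, "ok"


def make_headers(key, method, path, ts, nonce, body):
    return {"X-Timestamp": str(ts), "X-Nonce": nonce,
            "X-Signature": sign(key, method, path, ts, nonce, body)}


def demo():
    """Run four constructed requests through the verifier; return the reasons."""
    clock = {"t": 1_700_000_000}           # constructed, fixed clock
    key = b"constructed-demo-key"          # constructed; never ship a real key like this
    v = Verifier(key, now=lambda: clock["t"])
    body = json.dumps({"lat": 33.78, "lon": -84.40, "vote": -1}).encode()
    h = make_headers(key, "POST", "/vote", clock["t"], "n-0001", body)

    results = [v.verify("POST", "/vote", h, body)[1]]            # first delivery
    results.append(v.verify("POST", "/vote", h, body)[1])        # same request again
    tampered = body.replace(b"33.78", b"40.76")                  # body changed in transit
    results.append(v.verify("POST", "/vote", h, tampered)[1])
    old = make_headers(key, "POST", "/vote", clock["t"], "n-0002", body)
    clock["t"] += MAX_SKEW_S + 1                                 # delivered too late
    results.append(v.verify("POST", "/vote", old, body)[1])
    return results


if __name__ == "__main__":
    print(demo())
```

As the comment notes, a key embedded in the app can be extracted, so this only authenticates that a request came from something holding the key; it says nothing about whether the coordinates in the body are true.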
Some very popular phones have a barometer[1]. If you are getting data from a bunch of phones, and most of them are legit, then you'll have a good idea of where the air pressure 'should' be, and if you get a barometer reading that is outside that data set by a standard deviation you can probably 'guess' that it is not coming from a phone at the same lat/lon as the other ones.
Not at all, the question was how to combat or at least estimate fraudulent 'adjustment' of the karma in a location based service. The way to do that is to take information that is specific to the location, and changes, and provide that data in the input stream to help understand where your clicks/votes are coming from. If one in 5 phones has a barometer with a high degree of probability, then you can set bounds on the likelihood that all 5 votes came from legitimate users. It won't be perfect but it will make it harder for scammers to scam without being there.
That only adds one extra step to spoofing - now I have to check weather.com for the barometer reading in the location I plan to spoof before sending. NBD...
Also, pressure in vs outside can vary more than you'd think...
As with anything, it can be overcome at a cost, and the only thing anyone can hope for is to keep the cost of defrauding a system higher than the expected return of successfully defrauding it.
Phone temperature is completely useless if the device is kept in a pocket next to human body temperature. Phones are also self-heating, especially when running Pokemon Go.
Barometers aren't very widely spread and I'd be wary of their calibration.
https://www.locationsmart.com provides a service to locate devices at the cell tower level. You can use it to verify location updates from the device are in the ballpark of where they say they are. I haven't used it personally but a friend did.
You could maybe just trust them but flag/disable accounts that jump between locations extremely quickly.
Might be tricky accounting for air travel but even then you could safely assume nobody's taking more than two flights a day and six a week or something like that
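The checks several comments in this thread describe (no user id in Florida and Montana at once, throttling, flagging accounts that jump between locations too quickly) can be combined in one server-side gate. This is an added example, not part of the original thread and not Yik Yak's or Foursquare's code; the speed ceiling, GPS slack, vote budget and sample events are all assumed or constructed values.

```python
import math
from collections import defaultdict, deque

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 900.0   # assumed ceiling, roughly airliner cruise speed
GPS_SLACK_KM = 1.0      # assumed tolerance for ordinary GPS jitter
MAX_VOTES = 5           # assumed vote budget per user ...
WINDOW_S = 60.0         # ... per sliding window of this many seconds


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two lat/lon points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


class VoteGate:
    """Per-user plausibility checks applied before a vote is counted."""

    def __init__(self):
        self._last = {}                    # user_id -> (ts, lat, lon) of last accepted vote
        self._recent = defaultdict(deque)  # user_id -> timestamps of accepted votes

    def check(self, user_id, ts, lat, lon):
        """Return (accepted, reason); ts is seconds, lat/lon are degrees."""
        prev = self._last.get(user_id)
        if prev is not None:
            pts, plat, plon = prev
            if ts < pts:
                return False, "out_of_order"
            dist = haversine_km(plat, plon, lat, lon)
            reachable = GPS_SLACK_KM + MAX_SPEED_KMH * (ts - pts) / 3600.0
            if dist > reachable:
                # The last accepted position stays as the anchor, so a
                # rejected jump does not become the new "home".
                return False, "impossible_travel"
        window = self._recent[user_id]
        while window and ts - window[0] >= WINDOW_S:
            window.popleft()
        if len(window) >= MAX_VOTES:
            return False, "rate_limited"
        window.append(ts)
        self._last[user_id] = (ts, lat, lon)
        return True, "ok"


# Constructed sample events: (user_id, unix_seconds, lat, lon).
FL = (29.65, -82.32)    # roughly Gainesville, Florida
MT = (46.87, -113.99)   # roughly Missoula, Montana
GA = (33.78, -84.40)    # roughly Atlanta, Georgia
SAMPLE_EVENTS = [
    ("u1", 0, *FL),
    ("u2", 0, *GA), ("u2", 10, *GA), ("u2", 20, *GA),
    ("u2", 30, *GA), ("u2", 40, *GA),
    ("u2", 50, *GA),        # sixth vote inside 60 s
    ("u1", 30, *MT),        # Florida to Montana in 30 s
    ("u2", 61, *GA),        # oldest vote has left the window
    ("u1", 18000, *MT),     # same trip five hours later: plausible by air
]


def replay(events):
    """Feed events through a fresh gate and return the reason for each."""
    gate = VoteGate()
    return [gate.check(*e)[1] for e in events]


if __name__ == "__main__":
    for event, reason in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(event, reason)
```

A production version would flag or score accounts rather than hard-reject on a single jump, since a bad GPS fix can look like impossible travel.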
Yep, trusting every submission initially is fine, and we do use tricks like you suggest to flag suspicious accounts. For instance if you submit "11111" then "11112" then "11113" on up through "99999" (I've seen it happen!) then we might disqualify you from the raffle. :-) (We have better heuristics than that too.) But having the phone send some kind of extra proof would still be helpful. The point is just to make location spoofing "hard enough," not impossible. Also it is a small enough event that fraud isn't a true problem right now, so this is more just a fun mental exercise for me at this point. Still, good to be prepared!
I think the reason that API is private is because people do not want that level of tracking. And there are very few applications which absolutely, positively need this level of accuracy. And, I'm sorry, but marketing/advertising doesn't count.
In my case it is: the store gives you a secret code, and you enter it on your phone to earn discounts and raffle entries. We would like to prevent people taking the code home and sharing it with all their friends. So it's not about tracking. Still I get why the restriction needs to be there.
Make the user take a pic of the store, then check the EXIF for the timestamp. The pic should be very easy to shape-compare with other submissions of the same store (hardware doesn't move much, as opposed to faces), and the pic should never be exactly the same (refuse submitting twice the same pic).
Other solutions require the participation of the store: Dynamic QR codes, microphone authorization, or a website on the store's Wifi internal network.
It amused me last year when I realised that 95% of my phone use was the facebook app, tinder, and pokemon go. One a notorious battery drain, the next crashed regularly, and then the last was worst at both. I definitely think there are a lot of programmers who place too much weight on the effect of quality when it comes to consumer apps.
If a company gets users but fails to retain them, causing the product to fail and the investors to lose their funds, then it certainly isn't a success.
Sure, but it's a calculated risk -- maybe they decided that growth features were more important than uptime or data integrity. That still doesn't mean the app is garbage.
Square has an Atlanta office in Atlantic Station, which is ~ 15 minutes from where Yik Yak is located in Buckhead. This same Square office previously picked up the Google Web Toolkit team after Google closed their local office.
Huh, well Square seems to be in the right place at the right time to make this acquisition of talent. I still don't get how Square intends to retain/gain customers at the price point they're at, Mercury, Heartland, etc are eating their lunch.
Heartland is such an utter piece of garbage. I'd use almost anything before I'd touch it (or any typical shitty enterprise processor) again.
Source: spent a year helping a client migrate from Stripe to Heartland to save a few basis points. Things like faxing docs to terrible APIs to constant lies from sales, who is a bunch of ignorant, rude good ol' boys, just like most of their competitors. Pure incompetence at virtually every point of interaction. Literally have not a single good thing to say.
I'd invest a significant part of my net worth in Stripe if I could. They and companies like them are going to destroy Heartland in the long run, and it can't come soon enough.
Heartland is only strong in the terminal arena, their entire plan for EMV POS systems boils down to Datacap (fucking nightmare you should avoid) and Pax (which is meh). Mercury/Vantiv aren't bad, and are much more developer friendly if you need complex direct integrations, alternatively FD ISOs vary.
The least painful way to integrate is semi-integrated with Pax or Dejavoo, and that way your customer can choose from the majority of processors with minimal work on your end. Typically I see grocers paying under 1% after interchange, network fees, processor fees, etc, hence why there is motivation to deal with the legacy good ol' boys.
Yeah, I'd avoid direct integrations entirely, semi-integrated CC/Debit processing like Pax or Dejavoo is much less painful to implement, and costs less on hardware too. See my other comment.
I've found most acquihire situations unfair to existing employees. It seems that those coming in from the acquihire have a higher reward/payout that talented employees already at the company can never negotiate.
Are the incoming acquihired engineers that much more worth than the ones you already have? There are certainly exceptions but by and large I can't imagine this being the case.
I've seen $1M+/engineer compensation (over a 4-year vesting period) given to ordinary employees at big companies. It's actually not that out of the ordinary. One of the things that surprised me about working for a big company is that the compensation structure is not quite as lopsided (in favor of acquisitions) as I thought.
There do need to be two conditions met to bring in the big bucks though: 1) you need to perform, such that your value to the employer is > $1M, and 2) they need to be afraid of losing you. Many employees fail on one or both conditions. They either slack off or don't work on the right things (so they're not actually worth that much), or they're "company men" who will unquestioningly stay with the company regardless of whether they're compensated fairly.
Do you mean $1M per year or over 4 years? 250k per year in total compensation does not seem like that much.
EDIT: Since I am being downvoted, I thought I'd provide some data to back up my claim. The average total compensation for a Senior Software Engineer in the US at Google according to Glassdoor is $267,413.
Are you saying that acquired engineers have a $1M value to the acquirer? From what I've seen, most are simply waiting for the handcuff to cash out and exit.
The acquirer certainly is betting that on average, they do.
Definitely a lot of employees do sorta check out while their stock options vest, but not all. From what I've seen, maybe 50% of the employees in an acquisition aren't going to be worth it. But the 50% that do continue to work hard and assimilate well into the acquirer's culture tend to add a lot of value - many of the best coworkers I knew in my last job were there through an acquisition. I could easily believe that they're adding > $2M value amongst the 50% who continue working hard.
But in the end if you look at the opportunity cost the Acquihired engineers paid brings them to the same level of compensation as others. e.g Working 2 or more years at low pay.
That's not the acquiring company's problem. Certainly engineers at the acquiring co don't care about this. They took that risk fully knowing and willingly.
I loved the idea of Yik Yak, but every time I tried to start a semi-intelligent conversation I was downvoted to death. And this was smack in the middle of MIT. I guess the people I was hoping to interact with were exactly the opposite of the actual user base.
It would be potentially interesting if the upvote/downvote thresholds and ranking took into account your Facebook or other social graph, and then extrapolated to other people that might find your posts interesting.
Yik Yak could have been Waze. Yik Yak could have been a tool for students to ask questions during class when they didn't understand what the professor said. But it wasn't.
> It would be potentially interesting if the upvote/downvote thresholds and ranking took into account your Facebook or other social graph
I think this would be a cool thing to have, but one of the key things for YY was the anonymity. Linking with FB would have killed that (as forcing users to create usernames did).
Oftentimes that's exactly how acquihires are structured: the acqhiring company grants RSUs to the engineers they want that are worth $X00,000, making up for them forfeiting their stock in the acqhired company. It effectively amounts to a signing bonus, since engineers on the open market that need to be enticed to join may also be given similar offers.
It's called an "acquisition" as a face-saving mechanism for the company's founders and investors. It lets them go to investors for their next startup [or fund] saying "Yeah, we [our portfolio company] were acquired by Square", which sounds a lot nicer than "We shut down the company and then Square hired all our people." The acquirer wins, the employees win, the founders & investors save face, and the losers are future investors who don't delve too deeply into what "acquired" means.
Going one by one would present decision fear to any number of said engineers. "Am I going to be offered this deal as well, or will I be left out?"
By going at it collectively, it reduces perceived downside risk. Also, it reduces Square side's risk that one or more key people it wants would balk at the individual offer. By offering a group deal, it pressures everyone to join, since human nature is to not want to sabotage the communal good for your own benefit, especially when you've worked together for years.
It may also permit a more holistic retention package for the next 4 years for this team and keep VCs happy.
It would be interesting if there were a transfer market in programmers like there is in footballers, but I don't see it happening any time soon.
(Partly this is because the rules of the game prevent replacing Lionel Messi with 1,000 cheap non-Western consultants hired through three layers of outsourcing)
What successful company has been built by "1,000 cheap non-Western consultants hired through three layers of outsourcing"? We don't need a rule against a losing strategy
I think the key problem was the hype train and the lack of product-oriented/technical leadership.
Remembered them doing very well on campus last two years of college. They had on campus reps to hand out "schwag"; probably not very fun to scale. The obvious bullying was the problem. If they had found some way to solve that and snuck their way back into high schools...
What did them in for me was the insistence on creating usernames which could not be hid. It ruined the localized aspect of the anonymity by focusing on the person, creating a power-user shit-posting environment instead of letting content arise organically from a faceless localized mass.
College student, it was fun for a year or two and then pretty much everyone gave up on it.
The unique commentary was what made it, there was essentially humor that everyone could relate to and the unique perspectives people felt were too uncomfortable to share with their persona attached. It was fascinating to watch what would come up over the day
To add onto this, college meme groups on Facebook have largely replaced Yik Yak's niche in the past year or so. And those don't require millions in VC funding!
The exact same reason bullying could happen was the exact reason people loved it (anonymity).
Group A (parents, schools, etc) wanted complete de-masking + real-world identity while Group B (the users) wanted some anonymity with no real-world identity.
Could be anonymous but still keep the unique phone ID and boot/hide disruptive users. Users probably want anonymity at a far weaker guarantee than, say, Tor offers.
I was a frequent user for quite a while. It was never truly anonymous in that Yikyak obviously maintained some type of internal ID to identify you. This was fine with me. We had some deep, real conversations (along with the usual nonsense).
I stopped using it when they added mandatory profiles. For online discussion, there is a huge difference between anonymous and pseudonymous. While anonymous, no persona is formed in the mind of other users, except within the context of a specific discussion. It is impossible to form factions. Group think is somewhat minimized, because no one knows it is you that is not following the party line on issue A, even though you are totally on board for issue B.
When you are pseudonymous, factions form, grudges form, prejudices form. Suddenly someone remembers your position on gun control and assumes your position on the death penalty. If you say something stupid, it stays with you.
I don't want to share my sexual interests and my political points of view with strangers and have those things be linked to the same account (from the user perspective). I DO want to do that without that link. I think it tends to focus more on the issues, and lets people avoid the artificial barriers that otherwise might come between them.
When they made this switch, it was suddenly an entirely different app. It was no different than just finding a random web forum, except that you could be sure the people around you were geographically close to you (sort of). Completely non-anonymous Next Door is better in that regard anyway, and Yikyak no longer had anything to offer me.
>I stopped using it when they added mandatory profiles
Same here. It seemed to me that they got rid of the one reason people were using the app in the first place. Also if this was to prevent abuse it actually made it easier to harass another user - 'oh it's that jerk qwerty123 again'
Another issue with being localized is if there aren't many users in the area. It was always busy in a city, but in a rural area there were very few posts - this could've been mitigated by scaling up the coverage zone
The -5 making things disappear wasn't the best solution, as the 'top rated' could become pretty generic stuff, whereas funny but controversial things could vanish quite quickly
I live in a small college town, and it's still fairly active around here. I downloaded it to see what it was all about after someone Yaked (Yiked?) a bomb threat at the college and it made the news. Most of the time it's just kids complaining about finals and being melodramatic.
I'm glad to see this one winding down. In my city it was used by high school students to hassle and mock each other. Yeah, I know, according to their terms of service and geofencing stuff high school students aren't supposed to use it. Tell them that.
Pity, mainly because there seems to be a market for local anonymous communications, but a relatively small, and very vocal subset of users can ruin it for everyone.
I wonder if some sort of anonymous reputation system could have saved them from making product decisions that were counter to the reasons for using the app in the first place.
The posts would get auto-deleted if their vote count got to -5. It was popular enough at my university that this kind of community moderation worked reasonably well, but in a lot of other locations it got abused.
I really disagree. I've used the app maybe 2-3 years ago and looking at their website, it doesn't seem like the main UI or features have changed much. If I didn't know what the app was, going on their website I would think it's a Buzzfeed clone given all their listicles and clickbaity headlines.
Listicles are not how it's mainly used. It's basically a chat app. Most of the activity on the main feed is people looking to chat. And there are very active groups.
Pseudonymous, not anonymous. People can recognise your username and treat you accordingly. Conversely if you start a new username it doesn't retain any karma from your "main".
The phrasing makes it seem like Yik Yak itself is not being acquired. Is that a thing that ever happens? I doubt square is interested in their tech anyways.
I've heard that the Atlanta tech scene is dominated by business types rather than techies. It wouldn't surprise me if leadership is selling off most their engineering team and planning to outsource as needed from here on out.
I moved here from Philadelphia and was surprised that from an engineer's perspective the tech scene was significantly better in ATL. There were more jobs at more interesting companies. Obviously this is anecdotal from one job search 5 years ago. Philly might also be surprisingly poor.
One cool company here is BitPay. Not sure what they are valued at these days but they are a big name in the bitcoin world. I think they have some solid engineering there. I worked with Oracle for a couple years here right after they acquired a company called Vitrue for $300 million. It's not unicorn status but that was one of several acquisitions around that time. Acquisitions like that in Philly were much more rare.
There are a lot of huge corporations here which can continually spin off startups and Georgia Tech is a good source of new engineering talent. I think Atlanta has a healthy tech scene but not one focused in headline grabbing areas.
From my experience going to meetups and seeing the kind of job postings that get thrown up out here, there's just more of an "enterprise" mindset here. A lot less "hard" tech being pursued. I think it's because there's not a lot of VC money (relative to the west coast and Boston/N.Y) so startups need to be more focused on generating revenue sooner. No long runways out here (for the most part).
This seems to select for businesses that find cash generating opportunities as opposed to chasing "changing the world."
Not OP but I'm a software engineer working for a startup in ATL. I'm not sure how we have a reputation for being "dominated by business types", but we do have a relatively high contingent of fintech and b2b companies here (our only unicorn, Kabbage, plus several others like Square, Salesloft, Salesforce). I think though that our pool of engineering talent is relatively high - I'd guess it's the most likely landing spot for good engineers from the southeast.
> I'm not sure how we have a reputation for being "dominated by business types"
Two things:
1. Atlanta's tech scene is largely b2b. It's driven a lot by people who worked in industry and then had a great idea for a company and left. Or serial entrepreneurs who are capable of building a business but not a product. So a lot of companies simply originate from "business types" because they're founded by them, for them.
2. ATV. ATV strived to make itself the face of the ATL startup scene, and generally succeeded. But the resources ATV provides are all primarily aimed at business types - pitch practices, VC events, demo days, and networking gatherings. And so business types gathered there, since that's a convenient place to be, and the successful companies went elsewhere due to rising rent. So now, ATV is largely the face of startups in Atlanta, and yet is a building filled with "business types" hustling to get their company started or funding secured. The optics on the startup ecosystem are consequently very heavily "business types" because everyone tends to just look at ATV as the thermometer.
I think by "business types" the OP means that most of the tech/startup scene consists of people more on the business-side: marketers, salespeople, general "hustlers", etc., rather than technical hackers.
There's a medtech and health-IT cluster as well, partly due to Emory's med school, and Atlanta being a regional hospital center. Much of that's b2b too (though there are a few Fitbit-style b2c health-IT companies), but different set of people than most b2b companies are, and with its own set of startup incubators (Neurolaunch, Sling Health Atlanta, Global Center for Medical Innovation, etc.).
I could be wrong here but my understanding is if a company is acquired they WERE a unicorn (if the acquisition was for $1B+) but they aren't a unicorn after the acquisition.
I go the other way. Your valuation means jack until you are acquired. It's just some VCs thinking you've built a $1 billion business. For example YikYak being valued at $400M. Actually getting acquired for $1 billion... now that's special and rare
I just read an article that their revenue for 2016 was estimated to be $400 million. Not bad. I don't know what the profits were but I would guess that gets them 'unicorn status.' :)
Yes. If you acquire a company, you assume all their liabilities as well as the assets. You might want to just buy the assets and have the acquisition owners dissolve it themselves to keep the liabilities at bay.
Yeah, and it's so common there's a phrase for it: "acquihire". When a company (or even just its team) is acquired for the engineers themselves, not for any existing code, product, or business.
This app used to be very popular on my university campus up until last summer, when they removed the anonymous posting feature! Almost all of their users were upset and were threatening to leave the app but Yik Yak didn't take them seriously. That resulted in them losing 90% of their active users within a few weeks
They brought back anonymous posting a few months after in a desperate attempt to bring back the old users but that didn't save them
That's not really the case here. Golden handcuffs refers to stock that was previously granted but either has not yet vested or has vested but the employee can't keep if they walk away from the job. While the employees in question surely own Yik-yak stock that stock is now worthless.
They're starting at Square just like they would start at any other job. Thus they will stay at Square if it is a better job for them (for whatever reason) than they could otherwise get.
Yes, but presumably as part of the acquisition they're getting $X00,000 of stock/cash on a 4-year vest. That's far more than one would get for a standard new hire options package at a company of Square's size/maturity.
I'd say that's accurate to describe as "golden handcuffs", since they (probably) can't just walk down the street to another company and get that offer matched.
If golden handcuffs are "stock that was previously granted but either has not yet vested or has vested but the employee can't keep if they walk away from the job", I'm curious at what point unvested stock becomes "golden handcuffs". The one-year cliff? One month in? After the first day, when waiting for your one-year cliff is one day closer than your one-year cliff would be if you quit and started a new job the very next day?
(Hope this isn't coming across as combative — if we're gonna have a discussion of semantics, I'm trying to nail down where you're coming from :) )
As with many things in life I would say that it's shades of grey. Perhaps they are handcuffs from day one but they haven't been latched closed yet. The longer you stay the tighter they get.
The "tightness" of the handcuffs is, roughly speaking, the % of your motivation to work there based on a previously accrued reward vs reward that is earned day by day.
With powerful enough golden handcuffs the company could reduce your salary to zero and you would still stay (though perhaps be pissed about it).
They probably got $x00,000 signing bonuses with a claw back of 2 years in addition to the stock compensation.
They definitely could shop around and find a new role (if they can find another company they want to work for in Atlanta) but it's unlikely to come with as healthy compensation as that.
Plus if you like your team you can keep working together.
I'm missing something. Were these engineers under a transferable contract? What, specifically, did Square buy with their "less than $3 million", and from whom?
What this likely means is that the engineers at Square get some kind of vesting stock options (i.e. golden handcuffs) that are valued in aggregate at less than $3 million. It also means the engineers get to have a well-recognized brand on their resume, and not a gap of a few weeks to months that then needs to be explained (not to mention the hit their bank accounts would take). This is generally what's called an "acquihire."
Yik Yak destroyed itself by ignoring their users and making changes that undermined the reason people used their app in the first place. They're only "struggling" because of a series of self-inflicted wounds.
That doesn't mean users wanted something else; I used it originally because it was a "localized 4chan". When they started adding usernames and whatnot, I uninstalled.
That was the thing users wanted, take it away and why use the app? There are hundreds of social communities I can join, so what is YikYak's MVP? From that perspective, you have to choose what battle you want to fight - maintain anonymity and deal with the ramifications or lose your userbase by becoming just another social app?
Sad to see things end this way - Yik Yak was pretty dope at Berkeley. However, I felt like the content got stale and predictable, and met the classic homogenous fate of every upvote/downvote community ever.
I played with it briefly, curious about whether it might in any way become similar to the "local" view that was in Google+ for a while, but it seemed mostly to consist of dig jokes and a little bit of high schoolers trashing mostly students from other schools.
> The company’s reputation suffered from cases of cyber-harassment, hate speech, and threats that appeared on Yik Yak’s platform.
Angry young white men strike again. It's one thing to be threatened by anonymous mobs on Twitter or Reddit but when you know the attackers are physically within a mile or two things can get seriously scary.