ainsleyb's comments

Legally you must disclose any sort of security breach to your users: http://en.wikipedia.org/wiki/Security_breach_notification_la...

This is a severe lack of customer service. The least that can be done is a quick shutdown of the site until there's a good fix, an email to all customers (since legally they have to disclose the breach: http://en.wikipedia.org/wiki/Security_breach_notification_la...), and a thanks out to whomever reported the issue.

If you make a mistake, own up to it. Honesty is the best key to building a business, and I'm sure they've at least lost the HN trust for any product in the future.

Legally, they're now required by law to disclose to their users of a security breach: http://en.wikipedia.org/wiki/Security_breach_notification_la...

Since whomever discovered the bug was able to access others' sensitive information, they have to disclose.

We've done some tests, and many of our customers would much rather have a basic scan and see the full results of the scan, than only be shown a piece of the scan. It gives off the impression that we're holding their vulnerabilities hostage, and that's definitely not what we hope to do!

The best test to see how we differ from Nessus/Burp is to try it yourself! A lot of the vulnerability classes we scan for are very similar, but the ways in which we scan for them are different. We do offer our Standard Plan for a free 30 day trial. Would love to hear what you think :)

If you have any issues, ping us at http://tinfoilsecurity.com/supportchat

Send us your address; we'll send you a tinfoil hat! :)

I'll be playing this song on repeat all day :)

I have multiple responses to multiple comments on this thread, so I'm going to continue here.

For full disclosure, I'm a young entrepreneur (<25), run a company that was started a few months after curebit (my cofounder applied and interviewed for the same YC class with a different idea), have raised pretty close to what curebit has raised, and am also a 500startups-funded company.

I'd just like to take a minute to hope that a couple of screw ups by others won't put companies like ours at a disadvantage. It makes me sad to think that "how old are you guys" is one of the first questions someone would ask, since I'm not sure physical age has anything to do with how people react to different situations. I'd sure like to think that if I screwed up people would chalk it up to me being me and not my generation.

I also hope people realize the big mouth investor with no taste (especially in what he wears ;) isn't the only person vetting 500startup companies. He has a whole investment team. Yes, Dave does pick a lot of the 500s companies himself (he was our biggest advocate), but the entire 500s team has a say. I also think you're overlooking the fact that curebit was also supported by YCombinator (and Dave has a lot of respect for PG's team and the companies they accept).

I don't condone what curebit did (far from it). I am close to positive someone at YC would have at least helped hash out ideas for design (and 500s' mantra is design, data, distribution), and, Dave has always said: running lean doesn't mean running cheap. But I hope that what one company does doesn't ruin it for the rest of us.

A startup is not a 5000 person corporation and shouldn't be run as such. I remember the author posting a Show HN last February introducing his company. At that point in time he was still in a full time job. Now, I don't know what's happened in the life of his company over the past 11 months, but I would venture to guess he has less than 10 employees. I'd even venture to guess it's somewhere less than 5. At this stage you're more looking for collaborators, not people to manage. And when you're looking for early stage employees you should really be looking for a true personality fit, in addition to the required technical prowess (which, incidentally, doesn't necessarily mean "knows ruby").

Yes, hiring is hard. Yes, as an early-stage startup it will take you a very long time to hire. But you have to remember those you're hiring today will make or break the company tomorrow. Their "5 yr plan" should have no bearing on whether or not they get a job at a very early startup, but by the end of the interview you should know not only that they're technically capable, but can roll with any changes you foresee the company making, and that they have the right personality to mesh with you and the rest of your team (you'll be spending a lot of time together - could you grab beers with them?). You should also know that they're so sold on the idea and vision of your company that their 5 year plan and your 5 year plan become one (or are at least related). Realistically, your startup probably won't even be alive in five years.

Of course I know a lot of people look at things differently, and I have complete respect for different opinions and methods (and love reading about them). We're still trying to figure out hiring ourselves, but I think the best engineers come with all sorts of non-corporate eccentricities. If we had followed the author's suggestions, we wouldn't have hired either of our two founders (including myself) or our first engineer. I'll leave it up to the reader to decide whether that would have been a mistake or not. :)

This just isn't the case.

The show was supposed to portray TS in a good light, and even the Davids are taken back by this reaction.

As one of our investors (in the interest of full disclosure), Tisch is awesome. He's always looking out for the best for his companies, either as personal investments or TS companies. I'm also sure none of the TS companies would say the program was a net negative, rather than a net positive.

As for the mentoring aspect, what Bloomberg didn't show is that the entire 1st month of TS is spent with 40-60 mentor meetings so you find the best mentors for your company. Tisch and Cohen are there to keep you on track from an investor's perspective, but they heavily rely on their mentors to keep you on track.

We've actually found it much easier and cheaper to find houses in this area. Granted, we moved here with the major influx of interns :P

Definitely. I'm still trying to figure out the best place. Some people are up for the idea of being further away in something really nice, and others want to be in the thick of things. Optimal situation would be to find a happy medium :)

I prefer orange.

Well.. I am a female, so it will have to tend toward the female-friendly side :)

... There are some great poetry professors at MIT, but valid.

 As an MIT alum I have to comment on how valuable an MIT education is. Whether you're from a public school in the middle of nowhere (like me) or from an awesome tech school, there's something of value for everyone. Not only did I finally learn physics with calculus, though I'm not an engineer, but learned a great deal about things out of my major (some of which I'm now starting a company with).

I always say MIT was the best place for me, and I can honestly say I wouldn't have been as happy anywhere else. I got to explore anything and everything under the sun, from D1 rowing and cognitive vision, to understanding hash tables and  how to write malicious scripts. ;)

Looking at the finances, contact MIT financial aid if you haven't yet. There are also plenty of great opportunities on and off campus to work during all times of the year. Your education is an investment and you've got a pot of gold lying in your lap. Find some way to keep it. 

Tl;dr go to MIT. You won't regret it. 

If you have any questions or need any help feel free to email (see my hn profile), and good luck! :)

It's a completely valid point that usually companies will do a single security review and want it to last for a number of months, often a number of years. Continuous monitoring is the only reasonable way to ensure adequate security of a company's website; if new code is being written, new vulnerabilities are bound to be written too.

Prioritizing vulnerabilities by which to conquer first and analyzing which vulnerabilities will hurt you more quickly and hit you or your clients the hardest is also interesting; it's something we (Tinfoil Security) already do, but not something we see enough people think about.

I think there's a fine balance with teams and team personalities. Sometimes a non-tech cofounder can bring good expertise in something you're not very good at.

I'm not a developer, but I am doing a high-tech startup. My cofounder is extremely good at the overall backend work of our product. He's also very good at talking (sometimes I can't get him to stop) and understanding the overall UX the product should have. How have I helped? Well, for starters we established what he's good at and figured out where the gap is. He hates frontend work, so I have designed the site and learned some HTML/CSS to expedite the frontend development. We're also both taking on 500 hats a minute. There are things he's good at (the technical speak) and things I'm good at (the non-technical speak) and things we're both good at (client meetings, processing feedback, making sure the product is working quickly). We're working on a security problem. As it is, we have completely different ideas; he's always been somewhat more of a blackhat, whereas I'm more of a whitehat, so our complementary ideals have been helping us get great publicity and great customers lined up.

I don't think a non-technical cofounder is necessary, but if you can find someone who can or is willing to do what you don't want to deal with (the books, the legal work, the frontend; everyone has something they aren't good at/don't like), who is also someone who can balance your ideals and personality you can get a great working team going.

In that amount of time you can learn HTML/CSS on your own and get a design you really want out of it, while saving $1k+. I know doing a startup full-time means you're probably also bootstrapping. If you think you can put backend dev on hold for a week to build up the front end yourself, here's a great link that helped me: http://htmldog.com/

And as a side note, you may want to be finding a cofounder anyway (single-manned companies are hard pressed to succeed), and a frontend dev would be a great balance to your backend work.

At the moment we're looking at a pay first business model. We will be tailoring results and recommended solutions to your stack.

I have a good technical understanding, but am no developer. That said, I am jumping into the start-up world and here's how I'm working at it:

Step 1: find a cofounder who is as excited about your ideas as you are with his, and whom you enjoy working with and vice-versa. I am still new to the startup world, but am working well with my co-founder. Hiring someone to code every time your product has a problem is not the correct way to go about it. You have to be able to constantly work and change to keep pushing something forward.

Step 2: immerse yourself in technology Really, I don't feel out of my element because I have surrounded myself in my life with technical people and technical things (went to MIT, have taken tech classes, worked at [stereotypical corporation] doing design and working closely with developers, and am learning how to dev in the process).

Step 3: learn your product and learn it well (including the technical parts) You have to understand your product in and out in order to make sure you are able to speak to those who need the product. If someone asks about security: know it. If they ask about a specific API you don't want to have to "get back to them."

Step 4: find a good balance between what you're doing, what everyone else is doing, and what needs to be done. I think the hacker/hustler combo is really valuable At some point the devs will be way too hosed in the development of the [product/site/whatever you're doing] to go out and find funding/sell the product. You need people who are confident to talk about what you're doing and will have fun doing it.

and Step 5: have fun. Getting into the start-up world is hard. You really have to enjoy taking risks, moving around, getting out there, and meeting people.

I'm sure I'm missing steps in all of this, but the steps above really help.