Delve removed from Y Combinator
Comments
maxbond
tim333
There's quite a good summary of the allegations here https://www.reddit.com/r/startups/comments/1rz15ui/i_will_no...
>Pre-written audit conclusions. The "Independent Service Auditor's Report" and all test conclusions were already filled in before clients had even submitted their company descriptions...
>Copy-paste templates. 493 out of 494 leaked SOC 2 reports (99.8%) had identical text, same grammatical errors, same nonsensical descriptions...
miki123211
There's an excellent podcast and writeup on this from Patrick mcKenzie, which explains the story in more detail, including an interpretation of their statement and background on why this is a scandal in the first place.
https://www.complexsystemspodcast.com/episodes/delve-into-co...
wlonkly
Thanks for this -- I remember when this broke I thought "I'll wait for Patrick McKenzie's take" and then promptly forgot to keep checking for it.
rvba
Write up is supposed to be concise..
jacquesm
I came across a top tier compliance auditor doing the same thing recently. I tried to talk to them about it and rather than approaching this from a constructive point of view they wanted to know the name of the company that got certified so they could decertify them and essentially asked me to break my NDA. That wasn't going to happen, I wanted to have a far more structural conversation about this and how they probably ended up missing some major items (such as: having non-technical auditors). They weren't interested. They were not at all interested in improving their processes, they were only interested in protecting their reputation.
I'm seriously disgusted about this because this was one of the very few auditors that we held in pretty high esteem.
Pay-to-play is all too common, and I think that there is a baked in conflict of interest in the whole model.
dmos62
Have you considered whistleblowing?
jacquesm
Yes. But I'm not working at either company and I'm 99.9% sure that it would lead to absolutely nothing other than a lot of misery for myself. The NDA's I sign have some pretty stiff penalties attached. I was actually hoping to see my trust in the auditing company confirmed and I'm still more than a little bit annoyed that they did not respond in a more constructive way.
My response however is a simple one: I used to steer (a lot of) business their way and I have stopped doing that.
madaxe_again
Similar boat. Seen the same shenanigans being played with actors who really should know better - everything from military secrets to medical data, and absolutely YOLOing it with an audit mill. I have it on good authority that there are superuser credentials floating around for their production systems that they’ve lost track of.
And no, I won’t whistleblow either, as it would mostly be me that would face repercussions, and I am unafraid to say that I am a coward.
We choose the battles we fight, and I’d like to believe that ultimately, entropy will defeat them without me lifting a finger.
soc2fraud
No NDA can prevent you from making protected communications about fraud, illegal activity, etc. If you have seen fraud that involves the military you can make an anonymous report to the DOD IG. If it involves medical data you can make an anonymous report to the HHS IG. Or, if you want to get rich off of it, there's another option. Happy to chat.
dmos62
"Get rich off it" sounds shady as hell. What are you offering?
maxbond
Wouldn't it require a huge leap of faith for them to admit the audit was improper in order to have that discussion? Who's to say you aren't recording?
jacquesm
I've already established that it was improper. It's up to them to make the most of that knowledge and then to determine of this is a singleton or an example of a class that has more representation. In that sense it is free to them, I'm under absolutely no obligation to provide them with a service. But I'm willing to expend the time and effort required to get them to make the most of it. What I'm not going to do is to allow them to play the blame game or 'shoot the messenger'.
maxbond
I didn't mean it as a criticism, I think giving them the opportunity to improve and refusing to offer a scapegoat were both standup things to do. I'm just wondering if they were ever in a position to take that opportunity.
jacquesm
Hard to tell. But given that it was their legal department contacting me I think you know the answer to that one.
woadwarrior01
I'd called out fraud (blatant lying in investor updates) at a VC backed startup where I was a technical co-founder, once. I emailed all the investors and presented all the evidence to them. They decided to not rock the boat and keep my charlatan co-founder. So, I left. Now, the company is slowly bleeding to death.
buran77
> Now, the company is slowly bleeding to death.
There are thousands of companies where the shady practices are rewarded, the companies thrive and make money for the investors. So the investors are incentivized to reward this behavior just on the chance that they are rewarded back.
Whistleblowing sinks those chances and the investors and VCs know it. It doesn' just take away the money, it even takes away the plausible deniability. They put a lot of effort to absolutely punish any whistleblower to discourage the rest. Anything for a dollar. and this is probably all you'll ever need to know about almost every VC out there. Beyond the witty "I'm rich so I'm smart" blog posts and tweets, they're very much just the "anything for a dollar" type of people.
soc2fraud
if they touch the federal government, feel free to ping me. I can walk you through how to report to people who will actually do something about it and do so anonymously
peyton
To be fair, I’m not sure blatant lying in investor updates alone constitutes fraud. There needs to be harm (or the intent thereof) AFAIK. The other party needs to be using that information to make a decision. If you give me a dollar and then later I tell you I’m actually Beyonce, is that fraud? Or am I just a lying sonofabitch?
brookst
If I give you a dollar and you say it’s being spent wisely, Beyonce loves the product, you’re about to land Taylor Swift as pro bono public ambassador… yeah that’s fraud.
ikidd
It's encouraging future investment on a false pretext. I'd say that's fraud.
woadwarrior01
Lying in investor update was merely the tip of the iceberg. There was lots more, fabricating customer traction pre-investment, paying oneself back-pay for months spent twiddling thumbs pre-investment (before I was involved), etc.
My lesson from the whole kerfuffle was that investors (at least the ones I’d dealt with) prefer hustle over integrity and execution abilities.
zipy124
This makes sense because investors in startups just care that they aren't left holding the bag. As long as they aren't the final fool in the buy in chain, they don't care.
vasco
It's auditing, nobody that is good at doing anything goes to auditing, unfortunately its one of those jobs. I haven't interacted with any auditor that actually understood all they were auditing, some are better than others but the average is worse than almost any other job description I have dealt with.
arianvanp
If you care about this stuff you need to in-house auditing and do your own audits with people who care. Then get certified by an external auditor for the paper.
You can start very lightweight with doing spec driven development with the help of AI if you're at a size where you can't afford that. It's better than nothing.
But the important part is you, as a company, should inherently care.
If you rely on an auditor feedback loop to get compliant you've already lost.
disgruntledphd2
This function exists in every publicly traded public company, and is called internal audit.
It has the potential to be incredibly impactful, but often devolves into box ticking (like many compliance functions).
And it's really hard to find technical people to do the work, as it's generally perceived as a cost centre so tends not to get budget.
ownagefool
Nobody really tries to get technical people to do the work.
Like cool, it's a great idea and would potentially produce positive results if done well, but the roles pay half the engineering roles, and the interviews are stacked towards compliance frameworks.
There's very little ability to fix a large public company when HR is involved
pxc
Maybe it should be treated like on-call duty and have the load spread between existing engineers on some kind of schedule, maybe with some extra comp as incentive because it's boring and will take more effort/time in the "easy case" compared to pager duty.
disgruntledphd2
I think 12-24 month rotations would work really well, but given how the profession is currently setup, that would be difficult to do.
disgruntledphd2
Speaking as a technical (data) person currently working in internal audit for a not quite public company, it's not entirely uncommon.
I do agree that the pay isn't great, but it's the fact that it's considered a cost centre that's been the issue for me.
jacquesm
Everything except for sales tends to be seen as a cost centre. It's ridiculous.
Koffiepoeder
To be honest, I would even go further: if you think certification equals security, you are even more lost.
So many controls are dubious, sometimes even actively harmful for some set-ups/situations.
And even moreso, it's also perfectly feasible to pass the gates with a burning pile of trash.
jacquesm
And they do not track the industry at all, at best they'll help you win the war of five years ago.
Koffiepoeder
Imagine my face when I had to take periodic backups of stateless, immutable read-only filesystem, non-root containers for "compliance".
subscribed
Maybe that's just a goid moment to review your _policy_. About a half of our compute is exactly that, and we just don't have to do this sort of backups, that'd be silly.
We don't deal with the military though, only fintech (prime brokers and major banks, funds) some government. Plenty of certifications (have someone all site all year round),!no silliness.
jacquesm
That's hilarious :)
Ook goeiemorgen...
PunchyHamster
But companies don't care. They don't want compliance for feel goods, they want compliance because their partners require it. They do the minimum amount required to check the box
Aurornis
Caring about security and comparing about some of the arbitrary hoops you have to jump through for some of these compliance regimes don’t always overlap as much as you’d expect.
I’ve been at companies where we cared deeply about security, but certain compliance things felt like gimmicks on the side. We absolutely wanted to to do the minimum required to check that box so we could get back to the real work.
bob1029
You should check out the banking industry sometime if you'd like to interact with a competent auditor.
Compliance gets taken quite seriously in an industry where one of your principal regulatory bodies has the power to unilaterally absorb your business and defenestrate your entire leadership team in the middle of the night.
jacquesm
They could. But they don't.
I've seen this up close. The regulatory bodies as a rule are understaffed, overworked and underpaid. I'm sure they'd love to do a much better job but the reality is that there are just too many ways to give them busywork allowing the real crap to go unnoticed until it is (much) too late.
close04
Because they’re put there as a box ticking exercise without ever being given the power or resources to be able to do damage or negatively impact the bottom line of the big rule breakers. It’s just supposed to maintain the appearance of doing something without ever supporting these activities for real. For the most part they are a true Potemkin village. If the risk is diffuse (just some average Joe suckers will lose money) I wouldn’t hold my breath that anyone is controlling for real.
jacquesm
I hate to say this but I suspect you are right.
soc2fraud
Usually on a Friday night. If you see a bunch of rental cars hanging out near a bank HQ on a Friday afternoon, get all your money out before the doors close. FDIC is about to wreck shop.
maxbond
They do it on a Friday so they can work through the weekend and reopen the bank on Monday as a branch of a different bank which is solvent, so I wouldn't worry too much. I'd be more worried about putting my money in a fintech not regulated by FDIC or NCUA (though many contract with a "real" bank so that your money is still protected).
TheOtherHobbes
The industry is paid to provide a fig leaf for shady practices. Everyone knows what's going on, no one is going to do anything about it unless governments step in and give regulators more resources and more teeth, and "errors" lead to prosecutions and jail time.
None of those are likely.
This is the industry that missed Enron, WorldCom, Wirecard, Lehman, and many others.
jacquesm
> Wirecard
Don't get me started. That hasn't even properly ended yet, the fall-out is continuing to today.
noir_lord
I suspect many AI startups will be on that list in 2-5 years.
ragall
> But that's just the cherry on top.
That's not the right metaphor here.
maxbond
What should I have used instead?
ragall
It's "the last straw" or "the drop that overflows the cup". The "cherry in the cake" is in need to be a good thing.
maxbond
I appreciate the feedback. I'll consider how I can be more clear in the future.
My usage was ironic. I don't think those fit my meaning because I think the situation would be largely the same without the licencing dispute.
JasonHEIN
lol strongly agree it is just cherry on top. In big tech they also copy but just copy in a smart way so I don't believe that's the reason they got removed.
fontain
YC has no problem with morally questionable behavior, many YC startups do things that are just as shady. YC is, ultimately, not responsible for what these startups choose to do. Delve’s problem is that they betrayed so many other YC companies in the process. An important value of being in YC is access to a ready-made customer base. The licensing issue is nothing compared to their fake audits but it is an affront to the YC community, hence, kicked from the community.
I’m sure if Delve has only engaged in fraudulent audits or had only resold another YC company’s product, they would have been allowed to stay, the problem is all of that combined pissed off enough other YC companies.
madaxe_again
I think it’s partly that, but also that when you have something that is toxic, radioactive and on fire on your ship, you shove it overboard, and assess just how bad the damage was afterwards.
dvfjsdhgfv
> YC is, ultimately, not responsible for what these startups choose to do.
Formally they might not be (depends on the case), but morally they are.
alanknguyen
This is definitely why they're removed from YC. Their practices affect other YC companies like Lovable and such and that's absolutely unacceptable.
throwaway27448
> YC is, ultimately, not responsible for what these startups choose to do.
Of course they're responsible for their investments; they're just not liable. YC has a lot to answer for in the damage it's wreaked over the years.
senko
> YC has a lot to answer for in the damage it's wreaked over the years.
What damage is that? (excluding the present case)
user_7832
How about the privacy darling Flock?
officialchicken
> What damage is that? (excluding the present case)
That seems to be an introspective question.
1attice
Extrospection is valid spection
barry-cotter
They’re responsible for the existence of scribd. Not aware of any other obviously socially net negative companies.
transcriptase
For the uninformed what’s the deal with scribd?
tim333
Scribd are quite annoying. The pitch was "the YouTube for documents" allowing stuff to be posted and shared but they tend to try and get subscription money off you to see anything unlike the likes of YouTube.
CamperBob2
Scribd scrapes the web of all the .PDFs that it can find, then gates them behind a paywall and SEOs their way to the top of Google's rankings. That's it, that's all they do. They run a zero value tollbooth with other peoples' IP, taking advantage of users who don't have the search-fu to hunt down the documents themselves.
They should pretty much die in a grease fire.
roysting
Flock
monsieurbanana
Airbnb
energy123
Zak
I think when making the claim a company is a net negative, it's necessary to explore what would have happened if the company hadn't been founded.
I find it unlikely, for example that there would not be a dominant centralized forum platform. People would have certainly started problematic communities on the dominant platform, and it's unlikely a platform with strict moderation would have gained dominance before 2015 or so. I do think a dominant player would have been established by 2015.
Do you think whatever you see as harmful about Reddit would not have occurred if the company didn't exist?
dangus
This is like saying “that guy would have died eventually if I didn’t murder him.”
The corporate shield for accountability is so annoying in this way. Nobody’s ever responsible for things that they did as human beings.
Zak
This comment assumes both that Reddit is harmful and the outcomes were predictable. The former is debatable, but I am sure the latter is not true; the founders of Reddit didn't know what they were building.
They thought it was a social bookmarking thing for people to find and share blog posts. It didn't even have comments for the first half year. For two more years, self-posts only existed as a hack where the poster had to predict the post's ID to make it link to itself. User-created subreddits didn't show up until about 2.5 years after the site launched.
dangus
I’m pretty sure all endless scroll social media has been scientifically proven to be harmful. Reddit also runs a 1:1 copy of TikTok.
I don’t really care to defend the morality of extremely wealthy VC firms like YC. They know the enshittification process that happens with 100% of the companies they fund.
They could create companies with charters and ownership structures that ensure they exist to better the world and make good products as their binding guiding principals, but they choose not to.
More fun with this subject: https://theonion.com/sam-altman-if-i-dont-end-the-world-some...
energy123
It would have happened more slowly at least, delaying the increase in populism, nihilism and depression in the Western world, the anglosphere in particular.
Zak
What traits specific to Reddit as opposed to a hypothetical generic alternative forum platform do you think are major contributors to those social trends?
energy123
Recommendation engine pushing users into ideological bubbles, public voting mechanism creating incentive for conformity which then creates purity spirals, lack of moderation.
Zak
Early Reddit had a recommended tab, but that didn't last long. The current recommendation features are relatively recent - this decade at least.
It would surprise me if the winner in that space didn't have a public voting mechanism. Digg, Reddit's early major competitor had one, and heavy-handed moderation surrounding the HD-DVD decryption key leak was one of the major inflection points that drove users from Digg to Reddit. Stricter moderation during that time period would have been a losing strategy.
toyg
That's mostly imputable to Facebook, Twitter, and Instagram. Reddit is a footnote in the mainstream, which is dominated by those 3.
energy123
Given the number of Reddit users across the Anglosphere, I disagree that Reddit is not a major contributor.
hdgvhicv
The “I just have the arsonist the match, I didn’t tel him to strike it” approach of tech bros has caused untold damage to the world over the last 20 Years.
bartvk
I'm not saying you're wrong, but a blanket "untold damage" statement won't carry an argument here, you need to be specific.
TZubiri
But then it wouldn't be untold
cindyllm
[dead]
PunchyHamster
Of course, giving money to terrorists also doesn't make the side giving money responsible /s
The delusions people establish to feel better about their or someone else they like mistakes...
whatever1
All LLMs do this, yet nobody bats an eye.
tankenmate
LLMs can't be held legally liable, only the people who use them.
Craighead
hipaa*
maxbond
Oops. Thanks for the correction.
PeterStuer
You are overcomplicating this. They were ejected because they got caught. What for or how they got caught, does not matter.
maxbond
> You are overcomplicating this. They were ejected because they got caught.
I don't see how "they got caught doing X" is more complicated than "they got caught doing Y", but at any rate think it's worth being correct and precise in order to reason from accurate premises. If you absorb a lot of false information you'll start coming to incorrect conclusions and it'll be difficult to understand why. It took me years to unlearn all the bullshit I absorbed from when I used to spent a lot of time watching History channel documentaries.
> What for or how they got caught, does not matter.
So if they were ejected for jaywalking or for murder, that's all the same to you?
johnwheeler
[flagged]
jweir
If you see a fraud and do nothing you are part of the fraud.
maxbond
I've seen a bunch of people go on random crusades. Investigation is fun and righteous indignation is intoxicating. For certain personality types it's easy to get completely absorbed by a mystery/crime and not even realize how much time you're spending digging into it until the sun rises. Others may be intensely motivated by perceived injustice, dishonesty, or graft. Or they may feel personally cheated.
I don't know who this person is or whether they are legit but it doesn't surprise me that someone would do this.
trhway
it may be anybody. Even somebody at YC wanting to create a background to drop Delve if suppose Delve were shady and they discovered it (i really don't know anything here and am simply speculating, heard about Delve today first time, just googled and read some techcrunch article - it says Delve has 1000 clients - googled employee count - sub-50, and until it is "an Uber for auditors" i have hard time to believe that 50 Silicon Valley people can do even one compliance certification for one client, with AI or without)
mikkupikku
[flagged]
bombcar
It looks like a form of covering their ass - they basically (explicitly?) say they've been violating the law and it's Delve's fault.
hobofan
Yes, the way this is being pushed online seems like there is a competitor involved. If not in the initial disclosure, then in the daily rehashing of it.
It's also still unclear to me how much fraud they actually were involved in, and how much of the fault falls on them. SOC2 Type II and ISO 27001 are not audited by them, but by actual accredited auditors (apparently mainly Accorp and Gradient), which must have been just as complicit/negligent. As customers of Delve are free to chose their auditors I'm wondering how this hasn't blown up earlier.
maxbond
If there were not a manipulative competitor, if people just found fraud and abuse of open source compelling and the story was circulating organically, how would that look different? What do you observe that leads you to believe a manipulative competitor is a better hypothesis?
everfrustrated
Someone leaked an internal Bookface chat from Garry Tan (YC CEO) saying:
We have asked Delve to leave YC.
YC is a community, not just an accelerator. The founders in our community have to trust each other, and we have to trust them. When that trust breaks down, there's really only one thing to do.
We're not going to get into the details publicly. We wish them well.
I have no direct knowledge of the accuracy of any of this. This is not my account.
BugsJustFindMe
"They've betrayed my trust but I wish them well" is an interesting statement.
saagarjha
Someone doing harm to you doesn't automatically mean you wish harm to them. Not that I necessarily take what Garry says at face value but it's definitely possible to unironically take this viewpoint.
BugsJustFindMe
"Betrayal" requires intent so it's not just any old harm.
That may not automatically mean you wish them harm in return, but I believe it would be very uncommon to not.
gcr
"Betrayal" also isn't the word that GT used.
BugsJustFindMe
It seems like an accurate paraphrase in the context of other known news about Delve, and it was shorter than "We trusted them to not do something intentionally fraudulent and then lie to us, and I believe they knowingly violated that trust by doing something intentionally fraudulent and lying to us."
saagarjha
This is a core tenet in at least one major religion
lezojeda
[dead]
raverbashing
It's the polite way of saying goodbye when you actually mean "eff off"
roysting
People don’t realize that the people at the top of organizations are effectively like politicians in democratic systems only the vote comes in confidence; usually manipulative, lying, and deceptive because they are inherently dependent on maintaining perception of the people they rely on and underpin their roles and power.
One way in which they do that is to ride or effectively are selected by the system for their mastery of the psychological trick of positivity and optimism that predisposes people to follow and trust, e.g., even when someone betrays you, you “wish them well.
In such systems, courage and hard lines that enforce strict rules, discipline, and principles does not provide the leaders in that system the affordances and benefits of leadership. As has been indicated, the subject behaviors are not only not novel, nor are they unique. What precipitated this current action appears to be the egregious and probably violative nature of the behavior, not the behavior itself. The veneer of perception was pierced, which is the real trigger of action.
Just use my saying what I just said above as an example, there will be people who have not even read this last paragraph and will it will have the urge to down vote what I said solely on the basis that they want to punish me, the messenger, because I’m pointing out things that are very much true and not saying it in a positive manner. It causes feelings of discomfort and especially in American society today where everything is geared towards positivity and good feelings opium, not bad feelings, even if you’re being scammed or defrauded or lied to, you have to remain positive, say things in positive ways, be “constructive”.
I don’t know if it’s sustainable because it’s such a con job at its very core, an abusive confidence trick, maintaining the perception of confidence and optimism to keep people happy and positive and optimistic regardless of red flags; however, we shall all find out one day if no one being able to deal with reality anymore if it’s not wrapped some nicety, is sustainable. Hence, “They violated us/me” but “I wish them well”. See, they are wished well, so everything is fine and we just removed the bad apple, nothing to see here, keep being positive as the telescreen instructs you to.
altmanaltman
"they can fuck off from where they came" would be a bit too intense even for Gary
ethanwillis
I guess if he told them "die slow motherfuckers" as he's told others that wouldn't be too intense for him.
justin66
“We’re keeping our distance but we still own a piece of their company” might have done it?
brookst
It’s what you say to establish it’s a professional action taken for business reasons.
margalabargala
"I wish them well" is an idiom for "I never want to see them again".
Kinda like "bless your heart", which means nothing of the sort.
huhkerrf
Why do non-Southerners keep insisting on this? Bless your heart can be said sincerely or ironically, like pretty much any other phrase.
maxbond
The ironic usage makes for compelling dialogue and comports with stereotypes about Southerners as formal/restrained. So that's what ends up on television. At least that is how I think I came about having that impression.
guzfip
> So that's what ends up on television.
Maybe 7-8 years ago I met an Iranian. They were genuinely shocked I wasn’t a cowboy hat wearing racist when I told them I was from the south.
I grew up in the Atlanta area.
ubertaco
Yeah, I get this a lot, especially from non-southern in-laws who think it's a hoot that they've "cracked the code" and can "speak southern". Being repeatedpy stereotyped to your face gets old pretty quick.
For folks who don't know, here's the best explanation I can offer from growing up in the Atlanta area (but well outside the perimeter):
"Bless your heart" is most commonly an expression of sympathy.
Sometimes, it's sympathetic towards the hardship someone's going through (e.g. "and right after his grandma passed, bless his heart.")
Sometimes it's sympathetic to the trouble someone went through (e.g. "oh bless your heart, you didn't have to go out of your way to bring extra! Thank you so much!")
And yes, sometimes it's an expression of sympathy for the fact that life must be hard for you because of your ignorance, stubbornness, stupidity, or arrogance (or some other such stunting quality) (e.g. "and he thinks he can graduate from Tech with those grades, bless his heart," or "bless his heart, I just don't think he's ever had anyone tell him no in his entire life.")
cbarrick
Yeah, it's a pretty versatile phrase that's hard to explain. But it does often have a connotation of childishness or naivety, even when used sincerely.
It is often used an expression of thanks or appreciation, but I associate that more with an elder speaking to someone younger.
Most of the time, it is an genuine expression of true empathy, but it's not uncommon to be used as a passive aggressive expression of false empathy. It's that childish connotation that give it the extra bite when used passive aggressively.
And that plausible deniability, where the phrase is used in a genuine context often enough that sometimes you can't tell that someone is throwing shade, is very much a reflection of southern culture.
Source: Grew up in Georgia and North Carolina, with some family in Alabama.
margalabargala
You mean kinds like "I wish them well" here?
My comment is an internet comment about idioms, not a comprehensive linguistic treatise.
You seem like you're looking for something to be upset about. I wish you well.
DANmode
but should it be?
4b11b4
The gstack is also pretty interesting.. well, not really
dtf
It's giving Gwyneth Paltrow at the conclusion of her ski crash trial.
vr46
"Bless their little hearts"
DonHopkins
Apparently Garry Tan has the same warm feelings and friendly relationship with Delve as Trump has with Ghislaine Maxwell.
Trump On Ghislaine Maxwell: "I Just Wish Her Well" | NBC News
taikahessu
Everyone one of us makes mistakes. Wish all well and see what the future brings.
pessimizer
It wasn't a mistake, they did it on purpose.
dmos62
Don't you wish well on people you don't want to associate with? It would be interesting if you didn't, imo.
latexr
> people you don't want to associate with
That’s an oversimplification of what your parent comment said, which was someone who has betrayed your trust.
> It would be interesting if you didn't
Why? What’s interesting about it? You don’t have to actively wish harm on people who harmed you, but there’s nothing strange about not wishing them well.
dmos62
You make it sound like wishing harm or wishing wellness are activities while not wishing anything is just the default passive state. To me the default posture is not indifference, but wishing wellness.
We throw around words like "interesting", which is a subtle way to say "not normal", which is a subtle way to say that that's not how we would behave and that we think that others shouldn't behave that way either. So I take back what I said about what is interesting to me, and I'll just say that I wish it was normal to wish well to others, regardless of their actions or repercussions you impose on them.
BugsJustFindMe
> You make it sound like wishing harm or wishing wellness are activities while not wishing anything is just the default passive state. To me the default posture is not indifference, but wishing wellness.
It looks like you've misinterpreted both what I said and what latexr said. Allow me to clarify and reorient the conversation back to the original direction...
First, neither of us is the universal subject. Your default feeling and my default feeling are not "the" default feeling. There's no such thing as "the" default feeling.
Second, nothing I or they said has anything to do with any "default passive state", because this is not a "default passive" situation. The word "betray" here is important. "Betrayal" happens actively, not passively. Feel however you want to feel about your passive default situations. This situation is different.
The only way someone can "betray" trust is by invalidating trust on purpose. If they harm you on purpose without trust, they have not betrayed any trust because there was none. If they invalidate trust accidentally, they have not "betrayed" the trust. They only "betray" your trust if you put trust in them and then they invalidate the trust intentionally.
> I'll just say that I wish it was normal to wish well to others, regardless of their actions
How very noble. Anyway, sorry Siddhartha, if someone actively "betrays" me they can go die in a fire. That has nothing to do with my "default passive" feeling about people.
dmos62
I agree there's no universal default or normal. That was my point too. We are in agreement that betrayal and purposeful harmfulness don't have a default reaction. I expressed how I choose to react, and you expressed how you choose to react. Our choices don't match, and I think that's ok.
I've not read Siddhartha. I take it you didn't like it.
latexr
> You make it sound like wishing harm or wishing wellness are activities while not wishing anything is just the default passive state.
Not what I said.
> To me the default posture is not indifference, but wishing wellness.
Same here. I’m not convinced that’s the default state for everyone, though. David Foster Wallace’s “This is Water” comes to mind.
> We throw around words like "interesting", which is a subtle way to say "not normal", which is a subtle way to say that that's not how we would behave and that we think that others shouldn't behave that way either.
Sure, I get that. Though you’re still answering as if what was in question was the neutral state of “people you don’t associate with” rather than the negative state in question mentioned by your original parent comment of “someone who has wronged you”.
> I'll just say that I wish it was normal to wish well to others, regardless of their actions or repercussions you impose on them.
Interesting. No criticism on my part. My wish would rather be that we don’t wrong each other (which, crucially, requires intentionality) in the first place. And while I don’t typically wish ill on others, I don’t think it’s wrong to not wish well on those who cause harm. If you’re a despot oppressing millions of people for your own selfish benefit, I don’t really think wishing you well is a positive action.
But again, no judgement, I was trying to understand your position, so thank you for clarifying. Have a nice weekend.
blitzar
No, if I believed wishes, hopes and prayers affected anything why would I waste the finite quantity of them on random people let alone people I professionally separated myself from?
As Donald Draper once said "I don't think about you at all."
dmos62
If you would rewatch Mad Men, you might notice that Donald Draper is not well adjusted. It's not subtle either.
What makes you say that wishes are finite? Do you ration them out to your loved ones?
blitzar
We have finite time, considering ones wishes towards someone takes a portion of that time even if it is a very small fraction of time.
dmos62
If we get into it, I think that beliefs are a better abstraction that wishes. Beliefs structure relationships. How does a person believe that he relates to another person. So when I think of "wishing someone well", it's an English-language nuance that makes it an activity, but in reality it's a choice of what beliefs I hold. And, I find, the only beliefs that are a chore to carry around are those that don't serve me.
empathy_m
Is this the first time Bookface screenshots have been published publicly?
edm0nd
[flagged]
minimaxir
The text implies it’s more due to the alleged license violation of a YC startup’s IP than the alleged fraud.
kstrauser
Really? I know nothing about this other than what I've read here, but my first guess was the breakdown in trust means the allegations of fake audits.
minimaxir
I was half-joking, but if YC has a legal issue resulting from the alleged fraud (unclear currently), kicking out the company for the lesser infraction would make more sense.
FreakLegion
Investors aren't on the hook for the bad behavior of companies they invest in. Quite the opposite: Defrauding investors (and acquirers, and creditors) is commonly the thing that lands people like Elizabeth Holmes in prison.
rvnx
Ycombinator may have financially benefited from the scam operations since the company subsequently raised funds.
Considering they do due diligence before investment and are experts in IT and legal, how could they not know what is the business model when it was the unique selling point ?
FreakLegion
Because Delve defrauded them.
rvnx
Yeah, yeah... of course, of course... like telehealth companies prescribing GLP-1 Ozempic/Wegovy where there is one doctor for 10000 patients. Totally sounds legit.
wahnfrieden
It is very clearly the fake audits.
neya
Hi, sorry, just new to this entire story, could you please share light on the fake audits? Trying to understand what exactly happened.
neya
Thanks!
thoughthadlogin
Sure, most companies could add an About section and probably put this behind them pretty quickly. They could have even hired someone like Delve to assure this kind of thing wouldn’t happen again.
But Delve themselves can’t really do any of that. They’ve screwed up on a fundamental piece of their own business model. Their core offering *is* Compliance as a Service!
How could I trust their word that they’ll ensure my company is compliant? How could I trust their word that a company I’m doing business with is compliant? They can’t even handle their own Apache 2.0 licensed works, and that’s child’s play- relatively speaking. I’m supposed to trust that they can handle PCI and HIPPA and all the rest for other companies?
This is like having a dentist who doesn’t brush and floss their own teeth. Or a building inspector working out of a moldy office suite with exposed rebar. Or an editor with a personal website full of typos and grammatical errors. It’s a dealbreaker to anyone with common sense.
borski
You’re right, you can’t.
Unlike Zenefits, which had (allegedly?) committed fraud for part of their business in the interest of moving faster, and then Parker came back with Rippling…
These guys’ entire and actual business model was fraud.
DaedalusII
zenefits didnt commit fraud in the social sense they allowed people to sell real financial products without having a broker licence. its more like not wearing seatbelts than scamming people
the car was real, but there was no drivers licence. 'licence fraud' -> fraud
delve is an actual scam
nfw2
It's not just about delve. It's about yc's model. YC encourages YC companies to trust other YC companies even though they are early.
If you can't trust your batch mates for something as crucial as compliance, the model doesn't work.
jmcgough
They've graduated 5,000+ companies, so some fraud is hard to avoid, especially with young hungry founders willing to do anything to succeed. Honestly, it's a pretty good track record that there's only been a handful of companies like this.
LunaSea
It's precisely because they graduated 5000+ companies that fraud is more difficult to avoid.
They scaled up massively the size of each batch and their frequency to a point where they are incapable of auditing them.
ohashi
Maybe someone should start an auditing company for YC... oh
financetechbro
There is too much friction in the audit process… someone needs to solve this
redanddead
this is a teachable moment for yc, maybe the cost of investing in a sour apple is a lot more than half a mil, maybe there's a brand or reputational cost, even in places you least expect it right, these two seemingly had everything laid out for them by investors, did they even come up with compliance? who told them to work on that? now look what happened, it's like everyone cant get far enough fast enough now. What about their lead investor insight partners? what's that conversation like?
it's all just very strange and stupid, ironically from the the startup posing as auditors..
robotswantdata
Seems crazy that anyone (startups and buyers) would trust these guys for audit.
Shows the “compliance theatre” of what SOC2 has become
progbits
It's always been one.
Every single technical auditor I've dealt with has been majorly incompetent and wanted to do things that would decrease security. And these were not some cheap bottom of the barrel companies but the big "industry leaders".
sheiyei
Oh my, that is so funny and terrifying, but also exactly what my first expectation is for a consultancy firm
worik
It can work under the umbrella of some sort of coordinator
That looks like what happened here.
gnabgib
Related: Delve allegedly forked an open-source tool and sold it as its own (295 points, yesterday, 153 comments) https://news.ycombinator.com/item?id=47615434
whilenot-dev
More likely related: Delve – Fake Compliance as a Service (836 points, 14 days ago, 323 comments) https://news.ycombinator.com/item?id=47444319
hbbio
avaer
I wonder if the kind of personality that gets you on 30U30 correlates with being willing to engage in massive fraud, and being able to get away with it for a minute.
Holmes, SBF, Shkreli, Charlie Javice, Ishan Wahi...
gmd63
When ambitious competitors who can't accept loss or normalcy enter into a field that's saturated with skilled rule-abiding players, they'll cheat.
Hypercompetitive fields will always surface cheaters given enough time. Then regulations pile on to fight the cheating, which makes it harder for honest people to do the good work.
We do not punish cheaters like these as much as we should.
kstrauser
You know, after all this time Lucas Duplan doesn't seem so bad. His hubristic sin was posing for a photo burning fake hundred dollar bills. That just seems like a random Tuesday now.
minimaxir
Naming his startup “Clinkle” should have been a crime, though.
kstrauser
That was epicly horrid.
vr46
When the stakes are high, non-compliance with the rules or the law might be worth the risk, see professional athletes and drug cheats, right?
Karma and integrity seem to be treated as an overdraft. But these folks are hardly held back by the systems they work in.
malthaus
"that gets you on", ie. the kind of personality that literally pays & hustles to be featured on such a list to fuel their own ego?
colour me surprised
people still seem to think that forbes scouts the world for the best talents instead of the lists being basically a paid ad
TrackerFF
If I remember correctly, you need to be nominated by someone to be considered for the 30U30 list. Some of the people on those lists will literally run their own campaigns to get on the list, meaning that they'll pay people to nominate them, pay PR firms to run stories and campaigns. Other people do seemingly nothing, and just get nominated by legit people that admire them.
So, I'm fairly certain lists like that will attract some amount of unscrupulous narcissists.
raverbashing
Yes? I mean, 30U30 has probably some, let's say, "PR steering" behind it
Not "Pay2Win" but possibly something less involved
rapind
Not sure it's exclusively a U30 thing. When it comes to grift and fraud, a well known 79 year old comes to mind.
pdpi
I'd focus less on the U30 part, and more on the 30U, if that makes sense — the problem is with people who seek that sort of attention (and that 79 year old certainly qualifies as wanting that sort of attention). For those people, their businesses are a means to an end in the most cynical way possible.
DonHopkins
Who rapes and bombs schools full of U18 children.
Ekaros
That is just what the O18 want in there. Last one also got their role because that. Doing it in public on camera.
DonHopkins
Speak for yourself. I'm O18 and I don't want him in there like you claim to. Most of his base claimed to be anti-pedo until they saw the evidence in the unredacted subset of the Epstein files that Congress legally forced him to release, and now suddenly they're pro-pedo (and pro-war and pro-bombing-schoolchildren). But you be you, and make baseless evidence-free false equivalence accusations against other people to justify the rapes and legally adjudicated sexual assault and pussy grabbing by the guy you as an "O18" claim you want in there.
vr46
30 Under 30 to Life
Forbes MOST WANTED
GaryBluto
30U30D30
xyst
[flagged]
yyds666
Great to see them take action. I'm waiting for cambioml next. A married couple notorious for fraud that apparently relocated to ME as a result. That's outside of the terrible treatment of ripping off interviewees (see: https://www.reddit.com/r/devops/comments/1n7cdua/got_a_devop...). Won't even comment on other stories I've heard related to them screwing over employees/cofounders.
redanddead
Damn. Deepmind, Stanford, Berkeley, only to end up doc parsing for Applied Systems/Ezlynx, and scamming redditors
jazzpush2
That reddit thread is brutal, knowingly making interviewees pay hundreds of dollars to interview in this economy is messed up.
jrflowers
On the one hand the company that was selling companies pre-made “You’re hipaa compliant” pdfs was doing fraud, but on the other hand the companies that were buying “We’re hipaa compliant” pdfs that said they had implemented compliance measures that they definitely hadn’t were also doing fr
penguoir
Here is Delve’s defence to the whistleblower
joenot443
Wow, that writing is... earnest?
> Below are just some of the many inaccuracies in the story and then the truth.
> The Substack inaccurately said Delve relies on “Indian certification mills operating through front companies” and cannot pass legitimate audits. This too is not accurate.
At least it's not GPT but my goodness - you can definitely sense the panic. I think Karun is a little worried.
wenbin
Curious - in this situation, does delve return money to YC? Or YC simply writes off the investment
argee
Neither. "Leaving YC" or "being removed from Y combinator" really just means you (more precisely, your YC/HN account) loses access to internal resources like bookface. This does have the knock on effect of essentially isolating you from the community. It's not entirely a punishment, it can be as simple as you are a person who isn't working on a YC company anymore, for example.
This has zero bearing on equity, which would be a different conversation. In this case, I think the YC SAFE is likely to remain as-is, unless the founders choose to return the money, or YC chooses to levy a heavier allegation of fraud (which they don't seem to have done here).
raverbashing
The investment details really depends on the term sheet details
And I don't think this is just not "getting locked out of the website", but losing the YC "nod" is a greater deal in itself
rekttrader
Ya it’s a total write down, I dunno how much they took from YC, if it was the standard deal this is just the cost of doing business.
DANmode
Based on?
carabiner
Bye-bye tweet from founder: https://x.com/kocalars/status/2040262537166618887
Notably YC hasn't wished them a farewell.
GaryBluto
> striving to make the world a better place.
Why do all start-ups say this? I don't think there are many companies publicly saying "We're going to go 'scorched earth' on everybody."
bombcar
Because if they had the money to be honest about it they'd not be a start-up!
nurettin
Striving to make the world a better place for us. Is what is implied.
minimaxir
It was a meme over a decade ago so prevalent that HBO's Silicon Valley did a joke about it: https://www.youtube.com/watch?v=B8C5sjjhsso
Saying it in 2026 just makes it sound more insincere than usual.
shepherdjerred
Oracle, right?
mikert89
funny thing about this tweet is the founder still couldnt stop herself from name dropping MIT
carabiner
Look at this series of tweets from her:
> One interesting observation I’ve noticed is a lot of top founders did oddly strong at math from a young age.
https://x.com/kocalars/status/2027076198002553159
Nauseating.
claaams
Much like their soc audits, her time at MIT was also incomplete. Still doesn’t stop them from cosplaying as a grad though!
emerald_rat903
So they decide to drop this from their COO while their CEO has been doing all the talking on a friday night? Looks like YC told them they had to announce this and this was their least-viewable option.
philip1209
At least they put a ladder up that tree
jmcgough
Turns out you can't "fake it til you make it" with SOC2 compliance.
cleansy
Fake it til you make it [into the news for fraud allegations].
nnurmanov
[dead]
cyrusradfar
Related from an hour earlier: Delve removed from YC website [archive.org] https://news.ycombinator.com/item?id=47634405
ChrisArchitect
an example of why to avoid archive links in submissions (save 'em for comments), because the source link here will win.
cyrusradfar
Thanks! felt crazy linking to a 404 ;) live and learn
EdwardDiego
But they "set the record straight"? Right? It was just a malicious actor who stole data from their system!
Good riddance to bad rubbish.
https://delve.co/blog/delve-sets-the-record-straight-on-anon...
apt-apt-apt-apt
Not surprising that Cluely is using them.. they were probably like, what we're compliant, sure if you say so
jaredsohn
Interestingly, they show up in the company list. When you click the link it returns 404.
whilenot-dev
Probably just a means of updating the Algolia index.
sandeepkd
Its quite ironical and interesting at the same time, seems like there is a threshold size/impact beyond which everyone would come and save you, anything less and you will have to bear the consequences.
jrflowers
I like that this sets the precedent that if you want people on HN to believe that they’ve dropped any arbitrary company you just have to point to a convincing-looking url on the ycombinator domain and the 404 signals that you are both correct and following the rules.
cmiles8
Sadly looks like another example of “fake it till you make it” in highly regulated industries is playing with fire.
phplovesong
Classic. I knew this would happen ever sine i first saw Delve on YC. I was right to trust my gut, and never used their product.
redanddead
it felt very forced from the start, there was no iteration, narrative or pivots
who got these kids into compliance? cause it wasn't them
thaumasiotes
The headline here says "Delve removed from Y Combinator", but the link doesn't go to a statement by Y Combinator. It goes to a 404.
Is there reason to believe that Delve has been removed from Y Combinator, the organization, or is this more an announcement that Delve has been removed from Y Combinator's website?
fg137
404 == "removed from Y combinator"
thaumasiotes
Meaning what?
bboreham
From @patio11 a week ago: https://www.complexsystemspodcast.com/episodes/delve-into-co...
kshri24
YC needs to go back to how it was. Choosing those who know what they are doing, and have been in the game for long and not blindly choose those who have graduated from tier-1 institutions. University degrees mean nothing at the end of the day.
And please stop investing in slop/wrappers. They do not solve World's problems.
I feel there has been complacency set into investing in general where investors are chasing quick money (first crypto and now AI slop) over solving hard/grueling problems that take a long time to fix but have huge returns down the line.
And we have a lot of tough problems that still need solving. AI won't magically fix that, despite being a great tool.
embedding-shape
Yeah, used to be that a lot of companies in the batches made more or less sense, or you could at least see how they'd made sense if they managed to successfully reach their vision, even if it many times was a bit wishy-washy.
YC since then seems to have moved into a "spray and pray" approach where the ideas don't matter at all, they're 150% in on the "We invest in founders" idea now, almost too much, although I know that's always been a thing they've thought about. But all the batches since some years ago are just so uninspired and seem to be quick cash grabs, or obviously acquisition targets, rather than "solve a problem you experience yourself" which seemed to be much more popular (and realistic) before.
whoknowsidont
>choose those who have graduated from tier-1 institutions. University degrees mean nothing at the end of the day.
It means everything for YC's model.
YC does not care about the software.
They care about the founders.
YC's model and ecosystem is explicitly designed to be a who's who club of interconnected founders that are very, very encouraged to """rely""" on each other when building their companies.
YC uses a lot of double speak regarding this ecosystem, but if you explained the concept to a layman on the street they'd tell you exactly what this concept is in just a very few, very blunt words.
Elite-class founders and lots of cheap, imported, or "passionate" labor.
Let's get real here folks.
DaedalusII
yes obvious but this is not a secret, its the whole point of yc
yc is explicitly an imitation of harvard , right down to calling people 'alumni'
this is how to find supertalent. much like american idol it works well but not for everyone
an0malous
It starts from the top
rvz
Agreed.
bilalq
While I do think Delve and the leadership there should be held responsible, it's a bit weird to see YC and others take shots at them for breaking the law when so many of their prized unicorns achieved what they did by being willing to just ignore laws and deal with the consequences later.
olalonde
Working around arguably dumb regulations and making your customers happy in the process is not the same as defrauding your customers.
arionhardison
While I agree with you, I also find myself wondering who draws the line. Given the current political atmosphere and its increasingly fluid relationship with "truth," I have to consider that the line for others may not be where it is for me — especially given the nuance buried in the details of many B2B deals.
Their value prop had to be strong enough to get past YC, past the other founders in the batch, past due diligence. Given that, I'm no longer comfortable casting "fraud" as a clean binary.
To be clear — I do genuinely believe they are a fraudulent company that lied and deserved to be removed. But introspectively, I have to sit with the fact that the space between "working around dumb regulations" and "outright fraud" is murkier than we'd like to admit.
pm90
The vast majority of crimes are still being prosecuted as such. You have to reach a certain size/notoriety and money to buy a POTUS pardon; I doubt that matters for a relatively unknown outfit like Delve.
worik
> Working around arguably dumb regulations...
...is breaking the law
kaashif
Yes, but there is a difference between:
1. Customers want to do something, you help them do it, but it's illegal.
2. Customers want to do something, you tell them you did it, but you were lying and defrauding them.
miki123211
And
3. Customers want to do something, you help them do it, and nobody has done it before, so whether it's legal or not is kind of up in the air.
E.G. Uber exploited a legal loophole that distinguished the kind of taxi service you hail on the street from the kind of taxi service you call on a phone.
The latter were much less regulated, and usually much more exclusive and pandering to a richer crowd. Nobody really knew which kind Uber should be classified as, it was the first kind in practice (same customer base as normal taxis) but the second in theory (ordered, not hailed).
NeutralCrane
Is there? At the end of the day both boil down to breaking the law. It’s not better to break the law because someone paid you to do so.
kaashif
Yes, I just described the difference.
It is clearly different because in one case you are not guilty of fraud.
Being guilty of a crime plus fraud is obviously worse than just being guilty of the crime.
Breaking the law by stealing a loaf of bread is obviously different to killing one million people but "both boil down to breaking the law" - I'm not sure that comment contains that much information.
borski
Ignoring a law is different from knowingly and intentionally breaking the law, especially when that law is actual intentional fraud.
Also, there was no “endgame.” They weren’t trying to change the law; they were exclusively breaking it for profit.
bilalq
Let me more clearly instead say that many successful startups knowingly and intentionally broke the law.
But I agree that Delve is a special case and should naturally be held to a higher standard here because their whole business is around being compliant with the law. When most other startups break the law, they do it to get an advantage over competition. Delve did it in a way that sacrificed their core value towards customers.
redanddead
that's defrauding the customer
this will literally get them in court
borski
Yeah, precisely.
afavour
> Ignoring a law is different from knowingly and intentionally breaking the law
This is something Airbnb has facilitated for a very long time, no? And Uber, back when it started.
From a legal perspective I don’t see that it matters whether you’re trying to change the law or not. You’re either following it or breaking it.
borski
Sure. Technically and legally, you’re right.
In reality, it makes quite a difference if public opinion is on your side or not.
“We decided to commit fraud by providing fake compliance reports” reads very differently from “we let homeowners make money by renting a room”
bpodgursky
The difference is that Airbnb customers used Airbnb because they thought hotel regulations were dumb and overbearing (or at least, they didn't care about the laws). Delve customers were literally trying to obey the law and Delve (allegedly) lied to them about it.
jrflowers
> Ignoring a law is different from knowingly and intentionally breaking the law
This is like a line from a Naked Gun movie. The only way that this sentence could be true linguistically is if the party doesn’t break the law that they’re ignoring (e.g. I could ignore the rule against perpetuities while drunk driving through a zoo)
TurdF3rguson
> Ignoring a law is different from knowingly and intentionally breaking the law
Huh? In a legal sense I'm pretty sure they're the same thing.
borski
I ignore the law every day when I jaywalk. Technically, you’re right that that is also breaking the law. I wasn’t being careful with my words.
How and why matters, though.
TurdF3rguson
> How and why matters, though.
How and why you break a law matters (to a judge / jury). Whether you frame it as "ignoring" vs "breaking" in your legal defense, not so much.
borski
I agree; I attempted to clarify that with my “not using words carefully” but that is a fair criticism of what I wrote.
jrflowers
That’s not how words work. This sentence
> I ignore the law every day when I jaywalk.
Means the exact same thing as “I intentionally break jaywalking laws every day”. They are equivalent sentences.
borski
I agreed with you; that is why I said I wasn’t being careful with my language.
jrflowers
What does that mean
worik
> I ignore the law every day when I jaywalk
Not illegal here, but I hope you not complain when caught and fined.
kaashif
Jaywalking was illegal in NYC until 2025 but literally every crossing had people doing it constantly. This is not figurative, it actually is literal.
Including people doing it in front of police. Including the police themselves!
The law only existed for police to harass and fine blacks and Latinos. And indeed, that was how it was struck down.
It is critical to a just society that victims of unjust laws or uneven enforcement complain!
tjwebbnorfolk
There is a difference between "fake it till you make it" and "blatant widespread fraud", but the line is blurrier than many startups would like to admit.
HaloZero
I think it's fairly straight forward why. It's because Delve broke the law and got other YC companies in trouble vs other industries & people not under the YC banner.
colechristensen
There's a sliding scale between fake it `till you make it and fraud.
tikhonj
Yeah, fraud is what happens when you don't make it.
rvnx
Laws don't apply to you if you are big enough (e.g. AI companies)
sky2224
Can you provide examples of YC startups that knowingly broke laws and just dealt with those issues later? I'm not very aware.
bix6
Airbnb, DoorDash
antonvs
Uber
el_io
Uber is not YC backed.
antonvs
Oh my context window is apparently too small
gmerc
The deal is to have plausible deniability and not get caught
Pxtl
They broke laws that programmers care about.
Like, it's a company that sells AI-slop powered regulatory compliance. How many laws do you think the "fake it ill you make it and you'll never make it" AI will break? But "regulatory compliance" is laws that startups hate, so breaking them is good.
Copyright and the copyleft licenses built upon it are the laws that support the software industry instead of just making sure innocent people aren't hurt by all this innovating and disrupting.
MangoCoffee
fake it until you make it? at some point this attitudes of Silicon Valley start up will back fire.
KennyBlanken
> At its core, this article argues that Delve fakes compliance while creating the appearance of compliance without the underlying substance.
Anderson Consulting er I mean "Accenture": "Hey, that's our job!"
PWC: "Yeah! Fuck off!"
KPMG: "Damn straight!"
Ernst & Young: "What they said."
Deloitte & Touche: "Ditto."
( https://en.wikipedia.org/wiki/Accounting_scandals#List_of_th... )
anovikov
Interesting! I worked for one YC startup that committed blatant fraud, with the founders vanishing when investors started chasing them to bring them to responsibility. And they haven't been removed. Just marked as "inactive".
rvnx
As early investors, did YC benefit from the fraud at the expense of the newer investors ?
anovikov
Nope. Founders just disappeared with whatever money was left.
They claimed to have a working product and a big list of paying clients while in fact they had a half-assed prototype written by one hapless dude who they paid to the tune of $15 an hour. Which i helped to transform into a somewhat-better prototype and they paid very well for it. But no actual paying clients ever existed and the idea was obviously brain-dead from day one. After they got tired of pretending, they stopped paying, then disappeared. Then years later i read in the news that subsequent investors launched an investigation into fraud and they were put on the list in some countries.
I'm sure no one except themselves ever made any money on it, certainly not YC.
orf
What one? There’s little risk of naming the startup.
philip1209
Can they keep their CISO out of jail?
redanddead
waiting on the cluely scandal next
xdavidliu
> 404 not found
"delve removed from y combinator" removed from y combinator
mememememememo
404s for me
bcraven
I think that's the point - they have been removed.
OptionOfT
That's the point.
mememememememo
Sorry! I thought it would be announcement. And it was subsequently taken down due to the HN interest.
fredgrott
hmm, how is this not like when Sam Altman was kicked out?
Post now seems deleted.....
Well, can see why...if its fraud you only post it when results of investigation by 3rd party is in due to defame concerns...
rvz
There is no saving Delve after this.
The only next product launch is an investigation.
big-chungus4
An I the only one who has 404 not found when I click the link
_morgs_
That's the point...
edm0nd
which means it was removed...which is the entire point of the post bruv
mememememememo
This is where I'd actually appreciate "blog spam" i.e. a quick post to mention the URL, link to archive to show what was there before and explain the significance.
dankobgd
The only good delve is the go debugger
baggy_trough
can't believe I almost spent 10 grand on this company a week before they blew up.
everfrustrated
The two founders being early 20's with no background in compliance wasn't a red-flag?
mememememememo
Plus the 30u30 is now a signal.
baggy_trough
I didn't know about them or think to check into the founders.
greenchair
streissand effect in action, surprised this thread was allowed to live.
jacquesm
"By combining the evidence I collected together with what the sim.ai team provided, I will show that Delve has stolen an open-source company’s tech by violating their license and then making a lot of money with it."
->
You mean like OpenAI, Anthropic and all these other 'unicorns'?
I'm happy we're all clear on how bad Delve is but in essence what they were doing is exactly the same as what these AI companies do.
Tyrubias
While I despise the sham commercial LLMs have made out of intellectual property, I think Delve is one step worse than that. The technology behind LLMs is innovative, even if the data used to train them have ethically and legally dubious origins. Delve doesn’t even have the ability to claim anything they’ve done as original, unless you count fraud as a service.
chromacity
> Delve doesn’t even have the ability to claim anything they’ve done as original, unless you count fraud as a service.
I'd wager there's some prior art...
jacquesm
The only thing that makes delve worse in my book is that they're selling compliance, they have zero excuses. But the likes of OpenAI and Anthropic even if they don't sell compliance do whitewash bulk copyright violations and they have valuations far in excess of Delve. Too big to fail I guess.
throwaway81523
Fraud as a service! The next big thing!!!
cjbgkagh
Presidential pardon insurance, like audit insurance but for breaking laws instead of filing taxes.
dataspencer
They delved too greedily and too deep.
mgraczyk
Having gone through the SOC2 process multiple times and having worked with and read SOC2 reports from many public companies, it's difficult for me to understand the outrage.
The specific fraud allegations are bad (lying about US based auditors) but it's completely normal and common for soc2 reports to be templates with no company specific information. It would be unusual for reports to include anything about the specific information found during an observation window as some have suggested.
SOC2 is basically fake and it isn't possible in practice to fail to be compliant. You really can apply the same template to all companies and automate the audit process.
ramraj07
We have done SOC2 and it's not fake. Its real and enforced some good practices and we spent a lot of time collecting evidence and submitting it. You can take it seriously or you can choose not to.
mgraczyk
What evidence did you collect that was not automated?
yearolinuxdsktp
A startup might have trouble with, and might not have enough automation for:
- proving churned customer data was deleted completely and within the agreed-on period of time
- - not enough to have a record
- - auditors will ask you to prove the data is not laying around
- proving branch rules are set to require PRs and prohibit changing history on release/trunk branches
- - auditors will ask you to show live that you can’t approve your own changes
- - some auditors might ask you for an audit log to prove no unexpected branch rule changes occurred —- depending on the observation period, you might have to build your own audit log capture to prove this
- proving you performed a disaster recovery test in production with the frequency you claim (e.g. annually)
- - running a DR test might be more than a few hours depending on your data size and level of infra automation
- - this is often something that startups are ready to execute, but don’t invest a lot of time automating
- - this is automated with MDM but a startup might not be running an MDM yet
- - automated reports are available for some credentials, e.g. AWS keys, but takes more work for smaller vendors
- - even with AWS, you might discover you forgot to rotate something, and it might be because it’s non-trivial to execute
- - some systems are more difficult/time consuming to inspect against your employee and permissions list
- - ideally this is automated, but often times at a startup, you might not have fully automated authorization and access control, such that when employees change teams or leave the company, that you get notified and don’t miss it
- - auditors will ask you to show live some examples of past alerts and that someone handled it
- - auditors will often ask you to show live that these alerts are consistently configured for all your production system —- startups might not have the alerting and PagerDuty-like setup be fully automated (e.g. with Terraform)petcat
There are typically two soc2 reports generated from an audit. The first is the one for general use, often just shared publicly. This is probably what you look at from public companies that you have no binding relationship with. The other is the restricted use report which details all the findings and controls. That is typically only shared under NDA.
mgraczyk
I haven't seen that and all the reports I got were under nda
RIMR
>it's difficult for me to understand the outrage.
It's pretty simple. Compliance is legally important, and faking compliance exposes companies to extraordinary legal liability. Being lied to about your compliance warrants outrage.
>SOC2 is basically fake
This isn't true, but if it were, it would justify outrage in its own right.
mgraczyk
I don't understand in what sense they faked the process. What I've heard described is substantially similar to other SOC2 processes I've seen
And yes SOC2 is fake. Have you ever heard of a startup failing to get soc2 or doing more than a few hours of work to get into compliance?
SanjayMehta
Orwellian memory hole engaged.
blast
friday news dump tho
your_challenger
I mean this is not the first time a YC company has stolen an open source project.
jazzpush2
Pretty disgusting behavior from the founders just posting as normal on linkedin/twitter as if this is run-of-the-mill. Fraudsters need to be nipped in the bud, lest we get trump-like scenarios.
getverdict
[dead]
mt18
[dead]
dfordp11
[dead]
bongripper
[dead]
ewuhic
[dead]
Devasta
YC invests in military startups, they have no problem killing people if it would make them money. What makes a fake HIPPA compliance cert worse than that?
Bratmon
Fairly inevitable. Like all YC companies, they were total frauds, but they made the cardinal mistake of defrauding other YC companies instead of the general public. Bad move.
whoknowsidont
This thread is going to use very dressed up and lofty language discussing the issue, in order for the express purpose of dancing around the fundamental issue here.
Y Combinator as a concept, and all of its "children" are rotten to the core.
Every single company is "evil" in some form, and not in the usual "private companies are big baddies" kind of way. They grossly and recklessly violate laws and ethical boundaries day in and day out.
The sooner people are even willing to entertain this, the sooner we can have actual conversation around these issues.
I'm getting the impression that a lot of people in this thread think this is because they violated an open-source license and saying things to the effect of, "they're just the ones who got caught". I also thought that was the scandal initially. (And when it comes to license violations, yes, there's absolutely more where that came from.)
But that's just the cherry on top. I don't think they're being thrown out because they violated a license. There are really serious fraud allegations. Allegedly they were rubber-stamping noncompliant customers, leaving them exposed to potential criminal liability under regulations like HIPPA.
https://deepdelver.substack.com/p/delve-fake-compliance-as-a...
I've only skimmed this so I do not endorse these allegations, but I think it's context missing from this discussion.