I'm getting the impression that a lot of people in this thread think this is because they violated an open-source license and saying things to the effect of, "they're just the ones who got caught". I also thought that was the scandal initially. (And when it comes to license violations, yes, there's absolutely more where that came from.)
But that's just the cherry on top. I don't think they're being thrown out because they violated a license. There are really serious fraud allegations. Allegedly they were rubber-stamping noncompliant customers, leaving them exposed to potential criminal liability under regulations like HIPPA.
>Pre-written audit conclusions. The "Independent Service Auditor's Report" and all test conclusions were already filled in before clients had even submitted their company descriptions...
>Copy-paste templates. 493 out of 494 leaked SOC 2 reports (99.8%) had identical text, same grammatical errors, same nonsensical descriptions...
There's an excellent podcast and writeup on this from Patrick mcKenzie, which explains the story in more detail, including an interpretation of their statement and background on why this is a scandal in the first place.
I came across a top tier compliance auditor doing the same thing recently. I tried to talk to them about it and rather than approaching this from a constructive point of view they wanted to know the name of the company that got certified so they could decertify them and essentially asked me to break my NDA. That wasn't going to happen, I wanted to have a far more structural conversation about this and how they probably ended up missing some major items (such as: having non-technical auditors). They weren't interested. They were not at all interested in improving their processes, they were only interested in protecting their reputation.
I'm seriously disgusted about this because this was one of the very few auditors that we held in pretty high esteem.
Pay-to-play is all too common, and I think that there is a baked in conflict of interest in the whole model.
Yes. But I'm not working at either company and I'm 99.9% sure that it would lead to absolutely nothing other than a lot of misery for myself. The NDA's I sign have some pretty stiff penalties attached. I was actually hoping to see my trust in the auditing company confirmed and I'm still more than a little bit annoyed that they did not respond in a more constructive way.
My response however is a simple one: I used to steer (a lot of) business their way and I have stopped doing that.
Similar boat. Seen the same shenanigans being played with actors who really should know better - everything from military secrets to medical data, and absolutely YOLOing it with an audit mill. I have it on good authority that there are superuser credentials floating around for their production systems that they’ve lost track of.
And no, I won’t whistleblow either, as it would mostly be me that would face repercussions, and I am unafraid to say that I am a coward.
We choose the battles we fight, and I’d like to believe that ultimately, entropy will defeat them without me lifting a finger.
No NDA can prevent you from making protected communications about fraud, illegal activity, etc. If you have seen fraud that involves the military you can make an anonymous report to the DOD IG. If it involves medical data you can make an anonymous report to the HHS IG. Or, if you want to get rich off of it, there's another option. Happy to chat.
I've already established that it was improper. It's up to them to make the most of that knowledge and then to determine of this is a singleton or an example of a class that has more representation. In that sense it is free to them, I'm under absolutely no obligation to provide them with a service. But I'm willing to expend the time and effort required to get them to make the most of it. What I'm not going to do is to allow them to play the blame game or 'shoot the messenger'.
I didn't mean it as a criticism, I think giving them the opportunity to improve and refusing to offer a scapegoat were both standup things to do. I'm just wondering if they were ever in a position to take that opportunity.
I'd called out fraud (blatant lying in investor updates) at a VC backed startup where I was a technical co-founder, once. I emailed all the investors and presented all the evidence to them. They decided to not rock the boat and keep my charlatan co-founder. So, I left. Now, the company is slowly bleeding to death.
There are thousands of companies where the shady practices are rewarded, the companies thrive and make money for the investors. So the investors are incentivized to reward this behavior just on the chance that they are rewarded back.
Whistleblowing sinks those chances and the investors and VCs know it. It doesn' just take away the money, it even takes away the plausible deniability. They put a lot of effort to absolutely punish any whistleblower to discourage the rest. Anything for a dollar. and this is probably all you'll ever need to know about almost every VC out there. Beyond the witty "I'm rich so I'm smart" blog posts and tweets, they're very much just the "anything for a dollar" type of people.
if they touch the federal government, feel free to ping me. I can walk you through how to report to people who will actually do something about it and do so anonymously
To be fair, I’m not sure blatant lying in investor updates alone constitutes fraud. There needs to be harm (or the intent thereof) AFAIK. The other party needs to be using that information to make a decision. If you give me a dollar and then later I tell you I’m actually Beyonce, is that fraud? Or am I just a lying sonofabitch?
If I give you a dollar and you say it’s being spent wisely, Beyonce loves the product, you’re about to land Taylor Swift as pro bono public ambassador… yeah that’s fraud.
Lying in investor update was merely the tip of the iceberg. There was lots more, fabricating customer traction pre-investment, paying oneself back-pay for months spent twiddling thumbs pre-investment (before I was involved), etc.
My lesson from the whole kerfuffle was that investors (at least the ones I’d dealt with) prefer hustle over integrity and execution abilities.
It's auditing, nobody that is good at doing anything goes to auditing, unfortunately its one of those jobs. I haven't interacted with any auditor that actually understood all they were auditing, some are better than others but the average is worse than almost any other job description I have dealt with.
If you care about this stuff you need to in-house auditing and do your own audits with people who care. Then get certified by an external auditor for the paper.
You can start very lightweight with doing spec driven development with the help of AI if you're at a size where you can't afford that. It's better than nothing.
But the important part is you, as a company, should inherently care.
If you rely on an auditor feedback loop to get compliant you've already lost.
Nobody really tries to get technical people to do the work.
Like cool, it's a great idea and would potentially produce positive results if done well, but the roles pay half the engineering roles, and the interviews are stacked towards compliance frameworks.
There's very little ability to fix a large public company when HR is involved
Maybe it should be treated like on-call duty and have the load spread between existing engineers on some kind of schedule, maybe with some extra comp as incentive because it's boring and will take more effort/time in the "easy case" compared to pager duty.
Maybe that's just a goid moment to review your _policy_. About a half of our compute is exactly that, and we just don't have to do this sort of backups, that'd be silly.
We don't deal with the military though, only fintech (prime brokers and major banks, funds) some government. Plenty of certifications (have someone all site all year round),!no silliness.
But companies don't care. They don't want compliance for feel goods, they want compliance because their partners require it. They do the minimum amount required to check the box
Caring about security and comparing about some of the arbitrary hoops you have to jump through for some of these compliance regimes don’t always overlap as much as you’d expect.
I’ve been at companies where we cared deeply about security, but certain compliance things felt like gimmicks on the side. We absolutely wanted to to do the minimum required to check that box so we could get back to the real work.
You should check out the banking industry sometime if you'd like to interact with a competent auditor.
Compliance gets taken quite seriously in an industry where one of your principal regulatory bodies has the power to unilaterally absorb your business and defenestrate your entire leadership team in the middle of the night.
I've seen this up close. The regulatory bodies as a rule are understaffed, overworked and underpaid. I'm sure they'd love to do a much better job but the reality is that there are just too many ways to give them busywork allowing the real crap to go unnoticed until it is (much) too late.
Because they’re put there as a box ticking exercise without ever being given the power or resources to be able to do damage or negatively impact the bottom line of the big rule breakers. It’s just supposed to maintain the appearance of doing something without ever supporting these activities for real. For the most part they are a true Potemkin village. If the risk is diffuse (just some average Joe suckers will lose money) I wouldn’t hold my breath that anyone is controlling for real.
Usually on a Friday night. If you see a bunch of rental cars hanging out near a bank HQ on a Friday afternoon, get all your money out before the doors close. FDIC is about to wreck shop.
They do it on a Friday so they can work through the weekend and reopen the bank on Monday as a branch of a different bank which is solvent, so I wouldn't worry too much. I'd be more worried about putting my money in a fintech not regulated by FDIC or NCUA (though many contract with a "real" bank so that your money is still protected).
The industry is paid to provide a fig leaf for shady practices. Everyone knows what's going on, no one is going to do anything about it unless governments step in and give regulators more resources and more teeth, and "errors" lead to prosecutions and jail time.
None of those are likely.
This is the industry that missed Enron, WorldCom, Wirecard, Lehman, and many others.
lol strongly agree it is just cherry on top. In big tech they also copy but just copy in a smart way so I don't believe that's the reason they got removed.
YC has no problem with morally questionable behavior, many YC startups do things that are just as shady. YC is, ultimately, not responsible for what these startups choose to do. Delve’s problem is that they betrayed so many other YC companies in the process. An important value of being in YC is access to a ready-made customer base. The licensing issue is nothing compared to their fake audits but it is an affront to the YC community, hence, kicked from the community.
I’m sure if Delve has only engaged in fraudulent audits or had only resold another YC company’s product, they would have been allowed to stay, the problem is all of that combined pissed off enough other YC companies.
I think it’s partly that, but also that when you have something that is toxic, radioactive and on fire on your ship, you shove it overboard, and assess just how bad the damage was afterwards.
Scribd are quite annoying. The pitch was "the YouTube for documents" allowing stuff to be posted and shared but they tend to try and get subscription money off you to see anything unlike the likes of YouTube.
Scribd scrapes the web of all the .PDFs that it can find, then gates them behind a paywall and SEOs their way to the top of Google's rankings. That's it, that's all they do. They run a zero value tollbooth with other peoples' IP, taking advantage of users who don't have the search-fu to hunt down the documents themselves.
I think when making the claim a company is a net negative, it's necessary to explore what would have happened if the company hadn't been founded.
I find it unlikely, for example that there would not be a dominant centralized forum platform. People would have certainly started problematic communities on the dominant platform, and it's unlikely a platform with strict moderation would have gained dominance before 2015 or so. I do think a dominant player would have been established by 2015.
Do you think whatever you see as harmful about Reddit would not have occurred if the company didn't exist?
It would have happened more slowly at least, delaying the increase in populism, nihilism and depression in the Western world, the anglosphere in particular.
What traits specific to Reddit as opposed to a hypothetical generic alternative forum platform do you think are major contributors to those social trends?
Recommendation engine pushing users into ideological bubbles, public voting mechanism creating incentive for conformity which then creates purity spirals, lack of moderation.
Early Reddit had a recommended tab, but that didn't last long. The current recommendation features are relatively recent - this decade at least.
It would surprise me if the winner in that space didn't have a public voting mechanism. Digg, Reddit's early major competitor had one, and heavy-handed moderation surrounding the HD-DVD decryption key leak was one of the major inflection points that drove users from Digg to Reddit. Stricter moderation during that time period would have been a losing strategy.
This comment assumes both that Reddit is harmful and the outcomes were predictable. The former is debatable, but I am sure the latter is not true; the founders of Reddit didn't know what they were building.
They thought it was a social bookmarking thing for people to find and share blog posts. It didn't even have comments for the first half year. For two more years, self-posts only existed as a hack where the poster had to predict the post's ID to make it link to itself. User-created subreddits didn't show up until about 2.5 years after the site launched.
I’m pretty sure all endless scroll social media has been scientifically proven to be harmful. Reddit also runs a 1:1 copy of TikTok.
I don’t really care to defend the morality of extremely wealthy VC firms like YC. They know the enshittification process that happens with 100% of the companies they fund.
They could create companies with charters and ownership structures that ensure they exist to better the world and make good products as their binding guiding principals, but they choose not to.
The “I just have the arsonist the match, I didn’t tel him to strike it” approach of tech bros has caused untold damage to the world over the last 20
Years.
> You are overcomplicating this. They were ejected because they got caught.
I don't see how "they got caught doing X" is more complicated than "they got caught doing Y", but at any rate think it's worth being correct and precise in order to reason from accurate premises. If you absorb a lot of false information you'll start coming to incorrect conclusions and it'll be difficult to understand why. It took me years to unlearn all the bullshit I absorbed from when I used to spent a lot of time watching History channel documentaries.
> What for or how they got caught, does not matter.
So if they were ejected for jaywalking or for murder, that's all the same to you?
I've seen a bunch of people go on random crusades. Investigation is fun and righteous indignation is intoxicating. For certain personality types it's easy to get completely absorbed by a mystery/crime and not even realize how much time you're spending digging into it until the sun rises. Others may be intensely motivated by perceived injustice, dishonesty, or graft. Or they may feel personally cheated.
I don't know who this person is or whether they are legit but it doesn't surprise me that someone would do this.
it may be anybody. Even somebody at YC wanting to create a background to drop Delve if suppose Delve were shady and they discovered it (i really don't know anything here and am simply speculating, heard about Delve today first time, just googled and read some techcrunch article - it says Delve has 1000 clients - googled employee count - sub-50, and until it is "an Uber for auditors" i have hard time to believe that 50 Silicon Valley people can do even one compliance certification for one client, with AI or without)
Yes, the way this is being pushed online seems like there is a competitor involved. If not in the initial disclosure, then in the daily rehashing of it.
It's also still unclear to me how much fraud they actually were involved in, and how much of the fault falls on them. SOC2 Type II and ISO 27001 are not audited by them, but by actual accredited auditors (apparently mainly Accorp and Gradient), which must have been just as complicit/negligent. As customers of Delve are free to chose their auditors I'm wondering how this hasn't blown up earlier.
If there were not a manipulative competitor, if people just found fraud and abuse of open source compelling and the story was circulating organically, how would that look different? What do you observe that leads you to believe a manipulative competitor is a better hypothesis?
Someone leaked an internal Bookface chat from Garry Tan (YC CEO) saying:
We have asked Delve to leave YC.
YC is a community, not just an accelerator. The founders in our community have to trust each other, and we have to trust them. When that trust breaks down, there's really only one thing to do.
We're not going to get into the details publicly. We wish them well.
Someone doing harm to you doesn't automatically mean you wish harm to them. Not that I necessarily take what Garry says at face value but it's definitely possible to unironically take this viewpoint.
People don’t realize that the people at the top of organizations are effectively like politicians in democratic systems only the vote comes in confidence; usually manipulative, lying, and deceptive because they are inherently dependent on maintaining perception of the people they rely on and underpin their roles and power.
One way in which they do that is to ride or effectively are selected by the system for their mastery of the psychological trick of positivity and optimism that predisposes people to follow and trust, e.g., even when someone betrays you, you “wish them well.
In such systems, courage and hard lines that enforce strict rules, discipline, and principles does not provide the leaders in that system the affordances and benefits of leadership. As has been indicated, the subject behaviors are not only not novel, nor are they unique. What precipitated this current action appears to be the egregious and probably violative nature of the behavior, not the behavior itself. The veneer of perception was pierced, which is the real trigger of action.
Just use my saying what I just said above as an example, there will be people who have not even read this last paragraph and will it will have the urge to down vote what I said solely on the basis that they want to punish me, the messenger, because I’m pointing out things that are very much true and not saying it in a positive manner. It causes feelings of discomfort and especially in American society today where everything is geared towards positivity and good feelings opium, not bad feelings, even if you’re being scammed or defrauded or lied to, you have to remain positive, say things in positive ways, be “constructive”.
I don’t know if it’s sustainable because it’s such a con job at its very core, an abusive confidence trick, maintaining the perception of confidence and optimism to keep people happy and positive and optimistic regardless of red flags; however, we shall all find out one day if no one being able to deal with reality anymore if it’s not wrapped some nicety, is sustainable. Hence, “They violated us/me” but “I wish them well”. See, they are wished well, so everything is fine and we just removed the bad apple, nothing to see here, keep being positive as the telescreen instructs you to.
The ironic usage makes for compelling dialogue and comports with stereotypes about Southerners as formal/restrained. So that's what ends up on television. At least that is how I think I came about having that impression.
Yeah, I get this a lot, especially from non-southern in-laws who think it's a hoot that they've "cracked the code" and can "speak southern". Being repeatedpy stereotyped to your face gets old pretty quick.
For folks who don't know, here's the best explanation I can offer from growing up in the Atlanta area (but well outside the perimeter):
"Bless your heart" is most commonly an expression of sympathy.
Sometimes, it's sympathetic towards the hardship someone's going through (e.g. "and right after his grandma passed, bless his heart.")
Sometimes it's sympathetic to the trouble someone went through (e.g. "oh bless your heart, you didn't have to go out of your way to bring extra! Thank you so much!")
And yes, sometimes it's an expression of sympathy for the fact that life must be hard for you because of your ignorance, stubbornness, stupidity, or arrogance (or some other such stunting quality) (e.g. "and he thinks he can graduate from Tech with those grades, bless his heart," or "bless his heart, I just don't think he's ever had anyone tell him no in his entire life.")
Yeah, it's a pretty versatile phrase that's hard to explain. But it does often have a connotation of childishness or naivety, even when used sincerely.
It is often used an expression of thanks or appreciation, but I associate that more with an elder speaking to someone younger.
Most of the time, it is an genuine expression of true empathy, but it's not uncommon to be used as a passive aggressive expression of false empathy. It's that childish connotation that give it the extra bite when used passive aggressively.
And that plausible deniability, where the phrase is used in a genuine context often enough that sometimes you can't tell that someone is throwing shade, is very much a reflection of southern culture.
Source: Grew up in Georgia and North Carolina, with some family in Alabama.
That’s an oversimplification of what your parent comment said, which was someone who has betrayed your trust.
> It would be interesting if you didn't
Why? What’s interesting about it? You don’t have to actively wish harm on people who harmed you, but there’s nothing strange about not wishing them well.
You make it sound like wishing harm or wishing wellness are activities while not wishing anything is just the default passive state. To me the default posture is not indifference, but wishing wellness.
We throw around words like "interesting", which is a subtle way to say "not normal", which is a subtle way to say that that's not how we would behave and that we think that others shouldn't behave that way either. So I take back what I said about what is interesting to me, and I'll just say that I wish it was normal to wish well to others, regardless of their actions or repercussions you impose on them.
> You make it sound like wishing harm or wishing wellness are activities while not wishing anything is just the default passive state. To me the default posture is not indifference, but wishing wellness.
It looks like you've misinterpreted both what I said and what latexr said. Allow me to clarify and reorient the conversation back to the original direction...
First, neither of us is the universal subject. Your default feeling and my default feeling are not "the" default feeling. There's no such thing as "the" default feeling.
Second, nothing I or they said has anything to do with any "default passive state", because this is not a "default passive" situation. The word "betray" here is important. "Betrayal" happens actively, not passively. Feel however you want to feel about your passive default situations. This situation is different.
The only way someone can "betray" trust is by invalidating trust on purpose. If they harm you on purpose without trust, they have not betrayed any trust because there was none. If they invalidate trust accidentally, they have not "betrayed" the trust. They only "betray" your trust if you put trust in them and then they invalidate the trust intentionally.
> I'll just say that I wish it was normal to wish well to others, regardless of their actions
How very noble. Anyway, sorry Siddhartha, if someone actively "betrays" me they can go die in a fire. That has nothing to do with my "default passive" feeling about people.
I agree there's no universal default or normal. That was my point too. We are in agreement that betrayal and purposeful harmfulness don't have a default reaction. I expressed how I choose to react, and you expressed how you choose to react. Our choices don't match, and I think that's ok.
I've not read Siddhartha. I take it you didn't like it.
> You make it sound like wishing harm or wishing wellness are activities while not wishing anything is just the default passive state.
Not what I said.
> To me the default posture is not indifference, but wishing wellness.
Same here. I’m not convinced that’s the default state for everyone, though. David Foster Wallace’s “This is Water” comes to mind.
> We throw around words like "interesting", which is a subtle way to say "not normal", which is a subtle way to say that that's not how we would behave and that we think that others shouldn't behave that way either.
Sure, I get that. Though you’re still answering as if what was in question was the neutral state of “people you don’t associate with” rather than the negative state in question mentioned by your original parent comment of “someone who has wronged you”.
> I'll just say that I wish it was normal to wish well to others, regardless of their actions or repercussions you impose on them.
Interesting. No criticism on my part. My wish would rather be that we don’t wrong each other (which, crucially, requires intentionality) in the first place. And while I don’t typically wish ill on others, I don’t think it’s wrong to not wish well on those who cause harm. If you’re a despot oppressing millions of people for your own selfish benefit, I don’t really think wishing you well is a positive action.
But again, no judgement, I was trying to understand your position, so thank you for clarifying. Have a nice weekend.
No, if I believed wishes, hopes and prayers affected anything why would I waste the finite quantity of them on random people let alone people I professionally separated myself from?
As Donald Draper once said "I don't think about you at all."
If we get into it, I think that beliefs are a better abstraction that wishes. Beliefs structure relationships. How does a person believe that he relates to another person. So when I think of "wishing someone well", it's an English-language nuance that makes it an activity, but in reality it's a choice of what beliefs I hold. And, I find, the only beliefs that are a chore to carry around are those that don't serve me.
I was half-joking, but if YC has a legal issue resulting from the alleged fraud (unclear currently), kicking out the company for the lesser infraction would make more sense.
Investors aren't on the hook for the bad behavior of companies they invest in. Quite the opposite: Defrauding investors (and acquirers, and creditors) is commonly the thing that lands people like Elizabeth Holmes in prison.
Ycombinator may have financially benefited from the scam operations since the company subsequently raised funds.
Considering they do due diligence before investment and are experts in IT and legal, how could they not know what is the business model when it was the unique selling point ?
Yeah, yeah... of course, of course... like telehealth companies prescribing GLP-1 Ozempic/Wegovy where there is one doctor for 10000 patients. Totally sounds legit.
Sure, most companies could add an About section and probably put this behind them pretty quickly. They could have even hired someone like Delve to assure this kind of thing wouldn’t happen again.
But Delve themselves can’t really do any of that. They’ve screwed up on a fundamental piece of their own business model. Their core offering *is* Compliance as a Service!
How could I trust their word that they’ll ensure my company is compliant? How could I trust their word that a company I’m doing business with is compliant? They can’t even handle their own Apache 2.0 licensed works, and that’s child’s play- relatively speaking. I’m supposed to trust that they can handle PCI and HIPPA and all the rest for other companies?
This is like having a dentist who doesn’t brush and floss their own teeth. Or a building inspector working out of a moldy office suite with exposed rebar. Or an editor with a personal website full of typos and grammatical errors. It’s a dealbreaker to anyone with common sense.
Unlike Zenefits, which had (allegedly?) committed fraud for part of their business in the interest of moving faster, and then Parker came back with Rippling…
These guys’ entire and actual business model was fraud.
zenefits didnt commit fraud in the social sense they allowed people to sell real financial products without having a broker licence. its more like not wearing seatbelts than scamming people
the car was real, but there was no drivers licence. 'licence fraud' -> fraud
They've graduated 5,000+ companies, so some fraud is hard to avoid, especially with young hungry founders willing to do anything to succeed. Honestly, it's a pretty good track record that there's only been a handful of companies like this.
this is a teachable moment for yc, maybe the cost of investing in a sour apple is a lot more than half a mil, maybe there's a brand or reputational cost, even in places you least expect it right, these two seemingly had everything laid out for them by investors, did they even come up with compliance? who told them to work on that? now look what happened, it's like everyone cant get far enough fast enough now. What about their lead investor insight partners? what's that conversation like?
it's all just very strange and stupid, ironically from the the startup posing as auditors..
Every single technical auditor I've dealt with has been majorly incompetent and wanted to do things that would decrease security. And these were not some cheap bottom of the barrel companies but the big "industry leaders".
I wonder if the kind of personality that gets you on 30U30 correlates with being willing to engage in massive fraud, and being able to get away with it for a minute.
Holmes, SBF, Shkreli, Charlie Javice, Ishan Wahi...
When ambitious competitors who can't accept loss or normalcy enter into a field that's saturated with skilled rule-abiding players, they'll cheat.
Hypercompetitive fields will always surface cheaters given enough time. Then regulations pile on to fight the cheating, which makes it harder for honest people to do the good work.
We do not punish cheaters like these as much as we should.
You know, after all this time Lucas Duplan doesn't seem so bad. His hubristic sin was posing for a photo burning fake hundred dollar bills. That just seems like a random Tuesday now.
If I remember correctly, you need to be nominated by someone to be considered for the 30U30 list. Some of the people on those lists will literally run their own campaigns to get on the list, meaning that they'll pay people to nominate them, pay PR firms to run stories and campaigns. Other people do seemingly nothing, and just get nominated by legit people that admire them.
So, I'm fairly certain lists like that will attract some amount of unscrupulous narcissists.
I'd focus less on the U30 part, and more on the 30U, if that makes sense — the problem is with people who seek that sort of attention (and that 79 year old certainly qualifies as wanting that sort of attention). For those people, their businesses are a means to an end in the most cynical way possible.
Speak for yourself. I'm O18 and I don't want him in there like you claim to. Most of his base claimed to be anti-pedo until they saw the evidence in the unredacted subset of the Epstein files that Congress legally forced him to release, and now suddenly they're pro-pedo (and pro-war and pro-bombing-schoolchildren). But you be you, and make baseless evidence-free false equivalence accusations against other people to justify the rapes and legally adjudicated sexual assault and pussy grabbing by the guy you as an "O18" claim you want in there.
Great to see them take action.
I'm waiting for cambioml next. A married couple notorious for fraud that apparently relocated to ME as a result. That's outside of the terrible treatment of ripping off interviewees (see: https://www.reddit.com/r/devops/comments/1n7cdua/got_a_devop...). Won't even comment on other stories I've heard related to them screwing over employees/cofounders.
> Below are just some of the many inaccuracies in the story and then the truth.
> The Substack inaccurately said Delve relies on “Indian certification mills operating through front companies” and cannot pass legitimate audits. This too is not accurate.
At least it's not GPT but my goodness - you can definitely sense the panic. I think Karun is a little worried.
Neither. "Leaving YC" or "being removed from Y combinator" really just means you (more precisely, your YC/HN account) loses access to internal resources like bookface. This does have the knock on effect of essentially isolating you from the community. It's not entirely a punishment, it can be as simple as you are a person who isn't working on a YC company anymore, for example.
This has zero bearing on equity, which would be a different conversation. In this case, I think the YC SAFE is likely to remain as-is, unless the founders choose to return the money, or YC chooses to levy a heavier allegation of fraud (which they don't seem to have done here).
Its quite ironical and interesting at the same time, seems like there is a threshold size/impact beyond which everyone would come and save you, anything less and you will have to bear the consequences.
On the one hand the company that was selling companies pre-made “You’re hipaa compliant” pdfs was doing fraud, but on the other hand the companies that were buying “We’re hipaa compliant” pdfs that said they had implemented compliance measures that they definitely hadn’t were also doing fr
YC needs to go back to how it was. Choosing those who know what they are doing, and have been in the game for long and not blindly choose those who have graduated from tier-1 institutions. University degrees mean nothing at the end of the day.
And please stop investing in slop/wrappers. They do not solve World's problems.
I feel there has been complacency set into investing in general where investors are chasing quick money (first crypto and now AI slop) over solving hard/grueling problems that take a long time to fix but have huge returns down the line.
And we have a lot of tough problems that still need solving. AI won't magically fix that, despite being a great tool.
Yeah, used to be that a lot of companies in the batches made more or less sense, or you could at least see how they'd made sense if they managed to successfully reach their vision, even if it many times was a bit wishy-washy.
YC since then seems to have moved into a "spray and pray" approach where the ideas don't matter at all, they're 150% in on the "We invest in founders" idea now, almost too much, although I know that's always been a thing they've thought about. But all the batches since some years ago are just so uninspired and seem to be quick cash grabs, or obviously acquisition targets, rather than "solve a problem you experience yourself" which seemed to be much more popular (and realistic) before.
>choose those who have graduated from tier-1 institutions. University degrees mean nothing at the end of the day.
It means everything for YC's model.
YC does not care about the software.
They care about the founders.
YC's model and ecosystem is explicitly designed to be a who's who club of interconnected founders that are very, very encouraged to """rely""" on each other when building their companies.
YC uses a lot of double speak regarding this ecosystem, but if you explained the concept to a layman on the street they'd tell you exactly what this concept is in just a very few, very blunt words.
Elite-class founders and lots of cheap, imported, or "passionate" labor.
While I do think Delve and the leadership there should be held responsible, it's a bit weird to see YC and others take shots at them for breaking the law when so many of their prized unicorns achieved what they did by being willing to just ignore laws and deal with the consequences later.
While I agree with you, I also find myself wondering who draws the line. Given the current political atmosphere and its increasingly fluid relationship with "truth," I have to consider that the line for others may not be where it is for me — especially given the nuance buried in the details of many B2B deals.
Their value prop had to be strong enough to get past YC, past the other founders in the batch, past due diligence. Given that, I'm no longer comfortable casting "fraud" as a clean binary.
To be clear — I do genuinely believe they are a fraudulent company that lied and deserved to be removed. But introspectively, I have to sit with the fact that the space between "working around dumb regulations" and "outright fraud" is murkier than we'd like to admit.
The vast majority of crimes are still being prosecuted as such. You have to reach a certain size/notoriety and money to buy a POTUS pardon; I doubt that matters for a relatively unknown outfit like Delve.
3. Customers want to do something, you help them do it, and nobody has done it before, so whether it's legal or not is kind of up in the air.
E.G. Uber exploited a legal loophole that distinguished the kind of taxi service you hail on the street from the kind of taxi service you call on a phone.
The latter were much less regulated, and usually much more exclusive and pandering to a richer crowd. Nobody really knew which kind Uber should be classified as, it was the first kind in practice (same customer base as normal taxis) but the second in theory (ordered, not hailed).
It is clearly different because in one case you are not guilty of fraud.
Being guilty of a crime plus fraud is obviously worse than just being guilty of the crime.
Breaking the law by stealing a loaf of bread is obviously different to killing one million people but "both boil down to breaking the law" - I'm not sure that comment contains that much information.
Let me more clearly instead say that many successful startups knowingly and intentionally broke the law.
But I agree that Delve is a special case and should naturally be held to a higher standard here because their whole business is around being compliant with the law. When most other startups break the law, they do it to get an advantage over competition. Delve did it in a way that sacrificed their core value towards customers.
The difference is that Airbnb customers used Airbnb because they thought hotel regulations were dumb and overbearing (or at least, they didn't care about the laws). Delve customers were literally trying to obey the law and Delve (allegedly) lied to them about it.
There is a difference between "fake it till you make it" and "blatant widespread fraud", but the line is blurrier than many startups would like to admit.
> Ignoring a law is different from knowingly and intentionally breaking the law
This is like a line from a Naked Gun movie. The only way that this sentence could be true linguistically is if the party doesn’t break the law that they’re ignoring (e.g. I could ignore the rule against perpetuities while drunk driving through a zoo)
I think it's fairly straight forward why. It's because Delve broke the law and got other YC companies in trouble vs other industries & people not under the YC banner.
Like, it's a company that sells AI-slop powered regulatory compliance. How many laws do you think the "fake it ill you make it and you'll never make it" AI will break? But "regulatory compliance" is laws that startups hate, so breaking them is good.
Copyright and the copyleft licenses built upon it are the laws that support the software industry instead of just making sure innocent people aren't hurt by all this innovating and disrupting.
So they decide to drop this from their COO while their CEO has been doing all the talking on a friday night? Looks like YC told them they had to announce this and this was their least-viewable option.
This is where I'd actually appreciate "blog spam" i.e. a quick post to mention the URL, link to archive to show what was there before and explain the significance.
I like that this sets the precedent that if you want people on HN to believe that they’ve dropped any arbitrary company you just have to point to a convincing-looking url on the ycombinator domain and the 404 signals that you are both correct and following the rules.
"By combining the evidence I collected together with what the sim.ai team provided, I will show that Delve has stolen an open-source company’s tech by violating their license and then making a lot of money with it."
->
You mean like OpenAI, Anthropic and all these other 'unicorns'?
I'm happy we're all clear on how bad Delve is but in essence what they were doing is exactly the same as what these AI companies do.
While I despise the sham commercial LLMs have made out of intellectual property, I think Delve is one step worse than that. The technology behind LLMs is innovative, even if the data used to train them have ethically and legally dubious origins. Delve doesn’t even have the ability to claim anything they’ve done as original, unless you count fraud as a service.
The only thing that makes delve worse in my book is that they're selling compliance, they have zero excuses. But the likes of OpenAI and Anthropic even if they don't sell compliance do whitewash bulk copyright violations and they have valuations far in excess of Delve. Too big to fail I guess.
Having gone through the SOC2 process multiple times and having worked with and read SOC2 reports from many public companies, it's difficult for me to understand the outrage.
The specific fraud allegations are bad (lying about US based auditors) but it's completely normal and common for soc2 reports to be templates with no company specific information. It would be unusual for reports to include anything about the specific information found during an observation window as some have suggested.
SOC2 is basically fake and it isn't possible in practice to fail to be compliant. You really can apply the same template to all companies and automate the audit process.
We have done SOC2 and it's not fake. Its real and enforced some good practices and we spent a lot of time collecting evidence and submitting it. You can take it seriously or you can choose not to.
A startup might have trouble with, and might not have enough automation for:
- proving churned customer data was deleted completely and within the agreed-on period of time
- - not enough to have a record
- - auditors will ask you to prove the data is not laying around
- proving all changes shipped are reviewed and linked to tracked work
- proving branch rules are set to require PRs and prohibit changing history on release/trunk branches
- - auditors will ask you to show live that you can’t approve your own changes
- - some auditors might ask you for an audit log to prove no unexpected branch rule changes occurred —- depending on the observation period, you might have to build your own audit log capture to prove this
- proving you performed penetration testing
- proving you performed a disaster recovery test in production with the frequency you claim (e.g. annually)
- - running a DR test might be more than a few hours depending on your data size and level of infra automation
- - this is often something that startups are ready to execute, but don’t invest a lot of time automating
- proving you have and enforce full-disk-encryption on all your employee laptops
- - this is automated with MDM but a startup might not be running an MDM yet
- proving you are rotating credentials on the frequency you ascribe to in your policies
- - automated reports are available for some credentials, e.g. AWS keys, but takes more work for smaller vendors
- - even with AWS, you might discover you forgot to rotate something, and it might be because it’s non-trivial to execute
- perform quarterly access reviews
- - some systems are more difficult/time consuming to inspect against your employee and permissions list
- - ideally this is automated, but often times at a startup, you might not have fully automated authorization and access control, such that when employees change teams or leave the company, that you get notified and don’t miss it
- proving that you act on performance or reliability alerts
- - auditors will ask you to show live some examples of past alerts and that someone handled it
- - auditors will often ask you to show live that these alerts are consistently configured for all your production system —- startups might not have the alerting and PagerDuty-like setup be fully automated (e.g. with Terraform)
There are typically two soc2 reports generated from an audit. The first is the one for general use, often just shared publicly. This is probably what you look at from public companies that you have no binding relationship with. The other is the restricted use report which details all the findings and controls. That is typically only shared under NDA.
It's pretty simple. Compliance is legally important, and faking compliance exposes companies to extraordinary legal liability. Being lied to about your compliance warrants outrage.
>SOC2 is basically fake
This isn't true, but if it were, it would justify outrage in its own right.
The headline here says "Delve removed from Y Combinator", but the link doesn't go to a statement by Y Combinator. It goes to a 404.
Is there reason to believe that Delve has been removed from Y Combinator, the organization, or is this more an announcement that Delve has been removed from Y Combinator's website?
Interesting! I worked for one YC startup that committed blatant fraud, with the founders vanishing when investors started chasing them to bring them to responsibility. And they haven't been removed. Just marked as "inactive".
Nope. Founders just disappeared with whatever money was left.
They claimed to have a working product and a big list of paying clients while in fact they had a half-assed prototype written by one hapless dude who they paid to the tune of $15 an hour. Which i helped to transform into a somewhat-better prototype and they paid very well for it. But no actual paying clients ever existed and the idea was obviously brain-dead from day one. After they got tired of pretending, they stopped paying, then disappeared. Then years later i read in the news that subsequent investors launched an investigation into fraud and they were put on the list in some countries.
I'm sure no one except themselves ever made any money on it, certainly not YC.
Pretty disgusting behavior from the founders just posting as normal on linkedin/twitter as if this is run-of-the-mill. Fraudsters need to be nipped in the bud, lest we get trump-like scenarios.
YC invests in military startups, they have no problem killing people if it would make them money. What makes a fake HIPPA compliance cert worse than that?
Fairly inevitable. Like all YC companies, they were total frauds, but they made the cardinal mistake of defrauding other YC companies instead of the general public. Bad move.
This thread is going to use very dressed up and lofty language discussing the issue, in order for the express purpose of dancing around the fundamental issue here.
Y Combinator as a concept, and all of its "children" are rotten to the core.
Every single company is "evil" in some form, and not in the usual "private companies are big baddies" kind of way. They grossly and recklessly violate laws and ethical boundaries day in and day out.
The sooner people are even willing to entertain this, the sooner we can have actual conversation around these issues.
But that's just the cherry on top. I don't think they're being thrown out because they violated a license. There are really serious fraud allegations. Allegedly they were rubber-stamping noncompliant customers, leaving them exposed to potential criminal liability under regulations like HIPPA.
https://deepdelver.substack.com/p/delve-fake-compliance-as-a...
I've only skimmed this so I do not endorse these allegations, but I think it's context missing from this discussion.
>Pre-written audit conclusions. The "Independent Service Auditor's Report" and all test conclusions were already filled in before clients had even submitted their company descriptions...
>Copy-paste templates. 493 out of 494 leaked SOC 2 reports (99.8%) had identical text, same grammatical errors, same nonsensical descriptions...
https://www.complexsystemspodcast.com/episodes/delve-into-co...
I'm seriously disgusted about this because this was one of the very few auditors that we held in pretty high esteem.
Pay-to-play is all too common, and I think that there is a baked in conflict of interest in the whole model.
My response however is a simple one: I used to steer (a lot of) business their way and I have stopped doing that.
And no, I won’t whistleblow either, as it would mostly be me that would face repercussions, and I am unafraid to say that I am a coward.
We choose the battles we fight, and I’d like to believe that ultimately, entropy will defeat them without me lifting a finger.
There are thousands of companies where the shady practices are rewarded, the companies thrive and make money for the investors. So the investors are incentivized to reward this behavior just on the chance that they are rewarded back.
Whistleblowing sinks those chances and the investors and VCs know it. It doesn' just take away the money, it even takes away the plausible deniability. They put a lot of effort to absolutely punish any whistleblower to discourage the rest. Anything for a dollar. and this is probably all you'll ever need to know about almost every VC out there. Beyond the witty "I'm rich so I'm smart" blog posts and tweets, they're very much just the "anything for a dollar" type of people.
My lesson from the whole kerfuffle was that investors (at least the ones I’d dealt with) prefer hustle over integrity and execution abilities.
You can start very lightweight with doing spec driven development with the help of AI if you're at a size where you can't afford that. It's better than nothing.
But the important part is you, as a company, should inherently care.
If you rely on an auditor feedback loop to get compliant you've already lost.
It has the potential to be incredibly impactful, but often devolves into box ticking (like many compliance functions).
And it's really hard to find technical people to do the work, as it's generally perceived as a cost centre so tends not to get budget.
Like cool, it's a great idea and would potentially produce positive results if done well, but the roles pay half the engineering roles, and the interviews are stacked towards compliance frameworks.
There's very little ability to fix a large public company when HR is involved
I do agree that the pay isn't great, but it's the fact that it's considered a cost centre that's been the issue for me.
So many controls are dubious, sometimes even actively harmful for some set-ups/situations.
And even moreso, it's also perfectly feasible to pass the gates with a burning pile of trash.
We don't deal with the military though, only fintech (prime brokers and major banks, funds) some government. Plenty of certifications (have someone all site all year round),!no silliness.
Ook goeiemorgen...
I’ve been at companies where we cared deeply about security, but certain compliance things felt like gimmicks on the side. We absolutely wanted to to do the minimum required to check that box so we could get back to the real work.
Compliance gets taken quite seriously in an industry where one of your principal regulatory bodies has the power to unilaterally absorb your business and defenestrate your entire leadership team in the middle of the night.
I've seen this up close. The regulatory bodies as a rule are understaffed, overworked and underpaid. I'm sure they'd love to do a much better job but the reality is that there are just too many ways to give them busywork allowing the real crap to go unnoticed until it is (much) too late.
None of those are likely.
This is the industry that missed Enron, WorldCom, Wirecard, Lehman, and many others.
Don't get me started. That hasn't even properly ended yet, the fall-out is continuing to today.
I’m sure if Delve has only engaged in fraudulent audits or had only resold another YC company’s product, they would have been allowed to stay, the problem is all of that combined pissed off enough other YC companies.
Formally they might not be (depends on the case), but morally they are.
Of course they're responsible for their investments; they're just not liable. YC has a lot to answer for in the damage it's wreaked over the years.
What damage is that? (excluding the present case)
That seems to be an introspective question.
They should pretty much die in a grease fire.
I find it unlikely, for example that there would not be a dominant centralized forum platform. People would have certainly started problematic communities on the dominant platform, and it's unlikely a platform with strict moderation would have gained dominance before 2015 or so. I do think a dominant player would have been established by 2015.
Do you think whatever you see as harmful about Reddit would not have occurred if the company didn't exist?
It would surprise me if the winner in that space didn't have a public voting mechanism. Digg, Reddit's early major competitor had one, and heavy-handed moderation surrounding the HD-DVD decryption key leak was one of the major inflection points that drove users from Digg to Reddit. Stricter moderation during that time period would have been a losing strategy.
The corporate shield for accountability is so annoying in this way. Nobody’s ever responsible for things that they did as human beings.
They thought it was a social bookmarking thing for people to find and share blog posts. It didn't even have comments for the first half year. For two more years, self-posts only existed as a hack where the poster had to predict the post's ID to make it link to itself. User-created subreddits didn't show up until about 2.5 years after the site launched.
I don’t really care to defend the morality of extremely wealthy VC firms like YC. They know the enshittification process that happens with 100% of the companies they fund.
They could create companies with charters and ownership structures that ensure they exist to better the world and make good products as their binding guiding principals, but they choose not to.
More fun with this subject: https://theonion.com/sam-altman-if-i-dont-end-the-world-some...
The delusions people establish to feel better about their or someone else they like mistakes...
That's not the right metaphor here.
I don't see how "they got caught doing X" is more complicated than "they got caught doing Y", but at any rate think it's worth being correct and precise in order to reason from accurate premises. If you absorb a lot of false information you'll start coming to incorrect conclusions and it'll be difficult to understand why. It took me years to unlearn all the bullshit I absorbed from when I used to spent a lot of time watching History channel documentaries.
> What for or how they got caught, does not matter.
So if they were ejected for jaywalking or for murder, that's all the same to you?
I don't know who this person is or whether they are legit but it doesn't surprise me that someone would do this.
It's also still unclear to me how much fraud they actually were involved in, and how much of the fault falls on them. SOC2 Type II and ISO 27001 are not audited by them, but by actual accredited auditors (apparently mainly Accorp and Gradient), which must have been just as complicit/negligent. As customers of Delve are free to chose their auditors I'm wondering how this hasn't blown up earlier.
I have no direct knowledge of the accuracy of any of this. This is not my account.
That may not automatically mean you wish them harm in return, but I believe it would be very uncommon to not.
One way in which they do that is to ride or effectively are selected by the system for their mastery of the psychological trick of positivity and optimism that predisposes people to follow and trust, e.g., even when someone betrays you, you “wish them well.
In such systems, courage and hard lines that enforce strict rules, discipline, and principles does not provide the leaders in that system the affordances and benefits of leadership. As has been indicated, the subject behaviors are not only not novel, nor are they unique. What precipitated this current action appears to be the egregious and probably violative nature of the behavior, not the behavior itself. The veneer of perception was pierced, which is the real trigger of action.
Just use my saying what I just said above as an example, there will be people who have not even read this last paragraph and will it will have the urge to down vote what I said solely on the basis that they want to punish me, the messenger, because I’m pointing out things that are very much true and not saying it in a positive manner. It causes feelings of discomfort and especially in American society today where everything is geared towards positivity and good feelings opium, not bad feelings, even if you’re being scammed or defrauded or lied to, you have to remain positive, say things in positive ways, be “constructive”.
I don’t know if it’s sustainable because it’s such a con job at its very core, an abusive confidence trick, maintaining the perception of confidence and optimism to keep people happy and positive and optimistic regardless of red flags; however, we shall all find out one day if no one being able to deal with reality anymore if it’s not wrapped some nicety, is sustainable. Hence, “They violated us/me” but “I wish them well”. See, they are wished well, so everything is fine and we just removed the bad apple, nothing to see here, keep being positive as the telescreen instructs you to.
Kinda like "bless your heart", which means nothing of the sort.
For folks who don't know, here's the best explanation I can offer from growing up in the Atlanta area (but well outside the perimeter):
"Bless your heart" is most commonly an expression of sympathy.
Sometimes, it's sympathetic towards the hardship someone's going through (e.g. "and right after his grandma passed, bless his heart.")
Sometimes it's sympathetic to the trouble someone went through (e.g. "oh bless your heart, you didn't have to go out of your way to bring extra! Thank you so much!")
And yes, sometimes it's an expression of sympathy for the fact that life must be hard for you because of your ignorance, stubbornness, stupidity, or arrogance (or some other such stunting quality) (e.g. "and he thinks he can graduate from Tech with those grades, bless his heart," or "bless his heart, I just don't think he's ever had anyone tell him no in his entire life.")
It is often used an expression of thanks or appreciation, but I associate that more with an elder speaking to someone younger.
Most of the time, it is an genuine expression of true empathy, but it's not uncommon to be used as a passive aggressive expression of false empathy. It's that childish connotation that give it the extra bite when used passive aggressively.
And that plausible deniability, where the phrase is used in a genuine context often enough that sometimes you can't tell that someone is throwing shade, is very much a reflection of southern culture.
Source: Grew up in Georgia and North Carolina, with some family in Alabama.
My comment is an internet comment about idioms, not a comprehensive linguistic treatise.
You seem like you're looking for something to be upset about. I wish you well.
Trump On Ghislaine Maxwell: "I Just Wish Her Well" | NBC News
https://www.youtube.com/watch?v=jC2jsRrzCrs
That’s an oversimplification of what your parent comment said, which was someone who has betrayed your trust.
> It would be interesting if you didn't
Why? What’s interesting about it? You don’t have to actively wish harm on people who harmed you, but there’s nothing strange about not wishing them well.
We throw around words like "interesting", which is a subtle way to say "not normal", which is a subtle way to say that that's not how we would behave and that we think that others shouldn't behave that way either. So I take back what I said about what is interesting to me, and I'll just say that I wish it was normal to wish well to others, regardless of their actions or repercussions you impose on them.
It looks like you've misinterpreted both what I said and what latexr said. Allow me to clarify and reorient the conversation back to the original direction...
First, neither of us is the universal subject. Your default feeling and my default feeling are not "the" default feeling. There's no such thing as "the" default feeling.
Second, nothing I or they said has anything to do with any "default passive state", because this is not a "default passive" situation. The word "betray" here is important. "Betrayal" happens actively, not passively. Feel however you want to feel about your passive default situations. This situation is different.
The only way someone can "betray" trust is by invalidating trust on purpose. If they harm you on purpose without trust, they have not betrayed any trust because there was none. If they invalidate trust accidentally, they have not "betrayed" the trust. They only "betray" your trust if you put trust in them and then they invalidate the trust intentionally.
> I'll just say that I wish it was normal to wish well to others, regardless of their actions
How very noble. Anyway, sorry Siddhartha, if someone actively "betrays" me they can go die in a fire. That has nothing to do with my "default passive" feeling about people.
I've not read Siddhartha. I take it you didn't like it.
Not what I said.
> To me the default posture is not indifference, but wishing wellness.
Same here. I’m not convinced that’s the default state for everyone, though. David Foster Wallace’s “This is Water” comes to mind.
> We throw around words like "interesting", which is a subtle way to say "not normal", which is a subtle way to say that that's not how we would behave and that we think that others shouldn't behave that way either.
Sure, I get that. Though you’re still answering as if what was in question was the neutral state of “people you don’t associate with” rather than the negative state in question mentioned by your original parent comment of “someone who has wronged you”.
> I'll just say that I wish it was normal to wish well to others, regardless of their actions or repercussions you impose on them.
Interesting. No criticism on my part. My wish would rather be that we don’t wrong each other (which, crucially, requires intentionality) in the first place. And while I don’t typically wish ill on others, I don’t think it’s wrong to not wish well on those who cause harm. If you’re a despot oppressing millions of people for your own selfish benefit, I don’t really think wishing you well is a positive action.
But again, no judgement, I was trying to understand your position, so thank you for clarifying. Have a nice weekend.
As Donald Draper once said "I don't think about you at all."
What makes you say that wishes are finite? Do you ration them out to your loved ones?
Considering they do due diligence before investment and are experts in IT and legal, how could they not know what is the business model when it was the unique selling point ?
But Delve themselves can’t really do any of that. They’ve screwed up on a fundamental piece of their own business model. Their core offering *is* Compliance as a Service!
How could I trust their word that they’ll ensure my company is compliant? How could I trust their word that a company I’m doing business with is compliant? They can’t even handle their own Apache 2.0 licensed works, and that’s child’s play- relatively speaking. I’m supposed to trust that they can handle PCI and HIPPA and all the rest for other companies?
This is like having a dentist who doesn’t brush and floss their own teeth. Or a building inspector working out of a moldy office suite with exposed rebar. Or an editor with a personal website full of typos and grammatical errors. It’s a dealbreaker to anyone with common sense.
Unlike Zenefits, which had (allegedly?) committed fraud for part of their business in the interest of moving faster, and then Parker came back with Rippling…
These guys’ entire and actual business model was fraud.
the car was real, but there was no drivers licence. 'licence fraud' -> fraud
delve is an actual scam
If you can't trust your batch mates for something as crucial as compliance, the model doesn't work.
They scaled up massively the size of each batch and their frequency to a point where they are incapable of auditing them.
it's all just very strange and stupid, ironically from the the startup posing as auditors..
Shows the “compliance theatre” of what SOC2 has become
Every single technical auditor I've dealt with has been majorly incompetent and wanted to do things that would decrease security. And these were not some cheap bottom of the barrel companies but the big "industry leaders".
That looks like what happened here.
https://www.forbes.com/profile/delve/
30U30 never ceases to amaze.
Holmes, SBF, Shkreli, Charlie Javice, Ishan Wahi...
Hypercompetitive fields will always surface cheaters given enough time. Then regulations pile on to fight the cheating, which makes it harder for honest people to do the good work.
We do not punish cheaters like these as much as we should.
Karma and integrity seem to be treated as an overdraft. But these folks are hardly held back by the systems they work in.
colour me surprised
people still seem to think that forbes scouts the world for the best talents instead of the lists being basically a paid ad
So, I'm fairly certain lists like that will attract some amount of unscrupulous narcissists.
https://30u30.fyi/
Not "Pay2Win" but possibly something less involved
Forbes MOST WANTED
https://delve.co/blog/response-to-misleading-claims
> Below are just some of the many inaccuracies in the story and then the truth.
> The Substack inaccurately said Delve relies on “Indian certification mills operating through front companies” and cannot pass legitimate audits. This too is not accurate.
At least it's not GPT but my goodness - you can definitely sense the panic. I think Karun is a little worried.
This has zero bearing on equity, which would be a different conversation. In this case, I think the YC SAFE is likely to remain as-is, unless the founders choose to return the money, or YC chooses to levy a heavier allegation of fraud (which they don't seem to have done here).
And I don't think this is just not "getting locked out of the website", but losing the YC "nod" is a greater deal in itself
Good riddance to bad rubbish.
https://delve.co/blog/delve-sets-the-record-straight-on-anon...
https://www.ycombinator.com/companies/?query=delve
And please stop investing in slop/wrappers. They do not solve World's problems.
I feel there has been complacency set into investing in general where investors are chasing quick money (first crypto and now AI slop) over solving hard/grueling problems that take a long time to fix but have huge returns down the line.
And we have a lot of tough problems that still need solving. AI won't magically fix that, despite being a great tool.
YC since then seems to have moved into a "spray and pray" approach where the ideas don't matter at all, they're 150% in on the "We invest in founders" idea now, almost too much, although I know that's always been a thing they've thought about. But all the batches since some years ago are just so uninspired and seem to be quick cash grabs, or obviously acquisition targets, rather than "solve a problem you experience yourself" which seemed to be much more popular (and realistic) before.
It means everything for YC's model.
YC does not care about the software.
They care about the founders.
YC's model and ecosystem is explicitly designed to be a who's who club of interconnected founders that are very, very encouraged to """rely""" on each other when building their companies.
YC uses a lot of double speak regarding this ecosystem, but if you explained the concept to a layman on the street they'd tell you exactly what this concept is in just a very few, very blunt words.
Elite-class founders and lots of cheap, imported, or "passionate" labor.
Let's get real here folks.
yc is explicitly an imitation of harvard , right down to calling people 'alumni'
this is how to find supertalent. much like american idol it works well but not for everyone
Their value prop had to be strong enough to get past YC, past the other founders in the batch, past due diligence. Given that, I'm no longer comfortable casting "fraud" as a clean binary.
To be clear — I do genuinely believe they are a fraudulent company that lied and deserved to be removed. But introspectively, I have to sit with the fact that the space between "working around dumb regulations" and "outright fraud" is murkier than we'd like to admit.
...is breaking the law
1. Customers want to do something, you help them do it, but it's illegal.
2. Customers want to do something, you tell them you did it, but you were lying and defrauding them.
3. Customers want to do something, you help them do it, and nobody has done it before, so whether it's legal or not is kind of up in the air.
E.G. Uber exploited a legal loophole that distinguished the kind of taxi service you hail on the street from the kind of taxi service you call on a phone.
The latter were much less regulated, and usually much more exclusive and pandering to a richer crowd. Nobody really knew which kind Uber should be classified as, it was the first kind in practice (same customer base as normal taxis) but the second in theory (ordered, not hailed).
It is clearly different because in one case you are not guilty of fraud.
Being guilty of a crime plus fraud is obviously worse than just being guilty of the crime.
Breaking the law by stealing a loaf of bread is obviously different to killing one million people but "both boil down to breaking the law" - I'm not sure that comment contains that much information.
Also, there was no “endgame.” They weren’t trying to change the law; they were exclusively breaking it for profit.
But I agree that Delve is a special case and should naturally be held to a higher standard here because their whole business is around being compliant with the law. When most other startups break the law, they do it to get an advantage over competition. Delve did it in a way that sacrificed their core value towards customers.
this will literally get them in court
This is something Airbnb has facilitated for a very long time, no? And Uber, back when it started.
From a legal perspective I don’t see that it matters whether you’re trying to change the law or not. You’re either following it or breaking it.
In reality, it makes quite a difference if public opinion is on your side or not.
“We decided to commit fraud by providing fake compliance reports” reads very differently from “we let homeowners make money by renting a room”
Huh? In a legal sense I'm pretty sure they're the same thing.
How and why matters, though.
How and why you break a law matters (to a judge / jury). Whether you frame it as "ignoring" vs "breaking" in your legal defense, not so much.
> I ignore the law every day when I jaywalk.
Means the exact same thing as “I intentionally break jaywalking laws every day”. They are equivalent sentences.
Not illegal here, but I hope you not complain when caught and fined.
Including people doing it in front of police. Including the police themselves!
The law only existed for police to harass and fine blacks and Latinos. And indeed, that was how it was struck down.
It is critical to a just society that victims of unjust laws or uneven enforcement complain!
This is like a line from a Naked Gun movie. The only way that this sentence could be true linguistically is if the party doesn’t break the law that they’re ignoring (e.g. I could ignore the rule against perpetuities while drunk driving through a zoo)
Like, it's a company that sells AI-slop powered regulatory compliance. How many laws do you think the "fake it ill you make it and you'll never make it" AI will break? But "regulatory compliance" is laws that startups hate, so breaking them is good.
Copyright and the copyleft licenses built upon it are the laws that support the software industry instead of just making sure innocent people aren't hurt by all this innovating and disrupting.
Anderson Consulting er I mean "Accenture": "Hey, that's our job!"
PWC: "Yeah! Fuck off!"
KPMG: "Damn straight!"
Ernst & Young: "What they said."
Deloitte & Touche: "Ditto."
( https://en.wikipedia.org/wiki/Accounting_scandals#List_of_th... )
"delve removed from y combinator" removed from y combinator
Notably YC hasn't wished them a farewell.
Why do all start-ups say this? I don't think there are many companies publicly saying "We're going to go 'scorched earth' on everybody."
Saying it in 2026 just makes it sound more insincere than usual.
> One interesting observation I’ve noticed is a lot of top founders did oddly strong at math from a young age.
https://x.com/kocalars/status/2027076198002553159
Nauseating.
who got these kids into compliance? cause it wasn't them
->
You mean like OpenAI, Anthropic and all these other 'unicorns'?
I'm happy we're all clear on how bad Delve is but in essence what they were doing is exactly the same as what these AI companies do.
I'd wager there's some prior art...
The specific fraud allegations are bad (lying about US based auditors) but it's completely normal and common for soc2 reports to be templates with no company specific information. It would be unusual for reports to include anything about the specific information found during an observation window as some have suggested.
SOC2 is basically fake and it isn't possible in practice to fail to be compliant. You really can apply the same template to all companies and automate the audit process.
- proving churned customer data was deleted completely and within the agreed-on period of time
- proving all changes shipped are reviewed and linked to tracked work- proving branch rules are set to require PRs and prohibit changing history on release/trunk branches
- proving you performed penetration testing- proving you performed a disaster recovery test in production with the frequency you claim (e.g. annually)
- proving you have and enforce full-disk-encryption on all your employee laptops - proving you are rotating credentials on the frequency you ascribe to in your policies - perform quarterly access reviews - proving that you act on performance or reliability alertsIt's pretty simple. Compliance is legally important, and faking compliance exposes companies to extraordinary legal liability. Being lied to about your compliance warrants outrage.
>SOC2 is basically fake
This isn't true, but if it were, it would justify outrage in its own right.
And yes SOC2 is fake. Have you ever heard of a startup failing to get soc2 or doing more than a few hours of work to get into compliance?
Is there reason to believe that Delve has been removed from Y Combinator, the organization, or is this more an announcement that Delve has been removed from Y Combinator's website?
The only next product launch is an investigation.
Post now seems deleted.....
Well, can see why...if its fraud you only post it when results of investigation by 3rd party is in due to defame concerns...
They claimed to have a working product and a big list of paying clients while in fact they had a half-assed prototype written by one hapless dude who they paid to the tune of $15 an hour. Which i helped to transform into a somewhat-better prototype and they paid very well for it. But no actual paying clients ever existed and the idea was obviously brain-dead from day one. After they got tired of pretending, they stopped paying, then disappeared. Then years later i read in the news that subsequent investors launched an investigation into fraud and they were put on the list in some countries.
I'm sure no one except themselves ever made any money on it, certainly not YC.
Y Combinator as a concept, and all of its "children" are rotten to the core.
Every single company is "evil" in some form, and not in the usual "private companies are big baddies" kind of way. They grossly and recklessly violate laws and ethical boundaries day in and day out.
The sooner people are even willing to entertain this, the sooner we can have actual conversation around these issues.