I Got Rejected from Y Combinator

Captions
Welcome to DogeLog, index eight. This is a series where I share the business and development process of taking a project I started as a joke called DogeHouse and turning it into a billion-dollar unicorn company that is going to the moon. For a little bit now, when starting a startup, the best place to go has been Y Combinator, and also therapy. It's an accelerator with a very good track record, and when you have YC or YC alum in your bio, you instantly earn respect with anyone wearing Allbirds or a Patagonia vest, which can be very valuable. Given that I'm not an ex-Googler, an ex-Facebooker, or an ex-millionaire, my bio has been looking quite weak lately. I know, I've had a pretty rough life. So for a hot minute I thought becoming a YC alum would be the solution, and for a while now I've been a low-key YC-sexual. Anyway, this is something that affects a lot of young individuals. If you're self-conscious about it, you can treat it by reducing your Hacker News intake and avoiding your friends that went through YC and now own a yacht.

Long story short, I applied to YC with DogeHouse, and this week I received the email officially rejecting me. They don't give any personal feedback, but if I were to pretend to be a YC reviewer, I would reject DogeHouse for three reasons. First, it has a solo founder, and startups are more likely to succeed with co-founders. Secondly, the idea of DogeHouse is what Paul Graham would consider a derivative idea, which is one of the 18 mistakes that kill startups. Third, I'm a cat person and I don't like doges. Now, those of you that have been following along with the DogeLog know that this doesn't really change anything, except for my self-esteem, because two weeks ago I decided that I'm not going to raise any money for the project. That way I could rage quit it whenever I wanted. But I still wanted to share an update, because heck, Ben Awad got rejected again, and he needed some kind of explanation for why his bio is lacking so many keywords.

Moving on to the oopsie of the week: I have a very basic avatar URL exploit to share with you that's kind of related to social logins. A lot of people have asked why you can only log into DogeHouse using social logins like GitHub and Twitter, and not username and password. I did this for two reasons. Number one is for spam protection: you can only create so many GitHub accounts until their spam system starts to block you, and therefore you can only create so many DogeHouse accounts. Number two, I wanted avatars, and all the OAuth providers give you avatars; they also have reporting systems in place that make sure people don't put naked bodies as their profile images. I'm going to eventually set up my own system, but it saves me time to use social logins for now so I can work on other features, and I can come back, set up my own login system later, and do all that fun stuff with spam protection.

Now, of course, people want to be able to change their avatars, so I made a compromise and let them change the URL to where they want their avatar to come from. I had a regular expression on it so people could only set URLs from Twitter, GitHub, and Discord, because if you let any URL be set, bad things can happen, and I'm not just talking about inappropriate images. We've been making a lot of changes to the API, and somewhere along the way the validation to check the URLs stopped being applied, and the test checking to make sure you can't pass an invalid URL disappeared. I wish I was kidding, but I'm not. This resulted in somebody setting their profile image to a URL on a server they owned, so whenever I joined a room, for example, with them, my browser would make a request to their server to get their avatar. The bad part is their server was logging the IP address of every request that came in, so all they needed to do was join a room, and then all the people's computers in that room would make a request to their server, and he would then have the IP of everyone in the room, which is not good. I don't think they had malicious intent; they said they deleted the entire list of IPs once it got patched. But the moral of the story is: all the images that you load on your website, you should either be hosting, proxying, or have a whitelist of accepted URLs that you know are legit. I'm just hoping the next oops of the week, like, we get hacked in a more elegant manner.

I want to now respond to some comments regarding IP bans. One consideration is that most IP addresses are dynamic nowadays, especially on mobile devices. An IP ban shouldn't last more than a day or so; otherwise other users might get the ban when IPs rotate and wouldn't know why. Currently we don't do any IP bans on a site-wide level, and I don't have any plans to do so. A room creator can IP ban somebody, and it will last the duration of the room and is only scoped to that room. So I think the situation is going to be pretty rare where someone's IP changes that got IP banned, and then another person happens to get that IP, and they want to join the same room that the other person got banned in. I think the situation that's going to come up a lot more is if I'm sharing IPs with somebody in the entire building and somebody gets IP banned from that room, then everyone in the building can't join the room. I don't know how often this is going to happen in practice, so I'm curious to see. Maybe we should just not have IP bans for that reason, but at the end of the day room creators get the choice: they can choose to IP ban people or they could do regular bans. Hopefully you don't even have to ban people from your room, but this is the internet. So I think one of the best options for uniquely identifying people is to require a phone number. I'm not gonna add this right now because, one, I just hate giving up my phone number, and two, it's expensive actually programmatically sending texts. So I'm gonna wait until the website actually makes some money and then possibly add it.

I saw several comments recommending I use some sort of hardware identifier or MAC address instead of an IP, but as far as I'm aware you can't get that sort of thing using JavaScript in a browser. If you can, let me know; I can't find anything on it. But what I am going to try is fingerprinting browsers. It's a technique where you generate a unique ID based on the attributes of somebody's browser, and something that doesn't change when you open up new tabs in incognito or when you clear cookies. I'm going to be using a combination of that and IP bans for now, and we'll see how well they work in practice. If it turns out to be super ineffective or doing too much collateral damage, I can always take them out later.

Someone recommended that instead of storing raw IP addresses to do IP bans, you hash the IP and store that to protect privacy, and I quite like the sound of that. So instead of storing an IP like 127.0.0.1, I would put it through a hashing function, and that would spit out just a garbled string, and the garbled string is what I would store. But there's only like 4 billion IP addresses, so you can easily brute force the IP address if you have the hashed version. To combat this, I'm going to be using HMAC, which you can give a secret, so now it's virtually impossible to brute force the IP if you just have the hashed IP; you would need the hashed IP plus the secret. So hopefully I don't expose both of those things.

I added the first shadow feature: being able to turn off your whispers. Whispers are just like direct messages for rooms, and what makes this shadow is if I send you a whisper, it looks like the whisper gets sent on my side, but on your side, if you have whispers off, you just won't see the message. I don't know if this actually should be a shadow feature, because there could be legitimate people trying to whisper you that think you're just ignoring them, but there has been a situation where people were sending sexist whispers to somebody, so I did want to start this off being a shadow feature just to see if this totally stops the problem for that person.

I did go ahead and also add follower-only mode to chat, which allows room creators, mods, speakers, and listeners who have followed the room creator for at least 30 minutes to talk and chat. This has been very effective so far: spammers have come into rooms blasting messages, and the room creator just flips on follower-only mode and the room is instantly secure. I'm curious to see if anyone will end up waiting 30 minutes, and maybe I should increase the threshold, or I might just make it a customizable value that the room creator can set. But that's it for this DogeLog. I'm currently deep in the weeds of getting room recordings to work. It's a little bit more of a rabbit hole than I first anticipated, but I should have some stuff for the next DogeLog, so stay tuned for that.
Info
Channel: Ben Awad
Views: 154,322
Id: IKc_RH33-uM
Length: 8min 7sec (487 seconds)
Published: Wed May 12 2021