When I was 20 or so I hacked a Y Combinator company called Tutorspree.

I wasn’t going out of my way to hack anything and had no malicious intent. Out of boredom, I poked around their site and after making a profile, tried to upload non images to the site. Whoops looks like it worked.

I had just learned about reverse shell scripts and was following the Y Combinator demo day that year. So I uploaded an reverse shell and oh no this was not good, it actually had full control of their website.

I immediately used the live chat on their site and asked for their CTO to tell him how to fix it before my friend tried to hack them (and I knew he had not so good intentions).

>hello?
Ryan : hi
Ryan : how can i help ya?
>are you the cto?
>I recently signed up as a hacker from your blogpost
Ryan : yup
>um
>you have some interesting holes
>I want to explain to you
Ryan : oh, shoot, thanks
>no problem, i've been hacked many times
>so the most important first
>when you sign up
>you can see all the images from a folder called uploads
>http://www.tutorspree.com/uploads/
>im not sure if people want me to be able to see these all, maybe they do
>but then i realized you let people upload anything
>they can even upload php files
>:-O
>and your server will run them
>ctrl+f shows some people already have done this
Ryan : oh shit
>this one is my friend 113215659ohgod2.php
Ryan : crap, thanks for letting us know
Ryan : that's realy bad
>actually
>its only been my friend
>yeah, please fix it
>where is your startup located?
Ryan : thanks so much for the heads up
>yeah
>i just get frustrated why people want to destroy startups
Ryan : another title for cto = only programmer. so ive been swamped a lot of the signup stuff is ugly
Ryan : we're in mountain view
>im a sophomore in college and people have been destroying the sites i make too :-(
>this is a really cool idea byw
>btw*
Ryan : thanks!
Ryan : we're moving back to new york after ycombinator
>woah you got in?
Ryan : if you are looking for a job, hit me up [email protected]
>thanks
>can you give paul a heads up for me, i havent applied yet
>lol
>im going to be in china this semester, so i cant try until next year
Ryan : is your friend paul?
Ryan : ohh PG
Ryan : lol
>yeah
>its going to be impossible to get in now that they
>offer 150k to everyone
Ryan : it will make things difficult
>maybe helping startups not get hacked before they've even launched will give me an advantage
>hey here's another thing
>http://www.tutorspree.com/thumbs/phpThumb.php?src=../index.php
>im not sure if you can do anything by choosing the src
>i think the php uploading is more important
>and you might want to delete the existing php files already
Ryan : hmm thanks
>also change all your passwords x_X
Ryan : were all our passwords exposed?
>uh my friend...
>did a stupid script
>let me check
>yeah...
Ryan : lol
>sorry, I can't control him
>he won't do anything
Ryan : thanks a ton dude. your friend, too.
>sure man
>i think hackers care more about breaking in than doing damage anyway
Ryan : ask him if he wants a job
>nah, we're trying to do our own startup
Ryan : haha fair enough
Ryan : where do you guys go to school?
>he goes to texas university
>I go to northeastern in boston
>theres a ton of people here who would jump at the chance to move off to palo alto for a semester
Ryan : for sure
>any tips on getting in?
Ryan : being able to hack helps, but it's really all about your idea, from imo
>lol yeah i might put this on the resume if you don't mind
Ryan : well what might help more is if you guys apply reach out to me first
Ryan : and send me the app
>yeah, we should keep in touch
>also, pro move on the live chat here
>this would have taken days to get the hack shown
Ryan : haha thanks
>are you tutoring on your own site?
Ryan : not yet
Ryan : i'd like to try
Ryan : we've been getting a good amount of people work
Ryan : which is encouraging
>yeah, its cool
>feel free to lend me a recommendation :-D
>http://www.tutorspree.com/recommendations-add/4595
Ryan : lol, i will for sure
Ryan : done!
>I'll send you an email later, thanks
>don't forget to delete the .php files so no one else uses those scrips
Ryan : already did
Ryan : cant thank you enough, james
Ryan : !
Ryan : shoot me an e-mail anytime
>thanks bye

Hilariously, they had just increased their funding to $150,000 that year which I assumed would make it impossible to get in. These days it’s at least $500,000.

Ryan offered me a remote job and I narcistically said we’ll just get in with out startup. It would take another few years before I actually did get in.

Y Combinator

Y Combinator was fantastic. They had just started making a concerted effort funding hardware startups 6 months prior so there was hype around tools for that.

Every 2 weeks we did a group meeting session where we share metrics and problems we encounter. I became friends with some extremely smart people, someI still talk to.

Every Tuesday we had the big dinner and another huge personality in Silicon Valley came to speak. Peter Thiel, The Airbnb guys, The 23andMe Ceo, and more.

We got most of our early customers from Kickstarter which had a lot of hype at the time. We had 10 customers by demo day and were in talks with Walmart.com and Soylent who were shipping huge amounts.

Our pitch was good. Nobody else was doing what we were except multibillion dollar companies like Amazon so we stood out and looked crazy. Crazy works in this industry. We were saying things like this would be the AWS for logistics.

Our metrics (items shipped) was good, but not amazing.

But we raised $1.7 million in the same week as demo day without giving a board seat.

The lead VC partner went to the same school as my cofounder’s dad in a foreign country. He hammed that up.

The Downfall

While attempting to make sales by providing logistics as a service, one company kept popping up. Pakible.

They were the first startup to provide branded packaging as a service. And whenever a customer wanted to work with us, the first thing they would ask is how to get some nice packaging when we ship out.

We repeatedly sent them business. In return, they kept customers asking where they could store and ship out their products so sent people our way.

At one point we were doing a call multiple times a week referring people. We started to joke about merging. In retrospect, that would have been an amazing idea. I think more startups should merge in general. We would have dominated this industry.

Instead both our companies failed at the same time.

In my case, my cofounder started to act more and more unhinged after we raised the money. He started to work less and become more abrasive. I knew the guy for about 5 years now since college and he started requesting code reviews over everything I wrote, even fighting over variable names. It’s not like we had a ton of customers – just a lot of money in the bank. He would disappear for days at a time and come back saying we should completely pivot the company to this idea he just came up with. It started to feel like I could build faster and have more fun without him so I left. With a little more tact, maybe we could have agreed on splitting parts of the company between us but I just wanted to get away from him.

With Pakible their cofounder relationship fell apart too. The cofounder started a second version of the company with exactly the same service and quite a similar looking website. I suspect the same developer did both. I went to visit his office at one point and talked to his intern.

Within a few months she had left and started a third version of this company with exactly the same service of providing branded packaging and a similar looking website. I heard they may have used the same developer for all 3 companies. During Covid this type of business boomed, last I heard her was acquired by private equity and she went off to Germany to become a DJ.

Aftermath

I still run into Ryan from Tutorspree at events and remind him every time which I think he finds less and less funny each time.

He ended up forgetting to say hi to Paul Graham when I asked him to. I was able to myself. 🙂

What an impression that guy makes.

When Paul heard our company he said “Warehousing and logistics. When a company hears they have to deal with that they will think ‘oooh scary’.”

Paul then said we were a terrific example of his essay about schlepping: http://www.paulgraham.com/schlep.html

I told him our sales Sam Altman sine wave wave going up
pg said he got that from me!

As we were leaving, I told him we had the domain theshotput.com and were talking with the owner of shotput.com but he was playing hardball, was it worth changing?

He said “Drop the ‘the’. Just shotput.”