Delve - Fake Compliance as a Service - Part I

How Delve managed to falsely convince hundreds of customers they were compliant and then lied about it when exposed and called out

DeepDelver

Forbes 30u30 pipeline remains undefeated.

How did none of this come up during diligence? Feels like a prime example of too good to be true.

Trust me, you can lie and get away with it if you go through YC and dropped out of a top university. Garry Tan blocked me on X for pointing this out. It's a big club, and you ain't in it!

Fortunately, some of the old-YC spirit seems to be alive here on HN still.

You mean from the beginning? They could’ve just done it properly initially then moved to this scam process later

> How did none of this come up during diligence?

The article states that, "Even though we knew we’d technically be lying about our security to anyone we sent these policies to for review ... we decided to adopt these policies because we simply didn’t have the bandwidth to rewrite them all manually."

Hot Aisle (@HotAisle) on X: https://t.co/oFN23M2u26

FWIW I think the 30u30 to fraud pipeline is overstated. There are 600 people on the American Forbes 30u30 list every year (it's "30 under 30 each year in each of 20 categories"), with 20ish notable instances of fraud, so maybe a quarter percent of the people on the 30u30 list will later become famous for fraud.
I think the pipeline is not really about the 30u30 list as a whole, but about the cover of the magazine, which I feel has had a very high rate of fraud.

This was such an interesting read, but I found this link via LinkedIn rather than Hacker News.

I would have expected this to be somewhere at the top right now given how deep the article digs and evidence seems legit.

I think it may be getting (intentionally?) suppressed from the homepage. Given this is a YCombinator website, I wouldn't rule that out.

Regardless, it's been an ongoing issue. I know a few involved companies — it takes basically 5 days to get a SOC 2 Type 2 report through Delve. And, of course, they market this way too: "SOC 2 in days". Unbelievable.

Surprised/not surprised that this is getting buried from the homepage

I just got blocked by another YC founder (and potential investor in Delve?) for refuting his handwavey argument that "all compliance companies do this" [0] — this is beyond just marketing, it is active and blatant/intentional fraud. I don't see how it can be defended. But in that sense it is a major crisis for anyone who invested in the company.

[0]: https://x.com/kobyjconrad/status/2034843865396506864

It got downweighted by HN's voting ring detector. Mods didn't touch it, except to place the story on the frontpage once we knew it existed.

It's a trending story on X. Was surprised there was no meaty discussion here on HN.

I see the submission time as an hour ago, so it actually looks like it got a second-chanced, i.e. boosted by the site admins.

That's correct - you can see from https://news.ycombinator.com/submitted?id=freddykruger that this post was actually submitted 23 hours ago. The timestamp at the top of the thread is relativized to fit the second-chance pool (https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...).

In case anyone hasn't seen my other posts about this:

(1) I had no idea this story existed and woke up to claims that I was obviously* suppressing it.

(2) I looked into it and found that no moderator had touched either of the two submissions of the story, but that both submissions had set off HN's voting ring detector. (Whether there was a voting ring or not, I don't know - that software isn't perfect. It has held up well over the years though.)

(3) We merged the two discussions and placed the merged thread on the front page.

(4) Why? Because we moderate HN less, not more, when YC or a YC startup is part of a story: https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu.... This is literally the #1 principle of moderation in the sense that it was the very first thing that pg drilled into me: https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que....

* https://quoteinvestigator.com/2018/11/18/know-trouble/

TIL that voting ring detection exists

HN would be an entirely different place if people could just arrange to get their stuff upvoted onto the front page! We've spent hundreds of hours working on this over the years. Still not perfect of course.

My theory is that a lot of people may have looked for a story like this on the home page and then searched ‘Delve’ to see if anything was submitted recently and then upvoted one of those recently submitted posts.

In some slacks there are regular requests to upvote stuff.

>I had no idea this story existed and woke up to claims that I was obviously* suppressing it.

To be fair, it seems you’re saying the submission was being suppressed, just not intentionally. Lots of props of course for transparency and reboosting the story

Even if this is a hit piece made by a competitor, the evidence put forward is very damning:

> Conclusions present before customer signs or provides info

If false, the defamation damages here would be in the tens of millions. Huge respect to whoever stuck their neck out to post this.

In theory, yes, but you can't squeeze blood from a stone.

Response to Misleading Claims | Delve

> These are starting points only: customers are responsible for reviewing, modifying, and finalizing their own materials. Draft templates are not the same as “pre-filled evidence.”

Yeah, ok. BRB to start a bank where I template everyone a billion dollars, it's up to you to be honest with how much money you have.

> “Non-denial denial” is a term of art in PR. Never read one? They’re fun.

— patio11 about this response (https://x.com/patio11/status/2035115379169677717)

*Actual fun may vary.

To me this is the money shot (but it takes a couple of passes to understand):

> No small amount of criticism of LLMs is downstream of past decisions to reify form over function, resulting in the substance having been optimized out. Now the LLM threatens to make the form available in seconds

Had to do a double take, but true

They’ve possibly dug an even deeper hole now.

None of their ISO 27001 certificates, aside from the premium one-offs with the vCISO, are accredited by any reputable ISO accreditation body. I would even argue that IAS, who accredited Prescient Security (mentioned as a reputable body in the article), has a questionable reputation and certainly gives off a pay-to-play impression.

You can look up the names of their partners below. The one body I found that is on the register (Accorp) is accredited by UAF, a known cert-mill accreditation body, and I’m not even sure it’s the same Accorp that Delve has partnered with.

For reference, you want an ISO certificate issued by a body accredited by UKAS (UK gov. adjacent non-profit), ANAB (ANSI), or equivalent, all government-recognised. This is normally the first thing I check whenever someone claims ISO 27001 certification and it is a great heuristic to validate certification rigour.

https://www.iafcertsearch.org/search/certification-bodies

Shockingly low levels of DD by everyone involved here.


> "If there are more attacks to respond to we will do so."

Wow, what a way to end the document.

wow! they confirmed it in the last paragraph. "we are investigating possible leaks", not "we have filed a libel suit". A leak means an insider spilled the beans

80% of Compliance has always been a performative box checking exercise.

They delivered the product that every company wanted - make the box checking faster.

There is a legal liability that comes with the box checking. Nobody cares about box checking. Everyone cares about legal liability.

Nah. I’m gonna name some names.

I had a client in the compliance space - they handle detailed product information for Apple, Boeing, BAE systems, Philips, Siemens - you know, nothing important, just literally classified material and incredibly sensitive corporate material.

Anyway. We did ISO27001. We did it well, audited by Lloyds register, reputable stuff all the way down. Built actual meaningful processes.

Anyway, a massive PE entity bought them in a hostile takeover, fired everybody, binned the ISMS, moved to some “compliance” goons.

I saw the box ticking chicanery as it happened - as after firing everyone they of course didn’t follow the off boarding process, so I retained full access to their JIRA. I only lost access a year later when atlassian terminated the account for non-payment.

Nobody actually gives a shit, about anything.

Until someone rich and powerful gets ripped off -- then, suddenly, lots of people care a lot.

Yeah - probably. Didn’t Microsoft have Chinese engineers work classified government stuff?

I guess if you have the muscle to brush off legal action from the govt you’re ok. If you’re an unsuspecting startup - that could be a problem.

> I’m gonna name some names.

*Doesn’t name any names.*

Not that I want you to, I feel it would open you up to libel exposure. But can we both acknowledge that you didn’t name the entity that coasted through their audit?

I did, and then I thought twice. Let’s say it’s a synonym for a piece of non-reflective geology.

He didn't say when he was gonna name some names.

He technically did name many names:

> Apple, Boeing, BAE systems, Philips, Siemens

>Nobody actually gives a shit, about anything.

That's the case until there is the threat of discovery. The real issue is if the PE firm bought the company for the value of the IP and any damages awarded was included in the 'cost of business', which is why liability needs to be extended to those persons who make that decision, not just the corporate entity.

These days, nobody cares about legal liability, which is the likelihood of losing a lawsuit if there's a lawsuit, either. They only care about actual lawsuits against their company. They have noticed they're pretty rare and if the company's going to go under it's going to go under anyway, so might as well take the extra profits from not worrying about it

If someone checked one box, and the company goes under because of a lawsuit linked to not doing what this box said, then the individual who checked that box becomes personally liable for the damages done to the shareholders' asset (the value of the company).

You don't want to be in this position, really. And that's the whole point of compliance.

Maybe. If their boss told them to do it and their boss is the CEO, probably not. It's on the prosecutor to prove the individual employee committed a crime worthy of piercing the corporate veil.

> If their boss told them to do it and their boss is the CEO, probably not

Then it becomes the CEO who's responsible. “Compliance” is there to protect the shareholders!

In practice the only liability you might wind up with is whether you technically met the conditions for checking the box (instead of just checking falsely). But the liability for the overall consequences of not doing the actual job the checklist sets out to do tends to stay where it is.

That’s a separate exercise in most cases. Obtaining the cert is its own exercise and not strictly a security exercise.

Small businesses very much like to gamble with the box checking.

Okay, so who are we supposed to go to for SOC 2 compliance now if any number of the compliance automation companies might be charging 5 figures to do it fraudulently?

If you want to do it right, hire a CPA who takes it seriously and spend the time to complete it in-house and fully understand it. Then engage one of the big 4 to sign off on it. The big 4 don’t offer much for SOC2 above what Delve does, it’s all smoke and mirrors unless you personally take it seriously.

Pay to play and keep selling. Understand the liabilities and cover your ass, address the biggest risks.

The point of SOC2 is really to demonstrate that you have controls. The other fake compliance areas are scarier for sure. You used to see really blatant issues — I recall early SaaS companies pitching to my enterprise with sales engineers showing me customer data.

Microsoft refused to provide diagrams to the Feds detailing how Azure works. They got the FedRAMP High stamp anyway, because they already sold it to half the Fed. That’s more real… as a situation where a Chinese hacker could compromise data in a dedicated “government cloud” by compromising a certificate in an onprem dev environment should be impossible… yet it happened.

Big four have been caught approving fraudulent accounts too, so why not SOC? :)

Last time I went through SOC 2 we talked to our auditor about this. His view was that there are and basically always have been auditors/companies that will sign off on anything without verifying it if you're paying them. The rest of the industry knows who they are though. If you are taking things seriously and hire an auditor who does, that's one of the things that they look at when you're reviewing the reports from the services/subprocessors that you use. Ie, you can get a SOC 2 that doesn't mean anything but then any of your customers who know/care will flag it and it won't be worth anything.

From the article, OP dealt with this.

> But what do you do when the enterprise you are selling to asks you to show that pen-test report (which you never did despite paying for it, because Delve told you a pentest-tools.com vulnerability scan sufficed)? When they ask for your most recent risk assessment, do you just screenshot Delve’s pre-fabricated assessment and pray nobody will pay attention?

> It was that point where the realization sank in. We knew we messed up. We were unable to answer most questions honestly without jeopardizing the deals we were trying to land. We scrambled to get things done the proper way outside of Delve, in an effort to pretend to know what we were doing, but it ended up simply being too much work to get done quickly enough to save things.

> 80% of Compliance has always been a performative box checking exercise.

You're making the same mistake as most people do: it's 80% box checking but that doesn't make it performative, the box checking is here so that the dude who checked the box becomes legally responsible for what's happening if they haven't done what they said they did.

If you didn't check that box you could always claim you didn't know you weren't supposed to do what you did. As soon as you've checked “yes, I'm doing things in the approved way”, this excuse disappears.

> the box checking is here so that the dude who checked the box become legally responsible for what's happening if they haven't done what they said they did.

Maybe so, but how often are small companies actually sued for compliance survey misrepresentations? My most positive look at such surveys, after filtering out all the nonsense, is sometimes they flag something we've missed in our self-directed efforts.

Not really, and I kinda envy you that you haven't really worked up close with compliance-related people.

A lot of compliance is basically corruption - while in country A, you might fall out of a window if you don't buy from the right people at 10x prices, but in 'civilized' country B, you have to buy from vendor X (who has the necessary paperwork), at 10x prices, or you wont be able to sell the product - and there are a million ways that they can turn the levers to kick you out of their markets, or at least make you pay protection money to these compliance organizations.

The systems of grift are very sophisticated, and very obvious to anyone but the people perpetuating and participating in them. As they say, it is difficult to get a man to understand something, when his salary depends upon his not understanding it.

A lot of compliance software is griftware - Sonarqube is a prime example - most engineers don't think it adds value, and the 'analysis' it produces is incredibly shoddy, but like a lot of cybersecurity products, it relies on an authoritarian company culture, certification TP conditional on using the software and achieving a good score etc and alarmist language with nice dashboards. A classic example is that it tags public fields in Java as a security issue. And then the management see that you are writing 'insecure code'.

And literal mouthbreathing idiots in upper management eat this shit up, or use it as a punitive measure against the devs who by their very nature do all the meaningful work.

I'm not saying all compliance is worthless, but if you approach quality from first principles, a 'compliant' product usually has to clear a very low bar of quality. And compliance usually keeps the quality low, and prices high, by forcing potential competitors out of the market.

And compliance can keep quality low in other ways, I've seen firsthand - by making devs work on BS tasks, or preventing improvements and fixes to codebases, because they're not tracked appropriately by whatever change management system.

I was incredibly wary of doing hacky solutions in these places, not out of a sense of commitment to quality, but the fact that once management sees your hacks WORK (kinda), all requests to clean up the garbage will be stonewalled.

Thankfully LLMs make this busywork very easy, through making this papermill garbage, and nitpicking busywork very easy, which I feel will bring at least some positive change in the world (at least to those who do meaningful work)

Sonarqube did not flag public fields as a security issue by default the last time I used it — however it has found several real vulnerabilities for me before.

It did by default for me, and there are a bunch of other poorly implemented analyses, such as it incorrectly flagging Dictionary keys in C# as mutable, or opinionated stuff like it disliking certain names and patterns, forcing me to make arbitrary changes that often cost performance, readability or API cleanliness.

Or insane stuff like it doing a blanket-ban on security related code in the app (but importing a third party lib that does the same is fine).

The analyses in general are low quality and you can see not a lot of effort or thought went into them.

They are not the product - compliance, and dashboards for boomers is.

I'm curious about what did it detect for you? In my experience it stops very obvious bad patterns like using string manipulation to submit SQL (which in certain circumstances might even be fine, even necessary), but it can't really trace non-obvious security issues (like tracing a value through the code, making sure it's valid on every codepath), it just doesn't have the compiler machinery to do that.
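The distinction the comment above draws, between flagging the visibly string-built query and following a value through intermediate variables and branches, is easy to see on a toy. The block below is an added example written for this page, not code from any commenter, SonarQube, or Delve. It uses Python's `ast` module on constructed sample functions: `pattern_flags` only looks at the shape of the argument passed to `execute()`, while `taint_flags` treats every function parameter as untrusted and propagates that through assignments, joining `if`/`else` branches conservatively. The `SANITIZERS` set (calls to `int`/`float` are treated as breaking the taint) and the intra-procedural scope are assumptions of this toy, not a rule from the thread.

```python
"""Pattern matching vs. toy intra-procedural taint tracking for SQL built
from user input. Added example; the samples below are constructed."""
import ast

# Assumption: converting to a number is treated as a sanitising step.
SANITIZERS = {"int", "float"}


def _execute_calls(node):
    """Yield every call of the form <obj>.execute(...) under `node`."""
    for n in ast.walk(node):
        if (isinstance(n, ast.Call) and isinstance(n.func, ast.Attribute)
                and n.func.attr == "execute" and n.args):
            yield n


def pattern_flags(src):
    """Flag execute() calls whose first argument is *visibly* built by
    concatenation, an f-string, or .format(). Anything passed through a
    variable is invisible to this check."""
    hits = []
    for call in _execute_calls(ast.parse(src)):
        arg = call.args[0]
        built = (isinstance(arg, (ast.BinOp, ast.JoinedStr))
                 or (isinstance(arg, ast.Call)
                     and isinstance(arg.func, ast.Attribute)
                     and arg.func.attr == "format"))
        if built:
            hits.append(call.lineno)
    return hits


def _refs_tainted(node, tainted):
    return any(isinstance(n, ast.Name) and n.id in tainted for n in ast.walk(node))


def _scan(stmts, tainted, hits):
    """Walk statements in order; a name is tainted if tainted on ANY path."""
    tainted = set(tainted)
    for stmt in stmts:
        if isinstance(stmt, ast.If):
            then = _scan(stmt.body, tainted, hits)
            other = _scan(stmt.orelse, tainted, hits)
            tainted = then | other  # conservative join of the two branches
            continue
        if (isinstance(stmt, ast.Assign) and len(stmt.targets) == 1
                and isinstance(stmt.targets[0], ast.Name)):
            val = stmt.value
            sanitised = (isinstance(val, ast.Call) and isinstance(val.func, ast.Name)
                         and val.func.id in SANITIZERS)
            name = stmt.targets[0].id
            if not sanitised and _refs_tainted(val, tainted):
                tainted.add(name)
            else:
                tainted.discard(name)  # overwritten with a clean value
        for call in _execute_calls(stmt):
            if _refs_tainted(call.args[0], tainted):
                hits.append(call.lineno)
    return tainted


def taint_flags(src):
    """Flag execute() calls whose first argument depends on any function
    parameter, following the value through assignments and branches."""
    hits = []
    for fn in ast.walk(ast.parse(src)):
        if isinstance(fn, ast.FunctionDef):
            _scan(fn.body, {a.arg for a in fn.args.args}, hits)
    return sorted(hits)


# Constructed samples. The '''\ keeps `def` on line 1 of each snippet.
OBVIOUS = '''\
def find_by_name(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
'''
INDIRECT = '''\
def find_by_id(cur, user_id):
    if user_id.isdigit():
        key = user_id
    else:
        key = user_id.strip()
    query = "SELECT * FROM users WHERE id = " + key
    cur.execute(query)
'''
SANITISED = '''\
def find_by_id(cur, user_id):
    key = int(user_id)
    query = "SELECT * FROM users WHERE id = " + str(key)
    cur.execute(query)
'''
PARAMETRISED = '''\
def find_by_id(cur, user_id):
    cur.execute("SELECT * FROM users WHERE id = %s", (user_id,))
'''


def compare(src):
    return {"pattern": pattern_flags(src), "taint": taint_flags(src)}


if __name__ == "__main__":
    for label, src in [("obvious", OBVIOUS), ("indirect", INDIRECT),
                       ("sanitised", SANITISED), ("parametrised", PARAMETRISED)]:
        print(label, compare(src))
```

Running it shows the gap the comment describes: both checks flag the concatenation on line 2 of `OBVIOUS`, but only the taint walk flags line 7 of `INDIRECT`, where the user-controlled value reaches `execute()` through `key` and `query`. Neither flags the parametrised query, and the taint walk stays quiet once `int()` sits on the path. A real analyser has to do this across function and module boundaries, with far more sanitiser and sink knowledge, which is the "compiler machinery" the comment is getting at.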