Maker Riley Walls revealed the technical secret behind his viral app that tracked SF parking officers in real time. The city's ticketing system used predictable, sequential ticket IDs. This common flaw in public databases allows anyone to systematically check for the 'next' entry, effectively creating a real-time feed from a system with no public API.
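One way an operator of such a system could spot this access pattern in its own request logs, as an added example that is not from the original page or from the app it describes. The log layout, thresholds and function names are assumptions, and the sample entries are constructed:

```python
from collections import defaultdict

# Constructed sample log (not real data), in chronological order:
# (client, ticket ID requested, HTTP status).
SAMPLE_LOG = [
    ("203.0.113.7", 1001, 200), ("203.0.113.7", 1002, 200),
    ("203.0.113.7", 1003, 404), ("203.0.113.7", 1003, 404),
    ("203.0.113.7", 1003, 200), ("203.0.113.7", 1004, 404),
    ("203.0.113.7", 1004, 200), ("203.0.113.7", 1005, 200),
    ("203.0.113.7", 1006, 404),
    ("198.51.100.20", 5521, 200), ("198.51.100.20", 1200, 200),
    ("198.51.100.20", 5521, 200),
    ("192.0.2.9", 880, 200), ("192.0.2.9", 881, 200),
]

def longest_sequential_run(ids, max_step=2):
    """Longest run of requests that walk upward through the ID space.

    Immediate repeats of one ID are collapsed first, because polling the
    not-yet-issued 'next' ID shows up as the same ID requested repeatedly.
    """
    walked = [i for n, i in enumerate(ids) if n == 0 or i != ids[n - 1]]
    best = run = 1 if walked else 0
    for prev, cur in zip(walked, walked[1:]):
        run = run + 1 if 0 < cur - prev <= max_step else 1
        best = max(best, run)
    return best

def flag_enumerators(log, min_run=5, max_step=2):
    """Return {client: stats} for clients whose requests walk sequential IDs."""
    per_client = defaultdict(list)
    for client, ticket_id, status in log:
        per_client[client].append((ticket_id, status))
    flagged = {}
    for client, reqs in per_client.items():
        run = longest_sequential_run([i for i, _ in reqs], max_step)
        if run >= min_run:
            misses = sum(1 for _, status in reqs if status == 404)
            flagged[client] = {"run": run, "misses": misses, "requests": len(reqs)}
    return flagged

if __name__ == "__main__":
    for client, stats in flag_enumerators(SAMPLE_LOG).items():
        print(client, stats)
```

Detection like this complements, rather than replaces, issuing public identifiers that cannot be guessed from one another.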

Related Insights

Instead of trying to build an impenetrable fortress, early-stage founders should focus security efforts on mitigating the *volume* of potential damage. Simple tactics like rate-limiting all endpoints and creating easy-to-use IP/account banning tools can prevent catastrophic abuse from succeeding at scale.

When a key software tool like Gong lacked a direct data feed, a workaround was created by identifying URL patterns. A scraping tool was used to grab a unique Call ID, which was then appended to a base URL to access and scrape the full transcript, unblocking a complex automation workflow.

Unlike human attackers, AI can ingest a company's entire API surface to find and exploit combinations of access patterns that individual, siloed development teams would never notice. This makes it a powerful tool for discovering hidden security holes that arise from a lack of cross-team coordination.

An analysis suggests most AI startups claiming proprietary tech are just wrappers around major LLMs. This can be verified by 'fingerprinting' their APIs; if a startup's service has the exact same unique, exponential rate-limiting pattern as OpenAI's, it's a clear sign they are just reselling the underlying service.

Treat product data as a reflection of human behavior. At DoorDash, realizing the order status page had 3x more views than the homepage revealed intense user anxiety ("hanger"). This insight, derived from a data outlier, directly led to the creation of live order tracking.

The NCIC, a key FBI database for warrants and stolen vehicles, is more like a daily CSV file than a real-time system. This lag, combined with a lack of data integrity protocols, means outdated information, like a recovered rental car still listed as stolen, persists and puts civilians at risk.

Basim Hamdi's initial "Construction Data Cloud" concept failed because the industry's 30-year-old legacy systems lacked APIs. This critical oversight forced a pivot to Robotic Process Automation (RPA) to extract data, which unexpectedly became the core of his successful business.

The data infrastructure for law enforcement is fragmented and archaic. Until recently, some major US cities ran on paper, and states even outlawed cloud storage. This creates massive data silos that hinder investigations, as criminal activity crosses jurisdictions that don't share data.

Flawed Social Security data (e.g., listing deceased individuals as alive) is used to fraudulently access a wide range of other federal benefits like student loans and unemployment. The SSA database acts as a single point of failure for the entire government ecosystem, enabling what Elon Musk calls "bank shot" fraud.

While most local government data is legally public, its accessibility is hampered by poor quality. Data is often trapped in outdated systems and is full of cumulative human errors, making it useless without extensive cleaning.