Just telling people to apply to domain.com/jobs is pretty lame. So, basically the same door that anyone else goes through when they click the "Careers" link in your site's footer?
Reminds me of when I solved one of the CTF challenges for a website only for my reward to be "We're hiring! Apply at jobs.example.com!"
A perfect "be sure to drink your Ovaltine" moment! If anyone is unfamiliar, it refers to the movie "A Christmas Story". The moment here: https://www.youtube.com/watch?v=zdA__2tKoIU
I first saw that movie only a couple of years ago and quickly realized how many pop culture references come from it. It does such a good job of capturing a period of time in North America. Even before I saw the movie, eating out at a Chinese restaurant was a thing for me and my family. I had no idea it may have been related! Also... one day I'll own that lamp.
This is great, thanks. I haven't seen this movie or heard of it. This scene is delivered very well and really explains the 'be sure to drink your Ovaltine' concept.
The movie was a childhood staple, but the book is even better - literally LOL'ed, snorted, etc.
"In God We Trust: All Others Pay Cash" by Jean Shepherd.
There are lots of additional short stories there not featured in the movie.
Growing up in the 90's my family would make it a point to watch this every year around the holidays, good times. If you are ever in Cleveland, OH, you can actually tour the house they filmed most of it in.
Seems meta. As far as references to ads in movies I enjoy Demolition Man. I loop the classy cover of the jingle for Jolly Green Giant from time to time to endear me to my (close) colleagues. It's burnt deep, whelp time for a listen.
Fascinating aside on Demolition Man: some versions have all restaurants as Pizza Hut rather than Taco Bell [1]. The version I saw as a kid was Pizza Hut, so when I said “in the future all restaurants are Pizza Hut”, a friend said “you mean Taco Bell” and we both learned something :).
> For some non-American releases, references to Taco Bell were changed to Pizza Hut. This includes dubbing, plus changing the logos during post-production. Taco Bell remains in the closing credits. In the Swedish release the subtitles still use Taco Bell while the sound and picture has been altered as above. The original version released in Australia (on VHS) contained Taco Bell, yet the newer version on DVD was changed both in logo and dubbing to Pizza Hut (in the scene where the restaurant patrons are looking through the glass windows to the fight scene outside, Taco Bell can be seen etched into the glass, even in the modified version).
Indeed, in my youth I downloaded a version that had this and I was alarmed at first. Some further research showed that it was an international release, as Pizza Hut has a broader brand globally. The scene in San Angeles where Wesley Snipes attacks a bunch of police and he learns of his programming was filmed in Irvine, CA. I've got a few photos of the location and now would be a good time to take some shots since it isn't as busy. Also tripped out that the mall scene in Kindergarten Cop was shot at the Main Place Mall in Santa Ana.
> Just telling people to apply to domain.com/jobs is pretty lame. So, basically the same door that anyone else goes through when they click the "Careers" link in your site's footer? Reminds me of when I solved one of the CTF challenges for a website only for my reward to be "We're hiring! Apply at jobs.example.com!"
That reminds me of MI5’s Coding Challenge [1][2][3].
One of the defence agencies in Australia made a puzzle quite a long time ago; I can't find it now. It was a bunch of hex in a banner advert; the hex was actually x86 assembly, which if 'run' would write a string into memory.
The string was just the URL of their recruitment portal. I was so disappointed, once I got it running I was hoping to hear helicopters or a knock on the door!
The point is that if you crack it, they should send you to some unique link. Even if it's not super hard, it at least proves some level of technical competency and so should allow you prioritised interview access (maybe at least skipping initial screening).
Not everyone is working on awesome stuff at an intelligence agency. They still need people to work on their 20 year old hellscape of an ERP system in a hated language (Java, Ada, COBOL, etc.).
Sure, but how much of the actual job will be solving puzzles? Seems unlikely to be representative of the work, so the people who enjoy the actual work might begrudge the interview and the people who enjoy the interview might not enjoy the work.
I assume the solutions to these can be found publicly pretty quickly. So your secret bypass first filter loses utility after the first couple of people.
The reason you put these riddles online is to get to know people who love this kind of challenge. This is still the case if the solutions are available online, even though I would include a plea in my job ad not to post solutions online, for fairness with respect to other potential applicants who managed to solve the riddle.
When in a job interview, it should be very easy to find out whether the person found the solution online or "cheated"; simply ask some detailed questions about how the person came up with this and that part of the approach.
Perhaps filtering out the people who can neither solve it nor Google it is enough of a filter by itself. Not suggesting it should bypass more than initial screening, naturally.
'Ovaltine was developed in Bern, Switzerland, where it is known by its original name, Ovomaltine (from ovum, Latin for "egg", and malt, which were originally its key ingredients).' [1]
Ha, as a Swiss, from the Bern region, I was thinking whether this strange sounding Ovaltine has anything to do with Ovomaltine and was about to look it up.
In Switzerland, Ovomaltine is among the products with highest brand recognition ever and has a cult status because of their advertisement in the 80s and 90s.
I am from South America and I drink Ovomaltine every day. It has a lot less sugar than the local brands, which is a plus in my book. More actual taste than just sugary overload.
Used to be pretty big in Italy in the late 70s/early 80s, then Nestlé destroyed all competition with their Nesquik. You can still find Ovomaltine in large supermarkets but it's clearly a bit player.
Has Google even bothered with Foobar for like past 2-3 years? It appears so frequently on non-incognito searches that surely every developer must have seen it by now.
I've never got it and I've been googling programming stuff for almost a decade now.
However, maybe I'm remembering wrong, but a few years ago I was reading an article about it and someone showed a search term that brought it up for them and I tried that term and got it. Don't remember what the search term was, but I think it was something related to one of the popular leetcode-esque algorithms I've never had to do in my hobbyist or professional work.
I've never seen it, but other people in my (non-US) country claim to have seen it. I always assumed it was either my taste in porn or the fact that I'm usually logged out and regularly clear tracking cookies.
FooBar is still being considered. I solved some problems a few months ago and was contacted by their recruiter one month after that; they did mention FooBar as the main signal.
I’ve never seen it, live in the US, and I google developer things all the time. Maybe it’s because I work in Ruby and not one of the more googley languages?
When Google was working on the first Chromebook, they decided to give away some prototype Chromebooks to developers for free. There was a web form to request one. A small portion of the requests were granted.
But they also took a more targeted approach: If you appeared to be a frequent user of the Dev release channel of Chrome (unstable), an offer would appear on the New Tab page to immediately claim a prototype Chromebook for free.
I only know this because that’s how I got mine. A coworker of mine was interested in developing a ChromeOS app, tried switching to the Chrome Dev channel like me, and received a similar offer in a few days.
It was great targeting. We both ended up making ChromeOS-specific improvements to a popular web app. When you compare this to the cost of paying a company to port their app to your platform, this was a good deal for them.
Ah, the CR-48! I was watching the Google I/O when it was announced, and they shared a link to request the prototype. I filled it out right as they showed it and a couple of weeks later I had a new laptop on my doorstep. I was around 11 at the time so my mom saw it first and thought it was like a bomb. The packaging for it was really cool, I won't forget it, and it came with a bunch of dope stickers.
I'm even still in the Google Group for the testers, but nowadays it's mostly people talking about how the hinges broke on theirs.
I stumbled across "we hire" messages across PayPal, TechCrunch, and dozens of other websites, even no-name startups. You can find them in headers, CSS, HTML, JS and all over different places.
The thing is: the message neither changes the recruiting process nor company values, so it does not matter if you come from an X-Header or company/careers. This cryptic message thing will only get you an "oh cool" reply from recruiters. If you are a good engineer you'll be hired regardless of these messages; if you don't fit the company because of who knows why, you'll not get there anyway.
Engineers, thank you for giving me a bit of hope or fun ¯\(°_o)/¯
> If you are a good engineer you'll be hired no matter of these messages
That's a bit idealistic. When one job has 100 applicants, the unfortunate reality is not all 100 resumes will get read. If you've already got a couple years to a decade of experience under your belt, your resume will naturally surface to the top of the pile, but if you're just starting out, it can be impossible.
Recruiters may only say "oh cool" to you, but, especially if your resume shows zero years of professional experience, there's a tiny bit more effort that goes on behind the scenes. You're right that you still go through the exact same flow, but it's a (tiny) shibboleth that helps show that the candidate fits the mold.
I agree, and it's even worse than that: the hiring pipeline will only measure how well you do on the day, which is a noisy measurement of underlying ability.
If you get asked a coding problem in an interview and it doesn't go so well, it doesn't matter if you would have had a strong answer for the 10 alternative interview problems that weren't asked.
We worked at a megacorp rental car company. Top-notch risk guy noticed the x-hacker header on our wordpress.com blog and launched a CSIRT. Automattic corp was trying to hack us. I had the infosec director sitting on my desk in minutes. They fired up a conference bridge with a half dozen VPs while we waited for the CIO.
"Get our wordpress account executive on the phone!" - yeah, don't have one, we pay 9.99 a month for a blog, they also don't have a phone number
"Open up a SEV1 support ticket" - yeah, it says their support team is on vacation this week
After about 90 minutes of hand-wringing on the conference call, I guess enough of them googled the message to figure out it was a recruiting pitch. I got confirmation from the community support forum a week later that we were indeed not hacked.
Is anyone else annoyed this is being publicized? It pretty much destroys any value that noticing the header might have as a signal. Granted the signal strength was probably pretty low already, as other commenters have pointed out, but blog posts like this must decrease it even further.
No, because all these headers just lead to the stock standard hiring page. It literally has no effect.
I first noticed these kinds of "hidden" hiring messages almost 10 years ago. I thought it was cool for like 20 seconds until I realised that it is no different than just applying normally on their normal hiring page.
So the fact that more people find out about this is like people discovering that a hiring page exists on companies' websites. Which they already knew.
What I'm actually annoyed by is that companies are still doing this stupid thing.
Low signal strength for sure - all it says is "I know how to open Dev Tools." Rather than worry about trying to retain some value, I look at these posts as an educational opportunity. They can encourage people who don't know how the web works to dig deeper, learn more.
It didn't have any value to begin with, honestly. Websites have the exact same message in their code simply by inspecting source or opening a console, and that certainly doesn't show you have any sort of skill or curiosity.
It's not like the sites are offering you a job, they're saying you should interview with them. I have not heard of anyone getting hired because of this.
I remember several years ago when I still had a Reddit account I found internship opportunity advertisements in web socket payloads. I asked about that on the reddit channel on Freenode, I think, and was politely told to not mention it on r/JavaScript.
A long time ago my friend was one of the first to adopt IPv6. Some company had a special page for him saying he was the first to connect over IPv6 and instructions for claiming his prize. Called them up, and they had no idea they had that page; they had to check and "oh huh we really do have that page". They had had it up for so long that it had slipped from institutional memory.
I had a similar idea for financing Open Source software projects. The contributing sponsors would get their URL and ad text into a comment at the top of the source code. The bigger your sponsorship, the higher up in the list your company will be.
The ads would of course be targeted at hackers, such as "come work for us", since only hackers read source code. So it would be a very targeted ad (like the HTTP header thing).
I don't know if this has been tried out in practice but why not, if even HTTP-headers are used for a similar purpose?
Other than the Caddy debacle, there was a short-lived attempt to run ads in the output of npm install, which also backfired spectacularly: https://news.ycombinator.com/item?id=20786981.
I think if there was a magic button to remove any and all advertising from the internet, most people would press it, consequences be damned. You really need to think hard before hitching your cart to that horse.
He's speaking from experience. But, if your circumstances aren't exactly the same, the outcome may be different.
Credits pages in software, accessible from the main UI, used to be very common, and having names there -- or embedded in source code -- doesn't violate a user expectation.
Server software sending 'Server:' headers also doesn't violate user expectation, though some people prefer to turn these off.
Custom headers that cannot be turned off have a higher likelihood of violating user expectation.
To the OP: in open source projects, some users will attempt to remove undesired behavior, within the rights afforded by the license, but these exercises of copyright can interact adversely with trademarks and other brand protections, and with the surrounding (human) infrastructure and information-space around a project (e.g. names, URLs, references to services, secrets).
Your attempts to reconcile such a situation are nontrivial, and both inaction and action have a high likelihood of resulting in bad press (e.g. user confusion about fork, or heavy-handed enforcement). The harm will persist long after the original situation has been resolved or mitigated.
> some users will attempt to remove undesired behavior,
Surely. But a link in a comment to a supporter who helped finance the project is not really "behavior" is it? It is not part of the program that executes.
So it is not "undesired behavior" since it is not behavior at all.
But is it "undesired" in other ways?
If you put in a copyright notice into the source code, that is a kind of advertising for whoever's name is in it. Often comments contain links to the website of whoever maintains the source-code. Is that undesired? If not then what would be so undesirable about putting in a link to the website of whoever supported the project financially.
And if they paid for that, they would be supporting the project financially. And in the end isn't that what we want, financial support for Open Source projects?
maybe I'm behind the times, but is 'hacker' now colloquial to mean 'anyone who codes'? Plenty of normal software engineers / devs, who are by no means 'hackers' (myself included) read the source code.
My understanding of hacker is specifically someone who exploits vulnerabilities in code. Regular programmers are like building architects, hackers are like people holding up a mask so that the facial recognition powered NEST lock will let them inside the building.
"crackers" or "security hackers". I'm sure most people on this site would consider themselves to be some form of "hacker", after all, this is "Hacker News".
Every programmer of course reads some source code because they must read their own source code. But such a programmer might use an Open Source library without reading its source. Whereas if you are truly a hacker you are interested in how things work and you would more likely be reading such source.
I agree that the definition of "hacker" is somewhat vague, but mostly people understand it the same way depending on context.
I assume the reason dedicated programmers are called hackers is that earlier the word "hack" referred to writers.
I like adding "Server: Windows 95", "X-Powered-By: PHP 2.0" or something like that. You know, just to mess with people. Make them wonder what the fuck they just stumbled upon.
I saw a job ad in the output on the JavaScript console. Very good targeting - someone poking around the JS for the site is likely to be a good fit for the frontend dev role for that site.
Well, maybe not super likely in absolute terms but still infinitely more likely than a random person reading a dev job board.
> "…in practice the benefits [of the "X-" convention] have been outweighed by the costs associated with the leakage of unstandardized parameters into the standards space."
Honestly, prefixing silly, fun or extra headers with X- like in this scenario seems pretty harmless.
>>That specific header seems to be a "default" one if you host your site on WordPress VIP, the enterprise WordPress hosting solution managed by Automattic.
I see this in a lot of websites I visit.
I usually inspect them just out of curiosity.
Some of them get pretty clever, like a hidden element that says something funny.
The funniest thing I saw: I was looking at an API from a top-tier tech company and the person who wrote the software had a message in it containing words of frustration. Like swear words.
But the weirdest thing I usually see is how the flagship of some top tech company can't make their website responsive when all you have to do is change a few lines of code.
Or when they upgrade their UI/UX and just break a lot of features.
Right at the top there's a bunch of junk that their third party scripts add... yuck, but totally common. But there's a bunch of other stuff that they clearly add to the global namespace for normal operations too. Yuck! Is this how you work?
Anyway, not fully caffeinated yet so I just scroll randomly (a standard `window` is enormous as it is, so there are surely needles in this haystack but I'm not getting methodical just yet).
method: "trackPii"
This appears to be a part of their internal analytics. D:
I'm gonna stop right here because I don't really want to learn more, and I'll just continue my personal preference of never visiting Gusto unless my employer requires me to.
SoundCloud used to have something similar in the JS console, which I’ve seen in a few other places as well. Quite clever as a way of filtering but as pointed out they usually point to the regular front door so no magic queue skip which seems like a lost opportunity...
Reminds me of the time google mined my search data in order to redirect me to their recruiting pages, but instead of abusing my data in unforeseeable ways, these guys only require that you are able to switch to the network tab of your browser. Pretty neat.
Maybe engineers who are not concerned about Google mining their search data for recruitment purposes are exactly the kind of engineer Google wants to hire.
Hi there,
If you're sniffing around this file, and you're not a robot, we're looking to meet curious folks such as yourself.
Think you have what it takes to join the best white-hat SEO growth hackers on the planet?
Run - don't crawl - to apply to join TripAdvisor's elite SEO team
Email seoRockstar@tripadvisor.com
Or visit https://careers.tripadvisor.com/search-results?keywords=seo
I haven't seen any of these yet, but ironically, working for the company is probably the last thing on my mind if I'm looking at HTTP headers from a site since I usually do that when I must use it for some reason and need to figure out why it's not working or how to more easily access it (it is often a SPA which shouldn't be, or otherwise something designed with "Chrome is the only browser you should use" mentality.)
That is probably because you are occasionally looking at the headers using browser developer tools, but it’s a whole different experience when you are running something like Snort or Wireshark.
HTTP Headers are user-input for the recipient. I delivered a few security-related talks where my website sends XSS payloads in its HTTP headers. There are many "HTTP Headers checker" websites that fail to sanitize HTTP headers, and they make a good punchline for the talk about sanitizing user-input.
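The "header checker" failure described in the comment above, as an added example that is not from the original post: a small parser for a constructed raw HTTP response, the naive rendering that echoes header values straight into HTML beside the escaped one, and a check that a literal tag from a header value only survives in the naive version. The response bytes, header names and function names are all constructed for this illustration.

```python
import html
from typing import List, Tuple

# Constructed raw HTTP/1.1 response (not a real site's output). Two header
# values carry HTML markup; a checker page that echoes them unescaped would
# render them as markup instead of showing them as text.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx\r\n"
    b"X-Hacker: If you are reading this, <b>apply</b> at /careers\r\n"
    b"X-Demo: <script>alert(1)</script>\r\n"
    b"\r\n"
    b"<html>body omitted</html>"
)


def parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Split the header block off a raw response and return (name, value) pairs.

    The status line is dropped and any line without a colon is skipped, so a
    malformed header cannot derail the parse. Values are *not* trusted.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")[1:]
    headers = []
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return headers


def render_unsafe(headers: List[Tuple[str, str]]) -> str:
    """The pattern the comment warns about: untrusted values concatenated into HTML."""
    rows = "".join(f"<tr><td>{n}</td><td>{v}</td></tr>" for n, v in headers)
    return f"<table>{rows}</table>"


def render_safe(headers: List[Tuple[str, str]]) -> str:
    """Same table, but every name and value is HTML-escaped before insertion."""
    rows = "".join(
        f"<tr><td>{html.escape(n, quote=True)}</td>"
        f"<td>{html.escape(v, quote=True)}</td></tr>"
        for n, v in headers
    )
    return f"<table>{rows}</table>"


def contains_raw_tag(rendered: str, tag: str = "script") -> bool:
    """Does the rendered markup still contain a literal <tag from header input?"""
    return f"<{tag}" in rendered.lower()


if __name__ == "__main__":
    hdrs = parse_headers(SAMPLE_RESPONSE)
    print("unsafe has live <script>:", contains_raw_tag(render_unsafe(hdrs)))
    print("safe has live <script>:  ", contains_raw_tag(render_safe(hdrs)))
```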
I got one similar message when trying a known exploit of PHP on Facebook. I forgot the bug / exploit; it may even have been an Easter egg for a single version of PHP, but basically you added an argument to a URL path and it showed the PHP file's code. Come to think of it, I think someone mentioned it here on HN but I can't remember what it was.
It's pretty clever advertising really. I don't imagine that having noticed an HTTP header would really give an applicant much of a boost in the interview process, but to some it probably feels like finding a ticket to Willy Wonka's factory and may motivate them to apply in the first place.
I found one in my favorite niche streaming audio site. I actually went through the process - there were actually a few steps to get to the actual email address. I sent them an email even though I wasn’t on the market :-)
Can someone share what header the author added to their site? I only have my iPhone for the next 6 days. Anyone know of a way to see headers on an iPhone out of curiosity?
For headers alone, use a HEAD request with `curl --head`, short form `curl -I`. `curl -D-` emits the body as well, which is just noise if you’re only interested in the headers.
A HEAD request doesn't necessarily return the same headers as the corresponding GET request. Just use `-o /dev/null` to suppress the body (which I omitted for brevity).
We did this in our binary - adding a message in there which would be seen if attempting to reverse engineer or crack it. No emails from that yet though :)
These are pretty low effort, and they don't even give an indication that you found their SUPER HIDDEN /career page by typing "shitty company open positions" on a search engine or by analyzing their headers.