
Next dream job can be in an HTTP header

374 points | frenxi | 5 years ago | frenxi.com | reply

171 comments

[+] hombre_fatal|5 years ago|reply
Just telling people to apply to domain.com/jobs is pretty lame. So, basically the same door that anyone else goes through when they click the "Careers" link in your site's footer?

Reminds me of when I solved one of the CTF challenges for a website only for my reward to be "We're hiring! Apply at jobs.example.com!"

Real "be sure to drink your Ovaltine" moment.

[+] dylanz|5 years ago|reply
A perfect "be sure to drink your Ovaltine" moment! If anyone is unfamiliar, it refers to the movie "A Christmas Story". The moment here: https://www.youtube.com/watch?v=zdA__2tKoIU

I first saw that movie only a couple years ago and quickly realized how many pop culture references come from it. It does such a good job of capturing a period of time in North America. Even before I saw the movie, eating out at a Chinese restaurant was a thing for me and my family. I had no idea it may have been related! Also... one day I'll own that lamp.

[+] guessmyname|5 years ago|reply
> Just telling people to apply to domain.com/jobs is pretty lame. So, basically the same door that anyone else goes through when they click the "Careers" link in your site's footer? Reminds me of when I solved one of the CTF challenges for a website only for my reward to be "We're hiring! Apply at jobs.example.com!"

That reminds me of MI5’s Coding Challenge [1][2][3].

[1] https://cixtor.com/blog/mi5-coding-challenge

[2] https://www.mi5.gov.uk/careers/opportunities/coding-challeng...

[3] https://www.mi5.gov.uk/sites/default/files/styles/puzzal_ima...

[+] cerved|5 years ago|reply
Why do they call it Ovaltine?

The mug is round. The jar is round.

They should call it Roundtine.

[+] saagarjha|5 years ago|reply
Google Foobar does it right and lets you skip to actually be considered, which is nice.
[+] Gaelan|5 years ago|reply
fwiw, a few of them say "mention this header"—so perhaps there is some accelerated path that it goes on.
[+] m0dest|5 years ago|reply
When Google was working on the first Chromebook, they decided to give away some prototype Chromebooks to developers for free. There was a web form to request one. A small portion of the requests were granted.

But they also took a more targeted approach: If you appeared to be a frequent user of the Dev release channel of Chrome (unstable), an offer would appear on the New Tab page to immediately claim a prototype Chromebook for free.

I only know this because that’s how I got mine. A coworker of mine was interested in developing a ChromeOS app, tried switching to the Chrome Dev channel like me, and received a similar offer in a few days.

It was great targeting. We both ended up making ChromeOS-specific improvements to a popular web app. When you compare this to the cost of paying a company to port their app to your platform, this was a good deal for them.

[+] isiahl|5 years ago|reply
Ah, the CR-48! I was watching the Google I/O when it was announced, and they shared a link to request the prototype. I filled it out right as they showed it and a couple weeks later I had a new laptop on my doorsteps. I was around 11 at the time so my mom saw it first and thought it was like a bomb. The packaging for it was really cool, I won't forget it and it came with a bunch of dope stickers.

I'm even still in the Google Group for the testers, but nowadays it's mostly people talking about how the hinges broke on theirs.

[+] tarasmatsyk|5 years ago|reply
I stumbled across "we hire" messages across Paypal, Techcrunch, and dozens of other websites, even no-name startups. You can find them in headers, CSS, HTML, JS and all over different places.

The thing is: the message neither changes the recruiting process nor company values, so it does not matter if you come from X-Header or company/careers. This cryptic message thing will only get you "oh cool" reply from recruiters. If you are a good engineer you'll be hired no matter of these messages, if you don't fit the company because of who knows why - you'll not get there anyway.

Engineers, thank you for giving me a bit of hope or fun ¯\(°_o)/¯

[+] fragmede|5 years ago|reply
> If you are a good engineer you'll be hired no matter of these messages

That's a bit idealistic. When one job has 100 applicants, the unfortunate reality is not all 100 resumes will get read. If you've already got a couple years to a decade of experience under your belt, your resume will naturally surface to the top of the pile, but if you're just starting out, it can be impossible.

Recruiters may only say "oh cool" to you, but, especially if your resume shows zero years of professional experience, there's a tiny bit more effort that goes on behind the scenes. You're right that you still go through the exact same flow, but it's a (tiny) shibboleth that helps show that the candidate fits the mold.

[+] jedberg|5 years ago|reply
For a while we had a recruiting message in the reddit headers. We also had this for many years:

    x-Bender: Bite my shiny metal ass
We also had this for a long time:

    Server: '; DROP TABLE servertypes; --
Sadly, it looks like it was removed when they switched from haproxy to varnish. They did put this in though:

    x-moose: majestic
So that's something I guess.
[+] ahmetkun|5 years ago|reply
It's also in the robots.txt file.

    User-Agent: bender
    Disallow: /my_shiny_metal_ass
[+] jalfresi|5 years ago|reply
X-Bender came from slashdot.org didn't it? I recall it being present in the early 2000s.
[+] davio|5 years ago|reply
We worked at a megacorp rental car company. Top-notch risk guy noticed the x-hacker header on our wordpress.com blog and launched a CSIRT. Automattic corp was trying to hack us. I had the infosec director sitting on my desk in minutes. They fired up a conference bridge with a half dozen VPs while we waited for the CIO.

"Get our wordpress account executive on the phone!" - yeah, don't have one, we pay 9.99 a month for a blog, they also don't have a phone number

"Open up a SEV1 support ticket" - yeah, it says their support team is on vacation this week

After about 90 minutes of hand-wringing on the conference call, I guess enough of them googled the message to figure out it was a recruiting pitch. I got confirmation from the community support forum a week later that we were indeed not hacked.

[+] twicetwice|5 years ago|reply
Is anyone else annoyed this is being publicized? It pretty much destroys any value that noticing the header might have as a signal. Granted the signal strength was probably pretty low already, as other commenters have pointed out, but blog posts like this must decrease it even further.
[+] executesorder66|5 years ago|reply
No, because all these headers just lead to the stock standard hiring page. It literally has no effect.

I first noticed these kinds of "hidden" hiring messages almost 10 years ago. I thought it was cool for like 20 seconds until I realised that it is no different than just applying normally on their normal hiring page.

So the fact that more people find out about this is like people discovering that a hiring page exists on companies' websites. Which they already knew.

What I'm actually annoyed by is that companies are still doing this stupid thing.

[+] naniwaduni|5 years ago|reply
The audience for blog posts like these is probably pretty similar anyway.
[+] codingdave|5 years ago|reply
Low signal strength for sure - all it says is "I know how to open Dev Tools." Rather than worry about trying to retain some value, I look at these posts as an educational opportunity. They can encourage people who don't know how the web works to dig deeper, learn more.
[+] WilliamEdward|5 years ago|reply
It didn't have any value to begin with, honestly. Websites have the exact same message in their code simply by inspecting source or opening a console, and that certainly doesn't show you have any sort of skill or curiosity.

It's not like the sites are offering you a job, they're saying you should interview with them. I have not heard of anyone getting hired because of this.

[+] justin66|5 years ago|reply
> Is anyone else annoyed this is being publicized?

I don't know about annoyed, but I wouldn't want to talk about any movies I haven't seen with the author, or involve them in planning a surprise party.

[+] austincheney|5 years ago|reply
I remember several years ago when I still had a Reddit account I found internship opportunity advertisements in web socket payloads. I asked about that on the reddit channel on Freenode, I think, and was politely told to not mention it on r/JavaScript.
[+] im3w1l|5 years ago|reply
A long time ago my friend was one of the first to adopt ipv6. Some company had a special page for him saying he was the first to connect over ipv6 and instructions for claiming his prize. Called them up, and they had no idea they had that page, they had to check and "oh huh we really do have that page". Had had it up for so long that it had slipped from institutional memory.
[+] galaxyLogic|5 years ago|reply
I had a similar idea for financing Open Source software projects. The contributing sponsors would get their URL and ad text into a comment at the top of the source-code. The bigger your sponsorship the higher up in the list your company will be.

The ads would of course be targeted at hackers, such as come work for us, since only hackers read source-code. So it would be a very targeted ad (like the http-header thing).

I don't know if this has been tried out in practice but why not, if even HTTP-headers are used for a similar purpose?

[+] mholt|5 years ago|reply
Don't do it.

People will hate you for it... and never, ever let you live it down. :-/

[+] fullstackchris|5 years ago|reply
> only hackers read source-code

Maybe I'm behind the times, but is 'hacker' now colloquial to mean 'anyone who codes'? Plenty of normal software engineers / devs, who are by no means 'hackers' (myself included) read the source code.

[+] AegirLeet|5 years ago|reply
I like adding "Server: Windows 95", "X-Powered-By: PHP 2.0" or something like that. You know, just to mess with people. Make them wonder what the fuck they just stumbled upon.
[+] ruffrey|5 years ago|reply
Most systems I work on, I find a way to put a fun X-header into the server. Favorite so far was: `X-MrSkeltal: thank`
[+] tyingq|5 years ago|reply
I noticed a16z.com has this header:

    x-hacker: If you're reading this, you should visit wpvip.com/careers and apply to join the fun, mention this header.

So Wordpress is advertising via end users of its software.

Edit: Ahh, as mentioned in the article...

[+] praptak|5 years ago|reply
I saw a job ad in the output on the JavaScript console. Very good targeting - someone poking around the JS for the site is likely to be a good fit for the frontend dev role for that site.

Well, maybe not super likely in absolute terms but still infinitely more likely than a random person reading a dev job board.

[+] esjr|5 years ago|reply
So no one has heard of RFC6648 ? https://tools.ietf.org/html/rfc6648
[+] wlll|5 years ago|reply
> "…in practice the benefits [of the "X-" convention] have been outweighed by the costs associated with the leakage of unstandardized parameters into the standards space."

Honestly, prefixing silly, fun or extra headers with X- like in this scenario seems pretty harmless.

[+] pfranz|5 years ago|reply
Slashdot.org used to have a random Futurama quote and Reddit.com used to contain '; DROP TABLE servertypes; --
[+] kumarm|5 years ago|reply
>>That specific header seems to be a "default" one if you host your site on WordPress VIP, the enterprise WordPress hosting solution managed by Automattic.

Now that's terabytes of data moving around :)

[+] wenbin|5 years ago|reply
It's very common to find recruiting messages in browser dev console, for Chinese companies, e.g.,

- https://www.baidu.com/

- https://www.zhihu.com/

- https://www.douban.com/

- https://www.jd.com/

...

[+] kevindeasis|5 years ago|reply
I see this in a lot of websites I visit. I usually inspect them just out of curiosity.

Some of them get pretty clever, like a hidden element that says something funny.

The funniest thing I saw is I was looking at an API from a top-tier tech company and the person who wrote the software had a message in it containing words of frustration. Like swear words.

But the weirdest thing I usually see is how the flagship of some top tech company can't make their website responsive when all you have to do is change a few lines of code.

Or when they upgrade their UI/UX and they just broke a lot of features.