Reminds me of when I solved one of the CTF challenges for a website only for my reward to be "We're hiring! Apply at jobs.example.com!"
Real "be sure to drink your Ovaltine" moment.
I first saw that movie only a couple years ago and quickly realized how many pop culture references come from it. It does such a good job of capturing a period of time in North America. Even before I saw the movie, eating out at a Chinese restaurant was a thing for me and my family. I had no idea it may have been related! Also... one day I'll own that lamp.
> For some non-American releases, references to Taco Bell were changed to Pizza Hut. This includes dubbing, plus changing the logos during post-production. Taco Bell remains in the closing credits. In the Swedish release the subtitles still use Taco Bell while the sound and picture has been altered as above. The original version released in Australia (on VHS) contained Taco Bell, yet the newer version on DVD was changed both in logo and dubbing to Pizza Hut (in the scene where the restaurant patrons are looking through the glass windows to the fight scene outside, Taco Bell can be seen etched into the glass, even in the modified version).
That reminds me of MI5’s Coding Challenge.
The string was just the URL of their recruitment portal. I was so disappointed, once I got it running I was hoping to hear helicopters or a knock on the door!
They probably need a lot of people with some tech knowledge. This way they can probably gain the widest audience that is still useful.
If it's too hard to crack, it's unlikely your investment of time in this recruitment measure will actually yield results.
When in a job interview, it should be very easy to find out whether the person found the solution online or he "cheated"; simply ask some detailed questions about how the person came up with this and that part of the approach.
The mug is round. The jar is round.
They should call it Roundtine.
'Ovaltine was developed in Bern, Switzerland, where it is known by its original name, Ovomaltine (from ovum, Latin for "egg", and malt, which were originally its key ingredients).' 
In Switzerland, Ovomaltine is among the products with highest brand recognition ever and has a cult status because of their advertisement in the 80s and 90s.
Never knew it was a thing outside of Switzerland
However, maybe I'm remembering wrong, but a few years ago I was reading an article about it and someone showed a search term that brought it up for them and I tried that term and got it. Don't remember what the search term was, but I think it was something related to one of the popular leetcode-esque algorithms I've never had to do in my hobbyist or professional work.
But they also took a more targeted approach: If you appeared to be a frequent user of the Dev release channel of Chrome (unstable), an offer would appear on the New Tab page to immediately claim a prototype Chromebook for free.
I only know this because that’s how I got mine. A coworker of mine was interested in developing a ChromeOS app, tried switching to the Chrome Dev channel like me, and received a similar offer in a few days.
It was great targeting. We both ended up making ChromeOS-specific improvements to a popular web app. When you compare this to the cost of paying a company to port their app to your platform, this was a good deal for them.
I'm even still in the Google Group for the testers, but nowadays it's mostly people talking about how the hinges broke on theirs.
The thing is: the message neither changes the recruiting process nor company values, so it does not matter if you come from X-Header or company/careers. This cryptic message thing will only get you "oh cool" reply from recruiters. If you are a good engineer you'll be hired no matter of these messages, if you don't fit the company because of who knows why - you'll not get there anyway.
Engineers, thank you for giving me a bit of hope or fun ¯\(°_o)/¯
That's a bit idealistic. When one job has 100 applicants, the unfortunate reality is not all 100 resumes will get read. If you've already got a couple years to a decade of experience under your belt, your resume will naturally surface to the top of the pile, but if you're just starting out, it can be impossible.
Recruiters may only say "oh cool" to you, but, especially if your resume shows zero years of professional experience, there's a tiny bit more effort that goes on behind the scenes. You're right that you still go through the exact same flow, but it's a (tiny) shibboleth that helps show that the candidate fits the mold.
If you get asked a coding problem in an interview and don't go so well, it doesn't matter if you would have had a strong answer for the 10 alternative interview problems that weren't asked.
x-Bender: Bite my shiny metal ass
Server: '; DROP TABLE servertypes; --
There was a whole thread on reddit about it a decade ago when someone first discovered the drop table header: https://www.reddit.com/r/programming/comments/c0m9v/reddits_...
You can also find tributes to people such as Terry Pratchett:
"Get our wordpress account executive on the phone!" - yeah, don't have one, we pay 9.99 a month for a blog, they also don't have a phone number
"Open up a SEV1 support ticket" - yeah, it says their support team is on vacation this week
After about 90 minutes of hand-wringing on the conference call, I guess enough of them googled the message to figure out it was a recruiting pitch. I got confirmation from the community support forum a week later that we were indeed not hacked.
I first noticed these kinds of "hidden" hiring messages almost 10 years ago. I thought it was cool for like 20 seconds until I realised that it is no different than just applying normally on their normal hiring page.
So the fact that more people find out about this is like people discovering that a hiring page exists on companies' websites. Which they already knew.
What I'm actually annoyed by is that companies are still doing this stupid thing.
It's not like the sites are offering you a job, they're saying you should interview with them. I have not heard of anyone getting hired because of this.
I don't know about annoyed, but I wouldn't want to talk about any movies I haven't seen with the author, or involve them in planning a surprise party.
The ads would of course be targeted at hackers, such as come work for us, since only hackers read source-code. So it would be a very targeted ad (like the http-header thing).
I don't know if this has been tried out in practice but why not, if even HTTP-headers are used for a similar purpose?
People will hate you for it... and never, ever let you live it down. :-/
I think if there was a magic button to remove any and all advertising from the internet, most people would press it, consequences be damned. You really need to think hard before hitching your cart to that horse.
Credits pages in software, accessible from the main UI, used to be very common, and having names there -- or embedded in source code -- doesn't violate a user expectation.
Server software sending 'Server:' headers also doesn't violate user expectation, though some people prefer to turn these off.
Custom headers that cannot be turned off have a higher likelihood of violating user expectation.
To the OP: in open source projects, some users will attempt to remove undesired behavior, within the rights afforded by the license, but these exercises of copyright can interact adversely with trademarks and other brand protections, and with the surrounding (human) infrastructure and information-space around a project (e.g. names, URLs, references to services, secrets).
Your attempts to reconcile such a situation are nontrivial, and both inaction and action have a high likelihood of resulting in bad press (e.g. user confusion about fork, or heavy-handed enforcement). The harm will persist long after the original situation has been resolved or mitigated.
Surely. But a link in a comment to a supporter who helped finance the project is not really "behavior" is it? It is not part of the program that executes.
So it is not "undesired behavior" since it is not behavior at all.
But is it "undesired" in other ways?
If you put in a copyright notice into the source code, that is a kind of advertising for whoever's name is in it. Often comments contain links to the website of whoever maintains the source-code. Is that undesired? If not then what would be so undesirable about putting in a link to the website of whoever supported the project financially.
And if they paid for that, they would be supporting the project financially. And in the end isn't that what we want, financial support for Open Source projects?
The only question would be whether it should be used only for non-transferable "moral" authorship or transferable as the author chooses.
maybe I'm behind the times, but is 'hacker' now colloquial to mean 'anyone who codes'? Plenty of normal software engineers / devs, who are by no means 'hackers' (myself included) read the source code.
I agree that definition of "hacker" is somewhat vague but mostly people understand it the same way depending on context.
I assume the reason dedicated programmers are called hackers is that earlier the word "hack" referred to writers.
What the hack, there's even a pub called "Old Hack"
x-hacker: If you're reading this, you should visit wpvip.com/careers and apply to join the fun, mention this header.
So Wordpress is advertising via end users of its software.
Edit: Ahh, as mentioned in the article...
Well, maybe not super likely in absolute terms but still infinitely more likely than a random person reading a dev job board.
Honestly, prefixing silly, fun or extra headers with X- like in this scenario seems pretty harmless.
Now that's terabytes of data moving around :)
Some of them get pretty clever, like a hidden element that says something funny
The funniest thing I saw, is I was looking at an API from a top-tier tech company and the person who wrote the software had a message in it containing words of frustration. Like swear words.
But, the weirdest thing I usually see is how the flagship of some top tech company can't make their website responsive when all you have to do is change a few lines of code.
Or when they upgrade their UI/UX and they just broke a lot of features.
_____ _ _ _____ _______ ____
/ ____| | | |/ ____|__ __/ __ \
| | __| | | | (___ | | | | | |
| | |_ | | | |\___ \ | | | | | |
| |__| | |__| |____) | | | | |__| |
\_____|\____/|_____/ |_| \____/
Hello from Gusto! Curious about how we work?
"Peek" through the "window" to find out.
Anyway, not fully caffeinated yet so I just scroll randomly (a standard `window` is enormous as it is, so there are surely needles in this haystack but I'm not getting methodical just yet).
I'm gonna stop right here because I don't really want to learn more, and I'll just continue my personal preference of never visiting Gusto unless my employer requires me to.
X-Clacks-Overhead "GNU Terry Pratchett"
NYTimes.com: All the code that's fit to printf()
We're hiring: https://nytimes.wd5.myworkdayjobs.com/Tech
If you're sniffing around this file, and you're not a robot, we're looking to meet curious folks such as yourself.
Think you have what it takes to join the best white-hat SEO growth hackers on the planet?
Run - don't crawl - to apply to join TripAdvisor's elite SEO team
Or visit https://careers.tripadvisor.com/search-results?keywords=seo
Before asking to curl it, maybe fixing those errors will leave a better sense of polishness
HTTP Headers are user-input for the recipient. I delivered a few security-related talks where my website sends XSS payloads in its HTTP headers. There are many "HTTP Headers checker" websites that fail to sanitize HTTP headers, and they make a good punchline for the talk about sanitizing user-input.
The same goes for DNS records too.
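
Added example, not part of the thread and not code from any site mentioned in it: a sketch of how a "header checker" page can treat response headers as untrusted input by HTML-escaping names and values before rendering them. The function names, the `flagged` class and the `X-Demo` header are assumptions made for illustration; the `X-hack` line is the one from the curl output on this page.

```javascript
// Response headers come from the remote server, so a tool that displays them
// must escape them like any other untrusted input.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Parse a raw header block (as printed by `curl -D -`) into [name, value] pairs.
function parseHeaderBlock(raw) {
  const pairs = [];
  for (const line of raw.split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx <= 0) continue; // status line and blank lines carry no "name:"
    pairs.push([line.slice(0, idx).trim(), line.slice(idx + 1).trim()]);
  }
  return pairs;
}

// Render the headers as an HTML table. Every cell is escaped, and rows whose
// raw content contains angle brackets get a class so a reviewer can spot them.
function renderHeaderTable(raw) {
  const rows = parseHeaderBlock(raw).map(([name, value]) => {
    const cls = /[<>]/.test(name + value) ? ' class="flagged"' : '';
    return `<tr${cls}><td>${escapeHtml(name)}</td><td>${escapeHtml(value)}</td></tr>`;
  });
  return `<table>\n${rows.join('\n')}\n</table>`;
}

// Constructed sample response; X-Demo is a made-up header carrying markup.
const SAMPLE = [
  'HTTP/1.1 200 OK',
  'Strict-Transport-Security: max-age=31536000; includeSubDomains',
  'X-hack: Like HTTP headers? Check this blog post https://frenxi.com/http-headers-you-dont-expect/',
  'X-Demo: <script>alert(1)</script>',
].join('\r\n');

console.log(renderHeaderTable(SAMPLE));
```

The same escaping applies to any other remotely controlled string the tool displays, such as DNS TXT record contents.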
For example, I was setting up a sieve-based filter for Groupon emails and there was this x-recruiting header.
That was nice.
Seems slightly less effective nowadays what with the standard browser tools available, ctrl + shift + K
Not that using telnet, curl or some such was much of a higher barrier, just you had to go out of your way to use them.
They don't have any at the moment but it was always fun to solve.
$ curl -s -o /dev/null -D - https://frenxi.com/http-headers-you-dont-expect/
HTTP/1.1 200 OK
Last-Modified: Fri, 15 May 2020 01:35:43 GMT
Via: 1.1 ddaf46a95abcfc80e8eae76235e2127c.cloudfront.net (CloudFront), 1.1 37d64bca4c93552139fb3a85c9c4a119.cloudfront.net (CloudFront)
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-XSS-Protection: 1; mode=block
X-hack: Like HTTP headers? Check this blog post https://frenxi.com/http-headers-you-dont-expect/
Date: Fri, 15 May 2020 04:48:24 GMT
Cache-Control: public, must-revalidate, max-age=0
X-Cache: RefreshHit from cloudfront
curl -I https://frenxi.com/http-headers-you-dont-expect/
curl -IXGET https://frenxi.com/http-headers-you-dont-expect/
curl -D- https://example.com/