Monica

Some updates on Glassdoor's privacy violations:

Use https://help.glassdoor.com/s/privacyrequest?language=en_US to request deletion of your data. Deactivating your account doesn't delete data. This might not either (no way to verify), but it's the strongest request you can make.

Media coverage: Ars Technica: Users ditch Glassdoor, stunned by site adding real names without consent, Wired: Glassdoor wants to know your real name. The Ars story is more detailed.

It seems that Glassdoor updated its terms of use on February 17, 2024. I did not receive email notification (my last TOS update from them was December 2022). Some salient bits from the current version:

We may update your Profile with information we obtain from third parties. We may also use personal data you provide to us via your resume(s) or our other services. You can read more about how we collect and process your data in our Privacy Policy.

I never provided a resume. I never typed my name into their site, nor did I use a social-media or Google identity. I created the account with an email address (~10 years ago). That part about "obtain from third parties" means they can try to match you up with LinkedIn, use your email headers if you should ever send them email, try to reconcile your account with Indeed if you're there (the same company owns both Glassdoor and Indeed), and whatever else they come up with.

Also, sometimes the information they add is incorrect. From Ars Technica:

As Monica's blog spread widely online, another Glassdoor user, Josh Simmons, commented to confirm that Glassdoor had "already auto-populated details" on his account, too. But instead of correcting Simmons' information, Glassdoor seemed to be adding mistakes to his profile.

Simmons, who requested to use his real name and share his employer information, is a managing director of Matrix.org Foundation. He discovered that Glassdoor had not only messed up his employer's name but also claimed that he was based in London, while he is actually located in California.

"It was bizarre, because I had never provided that information, and it was a somewhat incoherent mix of details," Simmons told Ars.

Back to the terms of use:

We may attempt to verify your employment history or status through various methods, including third party integrations or services. We may also utilize signals we receive from your current or former employer. Glassdoor is not responsible to you or any third party if we are unable to or inaccurately verify your employment history or status.

I don't know what "we may utilize signals we receive from your employer" means, but it sure sounds like "we might ask your employer if you work there", because your employer knowing you've posted Glassdoor reviews to prompt that question would be a "you" problem, not a "Glassdoor" problem.

(This information is repeated in the privacy policy.)

In order to provide you with access to features across our services, we may create and link different services’ accounts for you.

This is the part about them automatically creating a Fishbowl (social media) account on your behalf, without you explicitly doing anything and apparently without direct notification.

A portion of your Profile on our community and conversation services (e.g., Fishbowl and community and conversation features across our services) is always public. Therefore, your profile picture, company name, title, and other general information (but not including your semi-/anonymous Content submissions) will be visible to the public and available via search.. Content submitted with semi-/anonymous identifiers such as your company name or job title is not associated with the publicly-visible portion of your Profile.

So they added my name to my Glassdoor profile without consent, then propagated that to Fishbowl, and the Fishbowl profile was public?!

Glassdoor responded to Ars:

"We vigorously defend our users’ right to anonymous free speech and will appear in court to oppose and defeat requests for user information," Glassdoor's spokesperson said. "In fact, courts have almost always ruled in favor of Glassdoor and its users when we’ve fought to protect their anonymity. With the addition of Fishbowl’s community features to Glassdoor, our commitment to user privacy remains ironclad, and we will continue to defend our users from employers who seek to unmask their identity."

They "vigorously defend" privacy, yet they collect and store information that violates privacy. Also, note that what they're saying is that they'll defend outside requests for data ("almost" always successfully), but they say nothing about their own proactive use of that data -- like selling it to employers.

That data-deletion link once again: https://help.glassdoor.com/s/privacyrequest?language=en_US.

I've been using pobox.com since (checks...) 1996, when I needed to change email addresses and wanted to avert the hassle of getting updates pushed out the next time I had to do that. Pobox does two things: it gives me an email address that I can redirect wherever I want, and it gives me URL forwarding: a Pobox account comes with the ability to redirect http://www.pobox.com/~your-name to wherever you want.

I got email from Pobox today announcing that URL redirection will be discontinued in a couple months:

[...] Pobox alias URLs once served the same purpose as Pobox email aliases: you could get one URL and have it follow you as your web page moved. Over time, though, personal domains have taken over this use case, and Pobox’s URL redirection service is almost entirely unused. Upcoming changes to our web interface make this feature much harder to continue offering, and we have decided to retire it.

Your account’s URL is one of the few that has seen traffic in the last six months. Maybe that’s a fluke, and you’ve stopped using this URL, and it redirects to some long-abandoned page you owned in the 1990s. On the other hand, you might still be using this URL. If that’s the case, you should begin updating links to your Pobox URL and instead link directly to the target resource, or some other redirection service. [...]

As it happens, I am using that URL, and updating links kind of depends on knowing where the links are. (I mean, updating my own links is easy, but that's not why one uses redirection.) I use the domain I acquired in 2017 for all new stuff, and I've been migrating old stuff intermittently. But I didn't finish and cut over, because there are links to my old SCA stuff (in particular) all over the place out there, and I couldn't figure out how to cleanly make all the URLs work -- Pobox gives me one top-level redirect, but if I can't exactly preserve the structure under that, I'm into the realm of individual redirects and that's a big hassle.

Well ok, then -- Pobox is forcing my hand (and I don't really blame them if usage is that low), so I'll just rip that band-aid off and not worry about making the soon-to-be-dead URLs work on the new site. I also hit the Wayback Machine and archive.today with some pages I know are linked, and I asked Pobox if they could give me referrer logs so I can see if there's anyone I ought to notify. Beyond that, I'll just have to assume that search engines will eventually index the new locations and anyone who really cares will search.

Tonight I migrated my SCA pages, which are mainly the page (and many pictures) for the Pennsic house, since Greg Lindahl is already hosting most of my music (and Joy & Jealousy). I also had a bunch of stuff related to the Board crisis of 1994; rather than port all the individual pages, I archived it online and then dropped a ZIP file on my site. It was 30 years ago; I suspect very few people are interested, and those who are won't mind downloading the bundle.

My Pobox account next renews in 2029. I have email through my domain but, again, a lot of people use my Pobox address and updates are hard. But perhaps in the next five years I should attempt to put that change in place, because who knows if email forwarding will go the way of URL redirection by then?

My mother is not computer-savvy, and when she's ready I'll help her sort out my father's computer stuff and (I hope) break into his account so we can sort out whatever household stuff he was managing online (like bill payments). She has "an old password" written down; here's hoping that helps.

She mentioned, in passing, that she'll contact their cell carrier to drop his line -- no sense continuing to pay for a second phone, after all.

Do I need to prevent her from doing that until we determine whether he was using 2FA for anything? I haven't figured out the right search queries that will cut through what you should do in advance lest you lose your phone. Like, I don't know where or if he was using 2FA, so I can't just go in and set alternate recovery addresses or something. The point is to be able to get into those accounts later, when my mom is ready. Does she need to keep paying for cell service so that phone number will be able to receive texts, or is there some other way to handle that? Should I go with her when she visits the cell provider (yes she was going to go to a store and do that in person)?

Anybody among my readers navigated this before?

Huh, this is interesting. There are many top-level domains these days; we're way past the days when the world consisted of .com, .edu, .org, and .gov. I hadn't realized that one of those TLDs is .zip.

Yeah, really. That seems like asking for trouble. People sometimes do legitimately download ZIP files from sites they trust, like GitHub. But maybe you're not really talking to GitHub...

This post does a good job of explaining how a stray @ in a URL might ruin your whole day:

Can you quickly tell which of the URLs below is legitimate and which one is a malicious phish that drops evil.exe?

https://github.com∕kubernetes∕kubernetes∕archive∕refs∕tags∕@v1271.zip

https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip

[...] As you can see in the breakdown of a URL below, everything between the scheme https:// and the @ operator is treated as user info, and everything after the @ operator is immediately treated as a hostname. However modern browsers such as Chrome, Safari, and Edge don’t want users authenticating to websites accidentally with a single click, so they will ignore all the data in the user info section, and simply direct the user to the hostname portion of the URL.

For example, the URL https://google.com@bing.com, will actually take the user to bing.com.

I didn't know that part about user info. Combined with Unicode fakes of characters you expect in URLs, this can send you somewhere very different from where you thought you were going.

We all know not to trust links or attachments from unverified sources (right?). But stealth URLs add extra risk; you might eyeball the URL in that email and decide "yeah, I trust GitHub/Dreamwidth/Google/whatever". Be careful out there.

Edit: also .mov. This post does a good job of demonstrating how this can be exploited and catch even people who are careful (thanks gingicat).

I might just edit my hosts file to wholesale block these domains.

The replacement phone arrived Wednesday (faster than they said, good). I'd already done a manual backup on top of the automatic one, but migration from one phone to another of the exact same type and OS version is easier: connect them via a cable and wait. Basic data transfer happened within an hour, though it took a few hours for apps to get installed and Chrome was being especially finicky for some reason.

My settings were almost all there; I expected to have to do more manual configuration (including re-laying out the icons where I wanted them). Nope, that was all fine. I had to set up each individual app again, though; sometimes that was just a matter of logging in (for example, Tusky or Authy), but sometimes it required redoing everything (email client for my non-Gmail accounts). Chrome had a weird bug where tabs didn't work (!) but the update ("new version available", it kept saying) would hang; after a few reboots it sorted itself out.

There was a feeling of trepidation as I kept asking myself "are you sure you have everything you need?" before doing the factory reset on the old phone, but I finally did that today. It started doing the flashing-display thing during the reset, so I just left it for a while. The documentation says a factory reset can take an hour, so after a couple hours I power-cycled to see where it was.

I was greeted by the "new phone" setup screen, so that worked.

And then it started flashing again. Ha.

Yes, support person, I was right: that's a hardware problem. After another power-cycle (so I could see what I was doing) I shut it down and boxed it up, and tomorrow I will take it to FedEx.

The replacement they sent me was marked as "refurbished", but they are holding the price of a new phone against my credit card, which feels wrong. It's only a problem if the package doesn't arrive in time (which is why I will hand it to a human at FedEx and get a proper receipt), but it's still sleazy. And yes, if they were to charge the card they would add shipping charges, so it's not to offset that.

I've never had to make a warranty claim on a phone before, so I don't know how my experience with Google compares to what I would have had with other vendors. It's something I should try to find out before I buy my next phone, which I hope will be several years from now.

The Supreme Court will soon hear a case that -- according to most articles I've read -- could upend "Section 230", the law that protects Internet platforms from consequences of user-contributed content. For example, if you post something on Facebook and there's some legal problem with you, that falls on you, as the author, and not on Facebook, who merely hosted it. This law was written in the days of CompuServe and AOL, when message boards and the like were the dominant Internet discourse. While there's a significant difference between these platforms and the phone company -- that is, platforms can alter or delete content -- this still feels like basically the "common carrier" argument. This makes sense to me: you're responsible for your words; the place you happened to post it in public isn't.

osewalrus has written a lot about Section 230 over the years -- he explains this stuff better and way more authoritatively than I do. (Errors are mine, credit is his, opinions are mine.)

When platforms moderate content things get more complicated, and I'm seeing a lot of framing of the current case that's rooted in this difference. From what I understand, that aspect is irrelevant, and unless the Supreme Court is going to be an activist court that legislates, hosting user-contributed content shouldn't be in danger. But we live in the highly-polarized US of 2023 with politically-motivated judges, so this isn't at all a safe bet.

The reason none of that should matter is that the case the court is hearing, Gonzales vs. Google, isn't about content per se. It's about the recommendation algorithm, Google's choice to promote objectionable content. This is not passive hosting. That should matter.

The key part of Section 230 says:

No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider. (47 U.S.C. § 230(c)(1)).

The court can rule against Google without affecting this clause at all. The decision shouldn't be about whether Google is the "publisher" or "speaker". Rather, in this case Google is the advertiser, and Section 230 doesn't appear to cover promotion at all.

I'm not a lawyer, and I'm not especially knowledgeable about Section 230. I'm a regular person on the Internet with concerns about the proper placement of accountability. Google, Twitter, Facebook, and others choose to promote user-contributed content, while platforms like Dreamwidth, Mastodon, and many forums merely present content in the order in which it arrives. That should matter. Will it? No idea.

Moderation is orthogonal. Platform owners should be able to remove content they do not want to host, just like the owner of a physical bulletin board can. In a just world, they would share culpability only if objectionable content was brought to their attention and they did not act. At that point they've said it's ok, as opposed to saying nothing at all because nobody can read everything on a platform of even moderate size. This is how I understand the "safe harbor" provision of the Digital Millennium Copyright Act to work, and the same principle should apply. In a just world, as I said, which isn't the world we live in. (I, or rather my job title, am a registered agent for DMCA claims, and I have to respond to claims I receive.)

I really hope that the court, even a US court in 2023, focuses on the key points and doesn't use this case to muck with things not related to the case at hand.

I needed a new thumb drive, so I figured I'd just get one from Amazon along with some other stuff I needed. I found a reasonable-looking candidate but looked at the reviews, the first few of which were bad. How can a thumb drive be bad? The first review said it was unreliable (not described further); the second said it came with malware. I looked at a couple other options, and -- same sort of complaints.

Hmm, I said. These are all third-party sellers (different ones, in the few product pages I looked at). Amazon isn't vetting them and never gets its own hands on the products. They're just an aggregator. I would buy a thumb drive from Amazon, but their credibility does not extend to other sellers they happen to host -- I shouldn't trust a thumb drive being sold by "Joe's Anonymous Store" any more than I should trust one I find lying around waiting to spread the malware within. Even if Amazon eventually boots sellers with lots of complaints, that doesn't help me, now.

I had an errand to run today anyway and figured I'd pick one up in person at Best Buy. That's how I found out my local Best Buy isn't there any more. Oops.

I've bought electronics online from NewEgg before and that's always been fine, so I headed there next -- where I saw that the products I was looking at were listed as third-party sellers. I didn't know NewEgg did third-party sellers. I wouldn't have thought to look if not for those Amazon reviews.

I finally ordered from Best Buy online; I figure it's probably really them, and if there's a problem I can, if necessary, go to a (less-local) brick-and-mortar store to deal with it.

I have a problem with my (older) Android phone and am not sure how to debug it.

Four times in the last six months, I have used the navigation in Google Maps while in a car (audio, not looking at the screen). Every time the trip has ended the same way: the app informs me that I have reached my destination, I reach for the phone to exit, and the phone crashes. On restarting, it tells me I have 1% battery and crashes again. (Phone was not low at the start of the trip.) Now here's the interesting part: when I plug it in to charge, it reports something in the range of 30-40%. So, something is confusing the phone about its battery state, because no way does my phone charge that quickly (especially on a car charger).

Here's tonight's case: I was at something over 60% when I turned on nav for a 15-minute trip. Crashed on arrival, plugged in (in the car) and turned on, it said 32%, I unplugged, and it crashed again (back to 1%). I left it off while I completed my errand, but plugged it in to charge on the drive home. At home, it was 40% and, this time, did not crash when I unplugged it from the charger.

To determine whether the problem is specific to Google Maps, I installed another navigation app (Waze). When the installation finished I opened the app...and the phone crashed. When I connected it to the charger, it said it was at 31%. I let it charge for a bit (I turned it on while it was connected to the charger), and disconnected it around 50% with no issues.

Here's all that in pictorial form:

Also, the power manager reports no fast-drain apps. iDrive, a backup app, was a fast-drain app and is the singular entry in the history, but I've nerfed it and it hasn't popped up recently. Could its mere presence be a problem?

Now, I'm pretty sure the battery isn't actually being drained to practically nothing, because it wouldn't bounce back that quickly. And apparently it's not just Google Maps or GPS, because Waze didn't even finish opening before that crash. But something, either Android or something in hardware or firmware, sure thinks there's a problem that calls for shutting down.

How do I find it?

I have not had crashes with other apps -- though I also don't stream videos or play games on my phone, so I'm not taxing it. I have noticed the pattern of "steps" you can see in the picture here -- battery will drop noticably, then stay level for a while, then do it again. I don't know what's causing that or if it's related.

The phone is old -- ZTE Axon 7, bought in 2017, running Android 7.1.1 and apparently not eligibile for newer -- but it otherwise works, has the (rare) aspect ratio I crave, and already has all my stuff on it. I'd like to keep using it for a while (and let the 5G world sort itself out in the meantime).

We all got through the anticlimactic Y2K bug 22 years ago, and the next digital calendar crisis isn't expected until 2038 (Unix epoch), but... apparently Microsoft Exchange has a Y2k22 bug, which prevents email from being delivered until sysadmins apply a manual fix. Just what they wanted to hear on a holiday weekend.

Apparently Exchange is using a funny string representation of dates and then trying to convert that string to a numeric format, and with the bump in year it now doesn't fit into a long. Really, I'm not making this up. Why they don't use standard date formatting, I don't know. I don't know much about how Exchange is put together.

This linked Reddit post, which has had several updates, includes this:

Interestingly, this fix includes a change to the format of the problematic update version number; the version number now starts with “21” again, to stay within the limits of the ‘long’ data type, for example: “2112330001”. So, Happy December 33, 2021!

Last week I was at corporate HQ, where the rest of my group is, for a few days. Everything about the trip in on Monday was a model of efficiency -- the plane got in early, getting off the plane was faster than usual, Uber came right away, traffic was light -- so I got to the office about half an hour earlier than any of us expected me to.

Given that, I was a little surprised to be greeted with "oh thank heavens you're here!".

The previous weekend there'd been a catastrophic power failure and many of our servers came tumbling down. (I didn't hear the gory details. We have what I understand to be the usual precautions, and yet...) The small team responsible for that infrastructure was understandably frazzled. My teammates were happy to see me because the (internal) documentation servers are not managed by that team but by us. But their main custodian, G, was on vacation, and another person who knows relevant stuff, J, was on vacation, and that left me. I know some of the systems well but not others -- which put me ahead of anybody not on vacation. Okay.

Our doc infrastructure team has two newer members, an experienced writer who joined the company last fall and a recent grad who joined the company last month and the infrastructure team a couple weeks ago. The former has been focusing on git as my backup, and the latter is solidly in learning mode.

So first we did the usual dance of "this is not the right dock for my laptop / these are not the right monitor cables / why TF can't Windows see both of these monitors? / network, we have network right?". Once I could actually use my laptop, I settled down to investigate -- with the two newer team members watching everything I did and taking notes. It was kind of like pair programming, I think.

I think one of the most important technical skills one should have is debugging or diagnostic skills, so this is what I set out to teach my coworkers -- not explicitly, but by narrating the whys of what I was doing, I realized that this is what I was doing. There was plenty of backtracking, but they learned why I did the things I did even if they didn't turn out to be the right things. Like when I used ssh to connect to the server, got wonky display stuff, and realized I was talking to a Windows machine -- oops! And, err, our Windows server has sshd running on it? Today I learned. (Switched to remote desktop after that.)

The web server isn't responding -- well, is it running? The process list shows httpd; ok, where on this machine is the web server running? On Linux you can easily get the path for a process; on Windows I saw no way to do it, so off to Google and the right search terms, which took me to an answer on Stack Overflow (naturally), so that got me to the right directory and thus the server logs. At one point somebody said I must know a lot about web servers, but actually I don't -- not modern ones, anyway. But I know how to look for stuff, including response codes in the server logs. (Which told us that the server thought it was serving content just fine, even though the browser was getting errors -- even a local browser.)

There was a lot of this sort of digging. The web server was particularly mysterious because, it turned out, it was serving some content just fine but not most of it, and a chunk of our investigation revolved around unsuccessfully trying to find differences among those cases. We noted and otherwise ignored, for now, that builds were running slowly -- running is better than not running and, well, priorities. Eventually we split up and my teammates did some exploration and experiments on their own, coming to me with questions when needed. They had good instincts, yay.

We were not able to solve the problem with the web server that day. We were able to characterize some of it, but we bumped into the wall of specific missing knowledge. I wrote up what we knew and where we were blocked for the infrastructure list, and we decided that we could live with internal builds being down for a few days, we were not going to bother G on vacation, and we've identified some areas where we need to improve our internal documentation. (We do have internal documentation and we were consulting it. But there are some gaps, we learned. That happens.)

We had a team outing planned for Wednesday that G was going to be able to join us for, and everybody agreed not to say anything about this to him because we didn't want to ruin his vacation. But Tuesday night he checked email to confirm plans for the outing, saw the email thread on the infrastructure list, and fixed it.

He'll be back tomorrow and then I can ask him WTF is nginx. (I mean ok, I googled, but I have no real idea how it fits into anything on this server.)

My (Android) phone alerts me when traffic is bad near me. This can be handy at the end of the day because I work downtown. Except... it's telling me about traffic on roads I don't use to get home. Sure, there's spillover so it's not unhelpful, but it'd be great if I could tell it -- maybe by gesturing on a map -- what paths I care about, so it could tell me about those ones.

Does anybody reading this know of an app that does that, or a way to get Google Maps to do it? It needs to be fire and forget; I don't want to have to open the map app to look for red lines on it.

It feels like all the information is already there, if only my phone were making use of it.

(This would also let me know before I leave in the morning if traffic is still bad at the other end. At that time I don't really need extra information about traffic near my house; I need it 3-5 miles away.)

I once heard a quip that went something like this:

"I used vi for a couple years."
"Yeah, I couldn't figure out how to exit, either."

I admit that the first time I was unwittingly thrown into the vi editor (predecessor to vim), I had to kill the process from another terminal (yes, terminal). So I was amused to see this blog post today: Stack Overflow: Helping One Million Developers Exit Vim.

In the last year, How to exit the Vim editor has made up about .005% of question traffic: that is, one out of every 20,000 visits to Stack Overflow questions. That means during peak traffic hours on weekdays, there are about 80 people per hour that need help getting out of Vim.

The point of the post isn't actually to bash vim, though it humorously acknowledges the widespread problem (and c'mon, you have to do it a little). Mostly they analyze data about who is presumably getting stuck in vim, complete with charts and stuff. Enjoy.