Keep on keepin’ on

This is a (very) sad followup to No No Honey, That’s a fon-don’t.

That post was written on the 16th of July. To date, a tech evidently did come out to my house to do something about the door on the TNI box on my house. Here is what they did:

This is not a proper repair

Yep. That’s it, they tie-strapped it. Now, had I gotten a call saying something like:

Hey Mr. Welch, this is CenturyLink, we don’t have any boxes on the truck, so I tie-strapped it on temporarily, and I’ll be back out in <time frame> to properly fix it, I just didn’t want to leave it hanging.

I’d have been fine with that. That’s totally okay, totally acceptable.

That is not what happened. No call, and ticket closed. Oh honey, no. That’s not going to fly. So I just called. For a fourth attempt at fixing this. Highlights of the call:

  1. I get snipped at about using a speakerphone
  2. I have to explain what a TNI is. That’s on the outside of the box, btw.
  3. We go on a journey of imagination wherein I picture the current setup of my DSL modem because he’s worried my signal strength isn’t what it should be. (Not like a bad cover could cause that)
  4. He wants to set up a time to fix my bandwidth. I tell him how about we fix the problem that’s been extant since the 8th of July: the broken external box. If they manage to get this fixed on the *fourth* attempt, then MAYBE we can talk about my bandwidth.
  5. I finally get him to agree. In theory, someone will be out tomorrow.

For friends of mine, no, I did not lose my shit about 1). Thought about it, but I want this fixed, I don’t want to have to deal with hurt feelings too. I am however reconsidering my “Anyone but Comcast” stance. Because at this point, I’m unsure I could get worse customer service sans tasing.

OH…right, the return label finally showed up. About a week after I capitulated, printed out my own and shipped it. I do have the receipt for that, because we know they’re going to claim I didn’t send the old DSL modem back.


No No Honey, That’s a fon-don’t

Recently, I had a lightning strike hit close to my house. Like about 10′ in the air and 10′ off my deck. Didn’t hit the ground, but blew the cover off the DSL TNI box. (The box where your DSL/phone lines go into your house.) Ripped the cover off, I found it about 10′ away. The surge through my phone line took out the DSL modem, my Orbi Router, the PS4 that was connected to the Orbi router via Ethernet, the TV that was connected to the PS4 via HDMI…I didn’t even know that last one was possible.

Weird too. The Orbi will happily turn on and talk to the other satellites, but the Ethernet board is dead, so you can’t talk to the outside world worth a crap. The TV turns on and you can select whatever input you want, but the HDMI boards are evidently fried. The PS4 just won’t. It can’t even with this.

That happens. I mean, I live in Florida, lightning is real, and there’s not a lot of surge suppressors for HDMI or Ethernet. (although if anyone knows of one, that’s not stupid expensive, let me know!)

But this post is about how CenturyLink (very poorly) handled this situation. Now, in Tallahassee, or Tally, there’s two options: Xfinity/Comcast and CenturyLink. So Dumb and Dumber in terms of customer service. Tally does not have a large permanent population, so the ROI on things that people in proper urban areas get, like fiber to their house? That’s infinity. Since 2008, my bandwidth has gone from 10Mbps down to 25Mbps down with CenturyLink. So my grandchildren, if they live in my house, will be dead before they see a gig. Comcast/Xfinity aren’t even options, so don’t ask.

There’s never going to be municipal broadband, because while neither company will spend a damned dime on meaningful infrastructure upgrades, (why should they, it’s not like they have any competition, and at this point, they make money from the churn) they have spent millions ensuring that no town in Florida, no matter how small, will legally be able to do municipal broadband as long as they “promise” they have upgrades in the works.

It’s like me promising you a ride in my Lambo tomorrow. Tomorrow will never come.

So economically, they’re in a good place. Industry with a natural high cost of entry? Check. Town so small that no one is going to build anything better? Check. State that would rather set itself on fire than cross its plutocratic overlords? Oh honey, it’s Florida. Our idea of advanced K-12 education is the stingray shuffle.


Using my phone as a hotspot, I get on da intertubes and do the CenturyLink service chat. They’ll get me a new modem. 2-3 business days, (this is on a Saturday), and I pay $16 for shipping. That irks me, but whatever. Then I ask for a tech to come out and just check the lines. I mean, I know they took a surge. There’s no doubt, I have the charred ethernet cable that was plugged into the PS4 as proof.


Dat is burnt

So they won’t send a tech until after I get the new cable modem, at least not via chat. Um…no. So I call their support number. After a few minutes spent blowing off their phone tree by hitting “0” over and over, I get a human and of course, it’s the standard nonsense, they’ll show up “sometime” between 8am and noon on Tuesday.

Goddamnit, that’s half a day of vacation time. That’s real money they are taking out of my pocket for this. That’s how I view it, I am not just paying my bill, I am paying for it with my bill and half a day’s worth of vacation time. This is getting expensive. But, I’ve no real choice, so I ask them to have the tech call before they show up, you know, courtesy. They say they will make sure of that.

We all know what happens.

It’s 1pm on Tuesday, so outside of the window, and I’m pissed, because no phone call. I call CL support (and yes, I am ranting about this on Twitter. It’s my thing) and they say they may not be there until 2pm. I remind them, forcefully, that they said between 8-12 and they say “well, that’s really a guideline, it’s more like anytime between 8am-2pm.”

“So the time you told me was a straight-up lie”


We reschedule. Same drill for Thursday. I take the whole day off. The opportunity cost for this has now tripled, and there is no chance in hell CenturyLink will discount my bill for my hourly rate. 1:30 pm, nothing. No call. I go online to check the status of my ticket, and there isn’t one. It’s been canceled.


Call them again. I am not happy. I demand to see a supervisor. Mind you, that modem that was supposed to take 2-3 business days I ordered Saturday? Still not here. So that’s nonsense too, because now we’re at 4 days.

“Gee, it’s going to take a while to get a supervisor.”

“That’s okay, I’ve fired up D&D online, Thursday is Raid Day, I have the time.” Over an hour, I sit there playing video games and waiting. Because babies, I play MMOs. I can grind. Finally get a supervisor on the line. They get an earful. An angry, yet polite earful. (No profanity, I don’t call anyone names.) While this has been going on, CenturyLink’s Twitter support line has been getting a play by play. (Yes, I did enjoy the knowledge that I had, in some small way, messed up their call time averages. I am more than capable of being petty towards a multi-billion-dollar company when it requires no effort on my part. I am in fact driven by caffeine and spite.)

I don’t know who did what, but by five o’clock that night, I had the modem and had talked to a tech who said my lines were fine. Oh, they managed to mess up the new modem. No return label.


Fine. I know where the local office is, I’ll run it over on my lunch break. HAAAAaaaa…no I won’t. That office is closed, the other one close by isn’t open to the public. Go back to work in a foul mood, because CenturyLink has literally not done one thing correctly here. “Oh you can just print the…”

“No. I won’t do that. Send me one.”


“I have spent a day and a half of my vacation time because your tech arrival times are outright lies and no one working for a phone company is able to actually use one. I wasted gas trying to return your modem to you today because evidently, having a local public-facing office isn’t something you do. I’m going to probably have to carefully check my next bill to make sure it’s actually properly prorated and you want me to waste time, paper, and toner to make up for your screwup?

No. I will absolutely not lift a finger a millimeter more than required by physics to assist you in any way, shape or form. You can just send me a return label.”

“Well that will take another 2-3 business days.”

“And? That’s hardly a threat. Had you done things properly in the first place, we wouldn’t be in this call at all. I have done nothing wrong, you have done nothing right. Send me the label.”

It’ll probably take a week for that to happen.


There is nothing about this that was necessary. CenturyLink could have had some simple steps in their support process that would have completely removed the frustrations they created, and I feel these apply to any support org:

  1. Don’t Lie. Don’t even come close. If you say someone will be there in a four-hour window, they better be there, especially when someone is taking time to wait. Don’t say “well, we say four hours, but we really mean six.” The first rule of lying well is never tell people you’re lying. It’s important.
  2. Communicate. Call. Call the customer as the tech is heading out to their office/home. If there is the slightest chance you’ll miss your window, call and let the customer know ASAP so it can be handled before they’ve had hours to go full Tsar Bomba on you. No one likes getting the full Tsar Bomba.
  3. Don’t be petty. Why am I returning this modem? It’s dead. Unless it’s for recycling, this is a dead-assed modem. Just let me throw it away, or better yet, the tech should have said “Hey, since you got the new one now, let’s make sure it’s working and I’ll just take the old one with me.” That would have worked splendidly. Also, really? Sixteen bucks for 2-3 day shipping? Come on man. That’s just petty.
  4. Make sure you do what you say you will. If you say 2-3 business days, then by god, make it so. If you say there will be a return label in the box, then by god make it so. Don’t lie, and don’t be stupid about things.

None of this is hard to do right. In fact, it’s almost harder to do wrong. I guarantee any time “wasted” on calling me to let me know the window wasn’t going to happen was blown to smithereens by my ass being on hold for an hour.

Even when you don’t have competition, don’t be jerks. Because my dudes, you think I have any loyalty to CenturyLink at this point? If I could get better service from the Manson Family Internet, I’d switch so fast there’d be a flame trail, and I guarantee I’m not alone.

Really, at this point, CenturyLink should just stop pretending. Because what they have now is an insult to the people who do support well.



Is This Satire? Does It Matter?

A few days ago, Shekar Kirani posted a Twitter thread about “10x Engineers”, you know, the magical creatures that can do anything. My first thought was a) this is a myth and b) this is a person who will damage a company far more than they help it. But there’s more to it. (For what it’s worth, this is not satire. Kirani appears to truly believe 10x engineers are necessary for a startup. Kirani clearly has more tolerance for spoilt children than I do.)

So let’s look at what he says. Note, for this post, we are talking about Kirani’s version of a 10x coder, which is not a person to hire at all. The truth is a bit more expansive and less awful:

1. 10x engineers hate meetings. They think it is a waste of time and obvious things are being discussed. They attend meetings because the manager has called for a “Staff meeting” to discuss the features and status.

This is often the case, but it is not always the case. Many meetings are “unnecessary”, but then, people are also awful at communicating things unless made to. If people communicated better, more completely, and more regularly, many meetings would be even more unnecessary. But they don’t, and so we have meetings. But the subtext of this is that to a 10x engineer, no one “less smart” than they are may make requirements of their time. This isn’t about the usefulness of the meeting. This is about a “manager” (and you can hear the disgust Kirani has for that position, even though that’s what Kirani is) daring to think they have the right to make the 10x engineer do something other than what they want. Another subtext to this is: If you’re a manager, you’re clearly too stupid to do “real” work.

This is the same reaction a small child has when they have to do something they don’t want to do. Given the “10x engineers” I’ve known, the way both act out that resentment will be surprisingly similar, other than the small child can more easily be made to be reasonable. Or at all.

2. Timings in the office for 10x engineers is highly irregular. They tend to work when very few folks are around. If there is a crowd or all-hands meeting, they are not visible. Most of them are late-night coders and come late to the office.

Sorry your highness, but when you choose to work for someone who is not you, you sometimes have to do things you don’t like. Yes, there is a remarkable similarity between 1 and 2. Almost as if, once again, the 10x engineer isn’t subject to the same rules as everyone else. Now, I have no problem with flexible work hours. As someone who dearly misses working midshifts, and would love to be back on a midnight – 8am schedule, I get it. But, even when I worked mids, there were things I had to do at work during the day. Didn’t like it, because it was usually in the middle of my sleep schedule, but I did it. I didn’t expect the entire company to wrap itself around my needs. Doing that, regardless of talent level, is the sign of a self-centered jerk.

Do not employ self-centered jerks. They are never worth the pain they will cause.

3. 10x engineers laptop screen background color is typically black (they always change defaults). Their keyboard keys such as i, f, x are usually worn out than of a, s, and e (email senders).

This is utter elitist nonsense. Kirani should have not gone to 11 with this, because this item is just stupid. And ableist. It also assumes that all “real” 10x engineers do everything in vim or perhaps emacs. Honestly, I can’t tell, because you have to be some kind of real dip to actually believe this level of tripe, and “tripe” gentle reader, is the kindest word I have for it.

4. 10x engineers know every line of the code that has gone into production. If a QA or support folks alert an issue, they know precisely where the fault (or bug) is and can fix the same in hours vs days

Haaaah…no. In fact, once the code base gets to a certain size, this is not the case. They may be faster at it, but that’s not the same thing. Also, Kirani’s 10x engineer has to fix it, because Dog knows, if you try to let anyone access their code, they will have a fit. Especially someone not as smart as them by their standards. 10x engineers, again, tend to be rather spoiled. In Kirani’s world, no one else is capable of fixing a bug, because his 10x engineer is the only one who knows where anything is.

This is a real danger: the reality of the 10x engineer being the only one who knows the code (Kirani actually uses this as a point in their favor later on) because they won’t document. So they can never take a vacation, not that they would, and if they leave, you are screwed, because again, no one else has a clue about the code, it is written for one person’s eyes. I’m also going to bet in Kirani’s world, anyone doing anything not related to engineering or making money is a waste of carbon only suitable for a soylent green vat.

A 10x engineer will kill your company with this kind of thing. They’ll kill it via burnout, via leaving, via not being able to juggle the plates anymore, but following Kirani’s advice will kill your company dead.

(I am also amused that Kirani even allows for bugs given points 6 & 7, which would seem to make bugs impossible by a 10x engineer. Which goes to show you that Kirani literally has no gods-damned clue about his own thesis.)

5. Most of the 10x engineers are full-stack engineers. For them code is code, they don’t care whether it is front-end, back-end, API, database, serverless, etc. I have rarely seen them doing UI work.

We can tell. So can everyone trying to use their code, because it’s a gods-damned awful mess of arcane procedures that only make sense to one person, because there’s only one person who counts. God help the poor bastards who have to try to fit that code into a usable UI, because the 10x programmer won’t.

This also tells you where Kirani’s head is at. No, not up his nethers. Okay, not just up his nethers. Kirani is still living in the glory days of the 90s when a UI was something people too stupid to do real engineering bolted onto code once it was done. I’ve used interfaces like that. They’re awful.

6. 10x engineers can convert “thought” into “code” in their mind and write it in an iterative fashion. Given a product feature, they can write that entire feature in one or two sittings of 4 to 6 hours with a caffeinated drink without distraction.

The problem with this of course is when that feature has to be used or coded by someone who isn’t the 10x coder, because at no point will that thought be written down, and the source code will rarely be written to be readable by anyone else. So basically, what you will have is code that no one can ever touch or modify. 10x coders will slow your company down with this kind of thing, because it is the opposite of teamwork.

It also means that even if you hire another one of Kirani’s 10x manticores, (I refuse to call them unicorns. Unicorns are beautiful. Manticores are just assholes who destroy everything they touch. Rather like Kirani’s 10x engineer), they will be of little to no use to you, because manticores can’t work together. They treat everyone else poorly, especially that manticore over there who thinks they know anything when clearly they don’t. I mean, they use 4 spaces as an indent instead of one. Only a fool does that.

7. 10x engineers rarely look at help documentation of classes or methods. They know it in memory and can recall from memory. They write code at the same ease as writing English. No breaks, no pauce, just type.

Normally, I am forgiving of typos, but this one (“pauce”) is so perfectly illustrative of the problem with “just type it all from memory”. I mean, that’s not even a homophone issue. I guess manticores aren’t that good at English either. As well, the 10x coder will know some of the classes and methods in memory, but all of them? Nope. And the arrogance that makes them think they don’t need to look things up will fundamentally limit them to only being able to use the things they have in memory. This is ultimately limiting as hell, because new features? What are those? New methodologies? Who has time for that, I am birthing code from my thoughts as Zeus did birth Athena herself.

8. 10x engineers are always learning new frameworks, languages ahead of everyone in the company. They are not afraid of anything new. If there is something new (e.g. blockchain) they gobble up, setup, experiment before anyone is getting started.

Wait, I thought you said they had everything already memorized? There is an unavoidable problem with Kirani’s thesis. Points 7 & 8 just happen to illustrate it in sequence. As well, Kirani’s Manticore leads you into the infinite stench of the Bog Of Never-Released-Product because “wait, we have to move everything to this NEW framework…” That’s not to say you never look at anything new, but again, Kirani’s Manticore has no time to actually get something done. Besides, once they memorize this new framework (see number 7), they’ll be able to do the entire conversion in their head, (see number 6) and it will take them almost zero time (number 7 again.)

Begin to see the pattern?

9. 10x engineers are poor mentors as they can’t teach others on what to do OR parcel the work. They always think “It takes too long to teach or discuss with others, I would rather do it myself.” They are also poor interviewers.

They are literally incapable of helping anyone else improve their skills, delegating tasks, managing workloads, or helping anyone but themselves including the rest of the company…HIRE THEM NOW! HIRE THEM ALL! Honestly, if I ran a company, every time one of Kirani’s Manticores applied, I would work day and night to get them hired…

…by my competition. Because man, I’d be a market leader in about a year without even trying hard. Seriously, why would anyone want this kind of person working for them. Let us unpack what Kirani is recommending here. He’s saying you should hire someone who:

  • Can’t communicate what they know in a useful fashion
  • Doesn’t want to communicate what they know in a useful fashion even if they could
  • Will relentlessly micromanage and resist any attempt to remove things from their plate
  • Can’t assist the company in evaluating new hires

Kirani’s Manticore is literally only capable of working by, and for themselves. Well, not the latter. Turns out working for yourself involves a lot of communication and meetings. So really, they’re only capable of working for someone else, but never in a way that requires any form of normal human interaction.

This is an asshole. Kirani’s Manticore is in fact, an asshole.

Two more points, almost done.

10. 10x engineers don’t hack things. They write quality code and know exactly how the code has to evolve, and have a mental model of overall code structure. They write at most one design document, and the rest is in the code.

Undocumented code, (no, the source is not, in and of itself, documentation. That Kirani believes this shows how far up his own nethers his head dwells) is a hack. It is the worst kind of hack, because it lets you fall in to the “if it ain’t broke, don’t fix it” trap. That’s a trap because it leads you into corners you don’t know you’re in until you try to grow the product or the company, and you discover this code that is only readable, fixable, maintainable by one person cannot actually be grown or even updated. But that’s okay, Kirani’s Manticore was going to rewrite the entire thing from scratch anyway. This time, they’ll incorporate your useless new features that don’t really matter, but you’re the boss and the customers want it.

(I am being kind using neutral pronouns. Kirani’s Manticore is always male. I’ve never in my life seen a woman be this much of an asshole. I’m not saying it’s impossible or can’t/hasn’t happened, I’ve just not seen it and new reader, I Am Not New.)

Also, Kirani’s definition of Quality is shall we say…at odds with any useful definition.

11. 10x engineers rarely job hunt or move out of the company. They move out because you make their life miserable with the process, meetings, training, and other non-value-added activities. If you come across them, hold on to them. Celebrate them.

Kirani literally called training a non-value-added activity. Which is directly at odds with item 8. It is also at odds with literally everything useful about keeping good people. Training is one of the key things you can do to retain them. Here is my advice, take it or not: If you find you have accidentally hired Kirani’s Manticore, fire them. Fire them before they drive everyone else out of your company, and/or make you the target of a hostile work environment claim. Because Kirani’s Manticore is an asshole, and nothing, I mean nothing is worth that.

Shekar Kirani is the kind of person who thinks Uber would have been a paradise had they fired all the non-bros who were bringing everyone down.

Oh, minor addendum. If you really want to know where Kirani’s head is at, read this tweet. The pertinent part:

Find the best in each & get the best out of them. That’s what good managers do.

That’s VC for “use them and dump them.” So yeah. Shekar Kirani. Don’t listen to him.


Not all…

So first, watch this, and then the followup video a ways down the stream. First, this dude has issues. I think that’s obvious, he has issues, and he’s not handling them well. Which in the US, is, sadly, unsurprising. As a country we suck at brain health. (note: while mental health is the preferred term, I have some issues with it because it implies mental health is some non-physical thing. It’s not. Mental health is brain health, and I think that if we start thinking about it that way more, we might stop with the idea that you can just “fix” brain health issues by “not feeling sad.”)

Set aside the massive amount of schadenfreude one feels when Angry Mite gets taken down (tip: you never know when the person you dare to attack you knows how to do it properly. That’s a proper takedown and control right there) and listen to this guy. He has clearly had some less-than-happy encounters on dating sites. Now, clearly, this is not just about his height. Even when he’s not raving in a bagel shop, I’m guessing he’s not the easiest person in the world to deal with.

Funny how all the “If you can’t handle me at my worst, you don’t deserve me at my best” memes seem so inappropriate here. Yeah, I hate those.

But I am also not going to dismiss the idea that he has been treated poorly for being short. Because people suck, and say things, even without intending to be mean that are. Lord knows I’ve done it, everyone has. Intent only exists in our heads, everyone else is stuck with our words and actions. If said words and actions don’t match the intent, well, one’s intent stops mattering. What’s the saying? Intent is not magic. As well, online encounters can tend towards snark. I mean, there’s entire web sites devoted to “witty” shut downs of people on dating sites. Quite often, those guys deserve it. Quite often, the women deserve it too. People can, and regularly do, suck.

But it is also obvious that this guy is now in a state where as far as he’s concerned, it’s all women. They’re all treating him like crap because he’s short. Every look, every action that can be interpreted as bad towards him is. That’s not something you just wake up doing. He’s probably gotten a lot of that, to the point where he assumes it’s constant, even when it’s not.

This is where “not all…” comes in. Now, there’s basically two ways to use that concept, and they are directly opposed to each other. The first one is the one we see the most, because it’s the public version. “Not all…men/women/christians/cops/muslims/etc.” We see that one a lot, especially women. There’s a common variant: “A few bad apples…” It’s the same thing though: just because some members of a group do a bad thing, that doesn’t mean all members of a group do that bad thing. Well, that’s both accurate and profoundly ignorant. It ignores the second part of the variant: “…spoil the barrel.”

It does not take 100% of a given member of a group doing bad things to make you sick and tired of that group. Look at the spate of “<blank> while black” videos over the last few years. Now, remember that for every one of those we see, there’s a lot we don’t. It would be a unique occurrence for something like that to be 100% documented. If you’re black, hispanic, a member of the many indigenous tribes in the US, or any person of color in this country, I’m going to go out on a limb, by which I mean I won’t leave my chair, and bet you’ve had something similar to what we see in the videos happen to you. Multiple times.

As a person, it does not take that happening a lot before you develop the (completely understandable) mindset that everyone in that group is just an asshole, or at least it is safer to treat them as assholes until proven otherwise. So when something like “how dare you be black and out where I can see you” happens, or the video of the woman showing just what it’s like to be her walking around the city, happens, and the first, or damned close to it response is some gorp going “Well, not all <whatever>…”, it’s infuriating right? Because it’s dismissive and self-centered. The person saying that does not care about what’s happening, they just want to make sure you know they’re blameless. That’s ultimately what it’s about. Guys saying “not all men” don’t give a fuck about all men. They want to make you acknowledge that it’s not them. Okay Skeezix, you’re awesome, it’s other men. Same thing with “not all white people” or “not all cops”, etc.

The people saying that don’t care about what’s happening, they just want to make sure you know it’s not them.

That’s the first version of “not all…”. It’s the external version, and the really crap one.

But there’s another version, and I think it might have helped this guy. It’s the internal version that focuses on blaming individuals, not groups. For example, in Jr. High and High School, the most consistently worst bullying I got was not from jocks, it was from nerds and women. (Please do not try to argue my life with me. You weren’t there.) The computer/D&D nerds and the popular girls were an endless source of torment for a rather formative part of my life. It’s why even now, I laugh at the idea that nerds/geeks are welcoming and open to all kinds of people. The personal and external data on this shows it to be fiction. People are factional regardless of group. Being an outcast does not remove the ability to turn other people into outcasts.

But, what I learned, helped unintentionally by my dad, (tl;dr, he felt racism et al was a sign you had too much free time, and that blaming all for the actions of one was kind of stupid) was to use “not all…” to remind myself that just because this person or those people are being shitty to me, not everyone in that group is crap. That I need to allow for non-awful behavior and be open to it. To not assume that everyone in a given group is awful by default.

This is not easy to do. Some groups, y’all do not make it easy on folks. And when you have crap treatment be so constant that it feels like the norm, you’re going to fail at it. That’s understandable, but I would ask that you keep trying. Because honestly, it can help. It can help you not turn into that guy in the video. Note that I am not saying ignore all slights. Not even…slightly. If someone is awful to you and does nothing to earn forgiveness, there’s nothing wrong with cutting that person out of your life to the extent possible and never dealing with them again, whether it be purely on social media or solely in “real” life, or a mix.

You are not required to martyr yourself to a warped version of forgiveness to be a good person.

But, when someone who is part of a group is a shitty person, or even a lot of someones…remember that there are probably people who are part of that group who have no idea who these other people are, and who may only be a part of that group incidentally or accidentally, and…I’m not saying set aside your experiences, that is unreasonable and possibly dangerous. But allow for someone to not be awful. Be at least a little open to that possibility. That’s the point of the internal “not all…” in the end. To help you not be more miserable than necessary.

(Also, before the pedants arrive: This does not apply to all groups. Someone is a fucking Nazi or in the Klan? Yeah, then it is ALL of them. They ALL suck, and should be treated that way. But really, what’s the point of trying to bring up extremes as the norm? If that’s all you want to do, maybe I’m not the guy you should interact with.)

Everything is on fire

Just in case you’re not reading about the latest security implosion, (does that even mean anything any more? It’s not like it’s rare), Zoom, a GoToMeeting clone, decided that “convenience” outweighed all concerns, including any form of common sense, professional ethics and sanity. Here’s the best, most detailed writeup from the guy who discovered it. It’s long, but read it anyway.

By “convenience” I mean, they didn’t want to do the “hard” UI/UX work to make their app actually easy to use. No, instead, they just made it effectively impossible to fully uninstall without some command-line time, and made it so it could stealth reinstall at any time if you clicked on a web link. If the person building the “meeting” decided your camera should be on when you “joined”, your camera was on. Brilliant. How convenient. Totally not creepy or bad at all.

I mean, they actually viewed having to click a button as a worse sin than not giving you a choice. But, you could go into the Zoom client and in the settings turn the “your camera automatically comes on when you join a meeting” off. Because that’s what most non-tech people do, instantly traverse (regularly awful to use) app preferences on a newly installed application to set it up. Ow, my eye-rolling muscles just cramped. This is literally the worst sort of “opt-out as default” behavior, but hey, convenience. For Zoom that is.

So yeah, Zoom. Who, without warning or explanation, installed a hidden webserver on your Mac. Not “oops, we forgot to tell you”, but actually hidden. (You don’t name the directory “.zoomus” if you aren’t trying to hide it. That’s the only reason to start a file/directory name with a period. Period.) What was the purpose of this webserver? Why, to automatically reinstall the Zoom client if you clicked on the right kind of link. Of course, that only worked from a series of trusted domains. And it’s not like Zoom would accidentally almost let one of those domains go up for grabs…

Doing a whois lookup on all of the domains listed in the source code returned some interesting results. For example, the domain was scheduled to expire on May 1st, 2019. Had this domain registration been allowed to lapse, the takeover of this domain would have allowed an attacker to host an infected version of the Zoom installer from this site and infect users who had uninstalled Zoom from their computers. Essentially, this would have made this vulnerability a Remote Code Execution (RCE) vulnerability. I disclosed this bit of information to the Zoom team during my call with the Mozilla security team on April 26th, 2019. Within 5 hours of the end of that call that domain had been registered out to May 1st, 2024.


But it’s really easy to manually fix this. Delete the app, then just run these two terminal commands:

pkill "ZoomOpener"; rm -rf ~/.zoomus; touch ~/.zoomus && chmod 000 ~/.zoomus;
pkill "RingCentralOpener"; rm -rf ~/.ringcentralopener; touch ~/.ringcentralopener && chmod 000 ~/.ringcentralopener;

and bob’s your uncle. For some value of “bob” and “uncle”. The sad thing is, Zoom didn’t even begin to think of the badness of this until they were getting beaten up over it. No, really, here:

Some choice quotes:

There are two matters also brought up in this inquiry that deserve to be addressed.

First, a local denial of service (DOS) vulnerability for Mac devices. In this vulnerability, a hacker could potentially target a Mac user who already has Zoom installed with an endless loop of meeting join requests, effectively causing the targeted machine to lock up. Again, we have no indication that this ever happened. We released a fix for this in May 2019, though we did not force our users to update because it is empirically a low-risk vulnerability.

Second, when Zoom is installed on a Mac device by the user, a limited-functionality web server that can only respond to requests from the local machine is also installed on the device to help launch Zoom meetings. This is a workaround to a change introduced in Safari 12 that requires a user to confirm that they want to start the Zoom client prior to joining every meeting. The local web server enables users to avoid this extra click before joining every meeting. We feel that this is a legitimate solution to a poor user experience problem, enabling our users to have faster, one-click-to-join meetings. We are not alone among video conferencing providers in implementing this solution.

Oh. My. God. They are literally doing the “You can’t fuss at me for kicking a puppy because Billy punched a baby” thing. A software company pulling out little kid logic. Also, given the amount of security thought they put in their product, I don’t think I’m taking their definition of low risk seriously. Also, really, having to click a button is some kind of awful thing? Just how many Zoom meetings are people getting invited to where clicking a “you sure you want to do this” button is some kind of awful punishment?

Let me restate this: they stealth-installed a hidden webserver to circumvent built-in security in the name of “convenience”. The application defaults allow a remote meeting creator to turn your camera and mic on without warning. There are not enough letters in “bullshit” to describe the bullshit of this bullshit. And then, when they released a patch, they didn’t even try to push it out. A younger me would be screaming. Current me is just sighing, because current me sees this all the time.

Another one:

This week, a researcher published an article raising concerns about our video experience. His concern is that if an attacker is able to trick a target Zoom user into clicking a web link to the attacker’s Zoom meeting ID URL, the target user could unknowingly join the attacker’s Zoom meeting. If the user has not configured their Zoom client to disable video upon joining meetings, the attacker may be able to view the user’s video feed. Of note, we have no indication that this has ever happened.

Yeah skeezix, that’s how security researchers work. They tell you things before they get abused. That’s kind of the point. It’s why you should listen to them. (Not that security researchers are paragons of ethical behavior. But that’s a post for another time.)

And this one:

We do not currently have an easy way to help a user delete both the Zoom client and also the Zoom local web server app on Mac that launches our client.  The user needs to manually locate and delete those two apps for now. This was an honest oversight. As such, by this weekend we will introduce a new Uninstaller App for Mac to help the user easily delete both apps.

This was not an honest oversight, because the way to actually make uninstalling the entire app easy would have been to place everything in the application bundle, so when the human deleted the app, poof, all gone. This is not hidden master developer knowledge. It’s pretty common stuff and important for actual ease of use for the person who is using the app. Oh, and doing this means you don’t need an Uninstaller App that you have to install next to your app. Doing it the right way actually saves you work. Wow, imagine that.

This was a deliberate design decision whose point was to make it hard to fully uninstall the app. Don’t front, my dude.


We appreciate the hard work of the security researcher in identifying security concerns on our platform. Initially, we did not see the web server or video-on posture as significant risks to our customers and, in fact, felt that these were essential to our seamless join process. But in hearing the outcry from some of our users and the security community in the past 24 hours, we have decided to make the updates to our service. In response to these concerns, here are details surrounding tonight’s planned Zoom patch and our scheduled July release this weekend:

If Zoom seriously did not see the potential problem in the web server, the defaults, or their application file layout scheme, then they are a company with all the security awareness of a brick, the people at Zoom making decisions are stupid to the point of appearing malicious, and you should most emphatically never use their software, because this will not be the last time stupidity at this level happens.

The fact it took a multi-day internet flogging to get them to see the light doesn’t make it any better.


That’s not the main point of this post. (If you are a new reader, I am a verbose kind of person. I wallow in it. You may wish to get used to that.)

The point is, this is why Apple is going crazy about UAC (and why they need to add more to it. Like network port usage.) Because in the Linux “it’s up to you to do everything” world, there’s no way in hell a non-technical user would be able to fix this. They’d not know what to look for, how to look for it and they certainly wouldn’t think to use:

pkill "ZoomOpener"; rm -rf ~/.zoomus; touch ~/.zoomus && chmod 000 ~/.zoomus;
pkill "RingCentralOpener"; rm -rf ~/.ringcentralopener; touch ~/.ringcentralopener && chmod 000 ~/.ringcentralopener;

Which is actually a series of commands ganged together:

pkill "ZoomOpener"
rm -rf ~/.zoomus
touch ~/.zoomus
chmod 000 ~/.zoomus
pkill "RingCentralOpener"
rm -rf ~/.ringcentralopener
touch ~/.ringcentralopener
chmod 000 ~/.ringcentralopener
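
Those steps, wrapped in a script that first reports what is there and only changes anything when asked. This is an added example, not code from the original writeup or from Zoom; the function names and state labels are assumptions, while the process names and paths are the ones in the commands above.

```bash
#!/usr/bin/env bash
# Added example: audit and block the opener paths named in the post.
# Function names and state labels are assumptions made for this sketch.

# "process:hidden-path" pairs, taken from the two commands above.
OPENERS="ZoomOpener:.zoomus RingCentralOpener:.ringcentralopener"

# Classify one path: present (directory, helper installed), blocked
# (regular file with mode 000), absent, or unexpected (anything else).
opener_state() {
    local path="$1" mode
    if [ -d "$path" ]; then
        echo present
    elif [ -f "$path" ]; then
        # Read the mode from ls so the answer is right even when run as root.
        mode=$(ls -ld -- "$path" | cut -c1-10)
        if [ "$mode" = "----------" ]; then echo blocked; else echo unexpected; fi
    elif [ -e "$path" ] || [ -L "$path" ]; then
        echo unexpected
    else
        echo absent
    fi
}

# The four steps from the post: stop the helper, delete its directory, then
# leave an unreadable file on the same name so the directory cannot come back.
block_opener() {
    local proc="$1" path="$2"
    pkill "$proc" 2>/dev/null || true   # exit 1 just means it was not running
    rm -rf -- "$path"
    touch -- "$path" && chmod 000 -- "$path"
}

# Report every pair under a home directory; with "apply", block each first.
audit_home() {
    local home="$1" action="${2:-report}" pair proc name
    for pair in $OPENERS; do
        proc=${pair%%:*}
        name=${pair#*:}
        if [ "$action" = apply ]; then
            block_opener "$proc" "$home/$name"
        fi
        printf '%s\t%s\n' "$name" "$(opener_state "$home/$name")"
    done
}

# Read-only report by default; pass "apply" as the first argument to remediate.
audit_home "${HOME:-/nonexistent}" "${1:-report}"
```

The placeholder works because a regular file already holds the name, so anything that later tries to create a directory called `.zoomus` there fails.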

Honest to god, it’s a good thing Zoom’s devs were kind of incompetent in how they hid their stuff. If they’d really wanted to hide it well, non-technical users would be nuking and paving forever because they’d keep reinstalling the Zoom client and having this happen again. I mean, even half-assing it could cause this, but at least it’s vaguely easy to find it.

The idea that guarding against this kind of crap is all up to the user and things like advanced UAC and SIP and the new read-only system volume coming in Catalina are “bad” or limiting freedom is an idea that is elitist at its core. It says “if you just want to use a computer, bad things will happen to you and it will all be your fault.” Note that computers are the only place we say this. If you told people that they had to know everything about vehicle design to ride a bus or drive a car safely, and if they didn’t, then any defects in the vehicle that harmed them were their fault, not the manufacturer’s, those same techno-libertarians would shit themselves to lighten their weight load so they could get to protesting faster.

Even worse, ponder doing that for aviation. Don’t know the difference between a safe level of speed-tape on an engine and a “don’t get on that plane, you’re gonna die” level? Don’t know what speed-tape is? Sucks to be you.

No one would ever fly again, and they would be correct to never fly again. But when it’s a computer? Oh well, it’s the user’s job to be a sysadmin/senior dev. It’s certainly not anyone else’s job to protect the user from predatory crap like that.

Zoom is not unique here, not even close. I’ve been seeing this kind of crap happen for decades. And the response, when the dev is caught, is the same as Zoom’s. I cannot, literally can. not. recall an instance where the dev didn’t try to justify it, to somehow try to blame the people who caught them. To pull the “well, it’s not a real problem” crap. To pull all the dodges that somehow absolve them of any real fault.

Apple may not always implement things the best way the first time around, but they are doing more to make things safe to use by default than literally anyone else. Every time I see someone gripe about their new UAC in a new macOS release, it’s never “there’s a better way.” It is always, always “I find this inconvenient.”

Yeah, well I find having to help family members accept that their stuff has been destroyed because a dev didn’t give a crap and hoping they have a backup to be inconvenient.

The kind of “we don’t want to do things that are inconvenient for us, screw the user” attitude, so extensively on display here for Zoom, has to end. There is a limit, eventually, and I think even Apple is getting close to it, on how much the OS vendor can do to protect people from a dev determined to do this kind of shit. At some point, we, the user community, have to be more angry at the devs pulling this crap than at the OS vendor who “allows” it. When an app installs a rootkit, whether or not the OS should have allowed that is a secondary point. The fact the dev decided to take that action is the real offense.

If someone kicks in my door and robs my house, I may be mildly annoyed at the door manufacturer for making a weak door, but the real offender is the person who broke into my house. When devs shove bullshit adware frameworks into their apps, it is they who are the worst offenders, not Google/Microsoft/Apple for not preventing them. It is the asshole’s fault, first and foremost for being an asshole. Zoom, in this instance, is the asshole, and based on what I see coming from them, they don’t really think they screwed up, but they would very much like the flogging to stop.

This kind of shit is what drives the increased UAC you’re going to see more and more of. If that bothers you, then when you hear fellow devs talking about this kind of idiocy, call them out on it. Get them to stop being assholes.

Because again, if it’s a choice between just regular people not having to become sysadmins and devs just to use their computer and your convenience? I’ll set your convenience on fire, and make s’mores.




This again

My feelings about Medium finally hit a point where it’s worth it to do this again. For anyone who read my old site, this is not going to be that.

I’m not sure what this will be to be honest.

For fans of “Monk and Paladin”, that will remain on Tumblr. It’s highly appropriate for Tumblr.