Home Depot GitHub token exposed for a year, granted access to internal systems

Posted by kernelrocks 3 days ago

Comments

Comment by AdmiralAsshat 3 days ago

>When reached by TechCrunch on December 5, Home Depot spokesperson George Lane acknowledged receipt of our email but did not respond to follow-up emails asking for comment. The exposed token is no longer online, and the researcher said the token’s access was revoked soon after our outreach.

>We also asked Lane if Home Depot has the technical means, such as logs, to determine if anyone else used the token during the months it was left online to access any of Home Depot’s internal systems. We did not hear back.

As soon as they realized that the researcher had contacted "the media", they probably escalated internally to their legal team before anyone else, who told them to shut up.

The response, if one ever comes, will be a communication dense in lawyer-speak that admits no fault whatsoever.

Comment by Scoundreller 2 days ago

This is why I go straight to legal for some things. By letter (the kind with a stamp).

As it could be service or real legal stuff, it tends to get read by someone literate and able to take action.

Had to do that with a bank that refused to talk to me (I hit some kind of identify verification quagmire), but they quickly got someone able to call me and close it on the spot.

Comment by noitpmeder 2 days ago

I mean you can't fault them for that approach.

Obviously we would all like a full post mortem from the home dept side, but in today's litigious shareholder-value-driven world their response is the correct one.

Comment by dnw 2 days ago

Last week I accidentally exposed my OpenAI, Anthropic, and Gemini keys. They somehow ended up in Claude Code logs(!) Within seconds I got an email from Anthropic and they have already disabled my keys. Neither OpenAI nor Google alerted me in anyway. I was able to login to OpenAI and delete all the keys quickly.

Took me a good 10-15 minutes to _just_ _find_ where Gemini/AI Studio/Vortex projects keys _might_ be! I had to "import project" before I could find where the key is. Google knew key was exposed but the key seemed to be still active with a "!" next to it!

With a lot of vibe coding happening, key hygiene becomes crucial on both issuer and user ends.

Comment by ChrisMarshallNY 2 days ago

> With a lot of vibe coding happening

I shudder to think of the implications.

Consider all the security disasters we already get from brogramming, and multiply that, times 100.

Comment by throwawaysleep 2 days ago

Security simply doesn’t seem like it matters much based on the mild consequences.

Comment by rainonmoon 2 days ago

Try working at a company of any remote public significance and see if your view changes.

Comment by Nextgrid 2 days ago

There's a lot of performative "security" in such companies. You need to employ the right people (you need a "CISO", ideally someone who's never actually used a terminal in their life), you need to pay money for the right vendors, adopt the right buzzwords and so on. The amounts of money being spent on performative security are insane, all done by people who can't even "hack" a base64-"encrypted" password.

All while there's no budget for those that actually develop and operate the software (so you get insecure software), those that nevertheless do their best are slowed down by all the security theater, and customer service is outsourced to third-world boiler rooms so exploiting vulnerabilities doesn't even matter when a $100 bribe will get you in.

It's "the emperor has no clothes" all the way down: because any root-cause analysis of a breach (including by regulators) will also be done by those without clothes, it "works" as far as the market and share price is concerned.

Source: been inside those "companies of public significance" or interacted with them as part of my work.

Comment by throwawaysleep 2 days ago

Equifax? Capital One? 23andMe? My basis for this is that you can leak everyone’s bank data and barely have it show up in your stock price chart, especially long term.

Comment by rainonmoon 2 days ago

Stock price is an extremely narrow view of the total consequences of lax cybersecurity but that aside, the notion that security doesn’t matter because those companies got hacked is ridiculous. The reason there isn’t an Equifax every minute is because an enormous amount of effort and talent goes into ensuring that’s the case. If your attitude is we should vibe code our way past the need for security, you aren’t responsible enough to hold a single user’s data.

Comment by ChrisMarshallNY 2 days ago

I feel as if security is a much bigger concern than it ever was.

The main issue seems to be, that our artifacts are now so insanely complex, that there’s too many holes, and modern hackers are quite different from the old skiddies.

In some ways, it’s possible that AI could be a huge boon for security, but I’m worried, because its training data is brogrammer crap.

Comment by Nextgrid 2 days ago

Security has become a big talking point, and industry vultures have zeroed in on that and will happily sell dubious solutions that claim to improve security. There is unbelievable money sloshing around in those circles, even now during the supposed tech downturn ("security" seems to be immune to this).

Actual security on the other hand has decreased. I think one of the worst things to happen to the industry is "zero trust", meaning now any exposed token or lapse in security is exploitable by the whole world instead of having to go through a first layer of VPN (no matter how weak it is, it's better than not having it).

> quite different from the old skiddies

Disagreed - if you look at the worst breaches ("Lapsus$", Equifax, etc), it was always down to something stupid - social engineering the vendor that conned them into handing them the keys to the kingdom, a known vulnerable version in a Java web framework, yet another NPM package being compromised and that they immediately updated to since the expensive, enterprise-grade Dependabot knockoff told them to, and so on.

I'm sure APTs and actual hacking exists in the right circles, but it's not the majority of breaches. You don't need APT to breach most companies.

Comment by hulitu 13 hours ago

> the notion that security doesn’t matter because those companies got hacked is ridiculous

see Solar Winds, Microsoft etc.

Comment by ChrisMarshallNY 2 days ago

I don't know if 23andMe has done so well, but many of their problems stem from a bad business model, as opposed to that awful breach.

I agree that we need to have "toothier" breach consequences.

The problem is that there's so much money sloshing around, that we have regulatory capture.

Comment by duxup 2 days ago

>Took me a good 10-15 minutes to _just_ _find_ where Gemini/AI Studio/Vortex projects keys _might_ be

I feel like all this granular key management across everything, dev, life, I might be more insecure but god damn I don't feel like I know what is going on.

Comment by varenc 2 days ago

How did they get leak them? Just someone getting into your personal Claude Code logs? I'm surprised that if it was just that Google would even be aware they're leaked.

Comment by dnw 2 days ago

Claude was looking up env-vars during the coding session which ended up in ~/.claude/projects/ log. I wanted to make the [construction] logs public with the code. Didn't think that was a leak vector.

Comment by hippo22 1 day ago

How would Google or OpenAI have alerted you? Anthropic could alert you because they scraped their keys and detected on of their keys in the logs. If anything, it’s bad that Anthropic only notified you about their key, and not the other keys that have leaked.

Comment by dnw 22 hours ago

They all partner with Github to detect leaked credentials. In order to have API keys I need to have an account with each service with a valid email. So all three of them had the same information and channels available to reach me. It wouldn't have mattered how the keys got leaked, in the current setup Anthropic would have reached me first and deactivated my key.

Claude (or other LLMs, for that matter) wouldn't know they leaked the keys because I did, by trying to make the construction logs public. I just wasn't expecting the logs to have keys in them from my env vars.

Comment by fatata123 2 days ago

[dead]

Comment by lillecarl 2 days ago

I've accidentally pushed a personal PAT(ro) to both Github and gist because of poor hygiene in personal projects, both times Github dropped the PAT and notified me.

Comment by culi 2 days ago

Yeah I'm impressed they even managed to publish a personal token. My experience with GitHub's automated token recognition has also been positive (tho the tokens were never of any consequence)

Comment by tclancy 3 days ago

Man, a year to grab all the Home Depot 2x4s you want! Someone could have built a sphere with those.

Comment by lelandfe 2 days ago

I don't know how well lumber holds up to the bottom of the ocean

Comment by 725686 2 days ago

Pretty good actually. With the salt, lack of oxygen and pressure it can last quite a long time.

Comment by zdragnar 2 days ago

Presumably you'd want human habitable atmosphere on the inside of the sphere, which would radically change the equation against the use of wood unfortunately.

Comment by rl3 2 days ago

I disagree. Traditional underwater human habitats are overengineered and expensive.

By using plywood in conjunction with other off-the-shelf parts and materials, we can change this equation to deliver more value while dramatically reducing costs.

If, due to unforeseen circumstances the habitat occupant can no longer sustain life, they're automatically entombed inside a makeshift plywood coffin—no costly recovery operations required. Logitech wireless game controller sold separately.

Comment by Ekaros 2 days ago

Could we involve robotics, LLMs and maybe some camera based vision models to this process? Surely with AI we could make building those very fast. Especially with humanoid robots...

Comment by rl3 1 day ago

After the initial trial of humanoid robots resulted in too many fatalities owing to falls, it was decided to instead acquire industrial 6-DoF robotic armatures and place them atop treaded, omnidirectional-pivot cargo transport systems intended for warehouse use.

The LiDAR option on the armature was eschewed due to cost in favor of an in-house, camera-based vision model that has thus far reduced the number of safety incidents that later result in amputation (knock on plywood) while increasing manufacturing output.

Pressure vessel construction still remains a point of concern on account of recent trends which indicate a rise in errant armature misfires when gripping tools that facilitate the application of nails and staples to the plywood superstructure.

Comment by 2 days ago

Comment by throwaway81523 1 day ago

Damn, their web site is so awful. If the code for it is all in github and the token got loose, maybe the right attacker could have cleaned up the slow javascript bloat, made the search system a lot better, fixed the login bug that makes logging in fail more than half the time depending on your browser, streamlined the ordering system, etc. We missed our chance!

Comment by dbancajas 2 days ago

What's the biggest damage someone could have done with that info?

Comment by dnw 2 days ago

- Download all the source code and look for vulnerabilities at their leisure.

- Depending on whether they use GH for deployments they can also introduce features to production that can help them

Comment by gregclermont 2 days ago

As an example, there is a hacking group tracked as "Atlas Lion" that has been persistently targeting large retailers' internal systems to steal gift cards that they resell on gray markets for a profit.

I don't believe exploiting GitHub repos for initial access is part of their playbook, but there have been plenty of examples in recent years of attackers gaining access to internal infrastructure via secrets exposed in GitHub (whether in code or Actions workflows). Just this year, attackers got into Salesloft's GitHub, pivoted to their AWS environment, and stole OAuth tokens that gave them access to hundreds of Salesforce customers.

Comment by deadbabe 2 days ago

Wow, someone could have used the data from internal systems to do some serious insider trading

Comment by 8cvor6j844qw_d6 2 days ago

Any suggestions for secrets management to distribute API keys/DB secrets/etc.?

For a self-hosted use case.

Currently, manually SSH into VPs and updating env files but not sure if its best practice.

Comment by CGamesPlay 2 days ago

SOPS reduces the surface area you need to cover. You can use Age as a backend and then you only need a long lived private key on the server. https://github.com/getsops/sops

Comment by Nextgrid 2 days ago

The bad guys will steal that private key and decrypt the encrypted secrets the same way they can steal the unencrypted secrets directly.

Comment by CGamesPlay 1 day ago

If they are already in your server, what are you protecting then?

Comment by Nextgrid 2 days ago

If it's a single application exposed to the internet that is using those tokens then an env file is perfectly fine. If the application gets breached the secrets will be in memory anyway (as the app needs them to do its work), so they will get exposed no matter how they were sourced.

If your vendors support IP-based restrictions (few do, thanks to "zero trust" and other bullshit), a very strong defense would be to enable that and restrict use of those secrets to your server's IP, so that the tokens become useless to anyone else even if leaked.

Comment by SlightlyLeftPad 2 days ago

I’d use the native secrets of your VM platform or something like 1password with an functional API.

Comment by Nextgrid 2 days ago

Yes if you get the hypervisor to provide the secrets this in theory means the secrets will be safe at rest... but if the VM gets breached (which is the scenario we're assuming here, as his VM is the one handling untrusted traffic from the internet), the secrets still get out.

One option is to use separate "proxy" VMs that proxy traffic to the external services and applies the secret. The main application VM uses those proxy VMs to talk to the external services. This means a compromise of the application VM will not be able to exfiltrate any secrets - it will merely be able to make use of them (by talking to the proxy VMs) while the attacker still has access. Post-breach remediation becomes easier as not only do you not need to rotate the secret (as it wasn't stolen, merely misused) but your proxy VM can provide a tamper-proof audit log to tell which malicious activity has happened, if any.

Comment by ProAm 2 days ago

If there has been one thing proven over the past 5 years is that the Home Depot IT department is useless and cant be trusted with anything regarding security.

Comment by htrp 2 days ago

it's easy to scan for publicly known services, really difficult to understand if a random string that says key somewhere is actually a random internal api key

Comment by hurturue 2 days ago

which is why a lot of services now prefix they keys with a fixed string like pat_, sk_,

Comment by jgbuddy 3 days ago

"Open Source Home Depot" has a nice ring to it

Comment by rao-v 3 days ago

I’m surprised that GitHub, OpenAI etc. doesn’t have automation to scan the usual surfaces for hashes of their access tokens.

It seems like a cheap and simple thing to offer your customers a little extra safety.

Anybody interested in starting a platform agnostic service to do this?

Comment by PokestarFan 3 days ago

GitHub already has a program to scan for keys, since publishing Discord tokens by mistake used to get the token immediately revoked and a DM from the system account saying why

Comment by 3eb7988a1663 3 days ago

I thought there were many first and third party services looking for this kind of thing (AWS, Github, GWS, crypto, etc tokens). Seems weird that a F500 company repo was not receiving the regular, let alone extra deep scanning which could have trivially found these.

There was a recent post from someone who made the realization that most of these scanning services only investigate the main branch. Extra gold in them hills if you also consider development branches.

Comment by wongarsu 2 days ago

For things pushed to github, github has quite sophisticated secret scanning. They have a huge list of providers where they will automatically verify if a potential key is real and revoke it automatically [2], and a smaller list of generic patters they try to match if you enable the matching of "non-provider patterns".

This seems to be a case of someone accidentally publishing their github token somewhere else. I'm not sure how github would cheaply and easily prevent that. Though there are third party tools that scan your web presence for secrets, including trying wordlists of common files or directories

1: https://docs.github.com/en/code-security/secret-scanning/int...

2: https://docs.github.com/en/code-security/secret-scanning/int...

Comment by CSSer 2 days ago

GitHub wants to sell a service. Keys are convenient. Better alternatives in authorization and authentication exist, and GitHub is very aware of them. They even offer and facilitate them. For example, see OIDC. But many users either want keys because they're used to them or GitHub is sure they do, so they continue to offer them to avoid friction. The alternatives require more parameters, thought, and coordination between services.

GitHub has deprecated classic tokens, but the new tokens are not backwards compatible. The deprecated tokens have also continued to be available for some time. Real security professionals will tell you flatly "tokens are bad", and they're right. They're leakable attack vectors. The tokens are the problem and discontinuation is the solution. Scanning is simply symptom treating, and given what I know about Microsoft culture, I doubt that's going to change soon or quickly.

Comment by lkt 2 days ago

They do scan but they miss a lot. The frequency decreased after Github started scanning all repositories but I still report leaked secrets to bug bounty programs pretty often. Unfortunately Home Depot don't have a bug bounty program so I don't scan them.

Comment by esafak 3 days ago

Where was this token found, in an open source repo? There are numerous ways to scan commits, for free even in open source repos: https://docs.github.com/en/code-security/secret-scanning/int...

Comment by tecleandor 3 days ago

They at least scan GitHub for all kind of exposed tokens in public repositories, and even have partnerships with the companies where you can connect with those tokens (SaaS, PaaS...) to verify they're valid and even revoke them automatically if necessary.

Comment by dudeWithAMood 3 days ago

I think there are crawlers that do that. Somehow I accidentally had a commit with an openai key in it, and when I published an open source repo with that commit within ~20 seconds I got an email from openai someone had retired my exposed key.

Comment by ralph84 2 days ago

The article doesn’t say where the Home Depot token was published. Almost certainly not on GitHub or it would have been invalidated. But AFAIK GitHub doesn’t crawl other sites looking for GitHub tokens. I suppose Microsoft could provide GitHub a feed of GitHub tokens found by their Bing crawlers.

Comment by freedomben 3 days ago

They definitely do have automation to scan for this already. I've seen plenty of alerts (fortunately all false positives that triggered on example keys that weren't real). I don't know how comprehensive it is, but it does exist.

Comment by nunez 2 days ago

GitHub does! They tell you when you pushed something dangerous almost right away.

GitHub Advanced Security blocks the push, I believe.

Comment by 3 days ago

Comment by VTimofeenko 3 days ago

Given the absolute state of their website on mobile it's hardly surprising. It's faster to find an employee and ask them where an item is at instead of waiting for the search to finish, see that it the "current store" now points to a random location somewhere in a different state, pick the correct store and re-do the search

Comment by craftkiller 3 days ago

If you go to the home depot page for torque wrenches and click the filter for drive size, you get this list:

  1/2 in
  1/4 in
  1 in
  3/8 in
  3/4 in
  Specialty

Here is the same list in decimal to make the insanity plainly obvious:

What sadistic lunatic made that sort order?! It's not based on size and it's not alphabetic.

Comment by tomjakubowski 3 days ago

I had to check what the gold standard McMaster-Carr does: their torque wrench drive size widget is sorted 1/4", 3/8", 1/2", 3/4", 1", 1 1/2". Glorious. https://www.mcmaster.com/products/torque-wrenches/

Comment by jjice 3 days ago

I'd expect nothing less from them. The right thing to do here is to implement a sorting key for different categories here. Since McMaster-Carr seems to be going to a category when you search, they seem to have better control over the available filters.

I've found that on a site like Amazon or Walmart that'll let you do a more freeform sort, the filter options becomes absolutely god awful.

Well done by McMaster-Carr. I assume they control their inventory a bit more than a marketplace like Home Depot, Walmart, or Amazon, so that's also an advantage.

Comment by pacoWebConsult 3 days ago

The schemas for Amazon and Walmart's product information are absolutely bonkers and constantly missing features that they demand be provided.

Here's the XML Schema Definition for "Product" on Amazon [1]

This is joined on each of the linked category schemas included at the type, of which each has unique properties that ultimately drive the metadata on a particular listing for the SKU. Its wrought with inconsistency, duplicated fields, and oftentimes not up-to-date with required information.

Ultimately, this product catalog information gets provided to Amazon, Walmart, Target, and any other large 3rd party marketplace site as a feed file from a vendor to drive what product they can then list pricing and inventory against (through similar feeds).

You are right that the control McMaster-Carr has on their catalog is the strategic and technological advantage.

[1]: https://images-na.ssl-images-amazon.com/images/G/01/rainier/...

Comment by wholinator2 3 days ago

Very interesting how nearly half the list is (assumedly) every single chemical listed under California Prop 65. Do they really need to specify exactly which chemical it is? I've seen thousands of prop 65 warnings in my life but I've literally never seen it tell me what chemical its warning me about. I just commented to a friends a couple weeks ago i wished they'd tell me what so i could look it up myself!

Comment by 2 days ago

Comment by rockostrich 3 days ago

McMaster-Carr's website is actually pretty impressive given how unassuming it is. It does a ton of pre-loading on hover and caching to make it feel like you're just navigating a static site. I didn't even realize that the page had a loading state until I enabled throttling from my network tab and immediately clicked on a link as soon as I hovered over it.

Comment by dboreham 3 days ago

Even more impressive is that it's something like 20 years old, and was basically the way it is now 20 years ago.

Comment by niij 2 days ago

See https://news.ycombinator.com/item?id=32976978

Comment by progbits 3 days ago

Mouser et al also do it right for mixed unit lists, eg. component dimensions are shown in their specified units but sorted as: 11mm, 12mm, 0.5in, 13mm, ...

Comment by hinkley 3 days ago

Is it weird that I kinda want to work there?

Comment by accidc 3 days ago

No. You are likely and automatically extrapolating the attention to detail seen in the outcome into believing that it is a reflection of the attention , thought and method of their internal workings.

Which is a good indicator, but you can’t be sure of. Additionally you may imagine liking it but not enjoy it in life, even if true.

Comment by bluedino 3 days ago

Now look up impact wrenches.

  1/2 in
  1 in
  1/4 in
  3/8 in
  3/4 in
  7/16 in

Comment by rpcope1 3 days ago

> 7/16 in

I had a major WTF moment there, until I realized that's probably for a hex driver (and thus something totally different than what I think of when someone says "impact wrench").

Comment by SoftTalker 3 days ago

It's probably a default ordering or an ordering by an unshown database ID value. It's a small enough set that it doesn't really matter for practical purposes, but I guess it does betray a lack of attention to detail.

Comment by wiredfool 3 days ago

It’s simple alphabetic.

Comment by neogodless 3 days ago

Is "slash" (/) before or after "space" ( ) ... or both... before and after it?

Is 8 before or after 4 in the alphabet?

Comment by bena 3 days ago

No, there's no reasonable ordering going on.

If it were ordered by ordinal values, "/" is 47 and " " is 32, so "1 in" would come before "1/2 in".

It's not alphabetized by letter word. Because while "Eight" comes before "Four", "Specialty" would come before "Three".

No matter which way you attempt to order it, something is out of order.

Softtalker probably got it right. This is some default or id sort.

Comment by VTimofeenko 3 days ago

Before. _E_ight vs _F_our.

Comment by superturkey650 3 days ago

But _T_wo is also before _F_our

Comment by VTimofeenko 3 days ago

The sorting briefly switches to reverse order there, so no contradiction.

Comment by antonvs 3 days ago

3/8 doesn’t come before 3/4 alphabetically.

Comment by gtowey 2 days ago

SELECT ... ORDER BY RAND()

Comment by nunez 2 days ago

This is sorted mostly alphabetically with an allowance for people being bad with fractions. That's my guess.

Comment by sowbug 3 days ago

Or when the site tells you your store doesn't have a part in stock, but neglects to tell you that they do have 350 of the identical part, different brand, in stock. Because who would ever buy a 1/2-inch close Halex rigid conduit close nipple in-store right now when they could wait a few days for a 1/2-inch close Commercial Electric rigid conduit nipple?

Comment by porphyra 3 days ago

I feel like the home depot website is fine. It's a lot better than most other shops, I've had a good experience finding the aisle and location of items, and it's generally accurate with the amount in stock at each location. If you didn't enable precise location or have bad cell signal then that is hardly the fault of the website.

Comment by VTimofeenko 3 days ago

I will not argue with the stock part. When the search _does_ finish, stock info is usually correct IME.

What grinds my gears is the speed of this search, regardless of the phone reception. Even on the desktop it feels like they have a bunch of interns running a sneakernet. Or the website is laden with pointless javascript that slows everything down before the search is actually performed.

I go to the same Home Depot every time. (Well I don't if I can help it, but that's beside the point). There is no reason they cannot store the preferred store in the localStorage or cookies or wherever else. Other stores have figured this out.

Comment by danudey 3 days ago

> Other stores have figured this out.

Not CostCo though! I open their page and immediately 'Can Costco.ca use your location?" I say yes and then it asks me what province I'm in. I tell it, and then it defaults me to a store 30 minutes' drive from here and not the one five minutes away. Every. Time.

Comment by bombcar 2 days ago

Costco’s website is worse than useless. It doesn’t tell you anything useful beyond the hours.

I have to believe it’s intentional.

Comment by patagurbon 3 days ago

Their internal setup was also an absolute mess as of 4 years ago. A horrific hybrid of extremely legacy systems and new systems created around COVID which are both nicer and also deeply lacking in features we needed as floor workers.

I understand that upgrading and migrating to new systems takes time but this process never seemed like it involved anyone on the ground.

Comment by garyfirestorm 3 days ago

its generally in HD stores you never have cell signal or wifi

Comment by freedomben 3 days ago

This is definitely true and makes the experience shittier than it otherwise would be, but even with a great signal/connection it frequently loads so slowly that I've long run out of patience.

Comment by LTL_FTC 3 days ago

I have gotten in the habit of looking up what isle and bay the thing I need is before I get there, and then I screenshot it because too many times the page has needed to reload and start over

Comment by brewtide 3 days ago

I bought a water heater that had a large (1k!) instant rebate that you had to scan, sign up on website and show the emailed coupon to the person during cashing out. Took me 25 minutes wandering around the store to get enough reception to actually do this process. Made me chuckle, thinking how having it online only but before point of sale in the store was such a terrible, terrible idea.

Comment by PaulDavisThe1st 2 days ago

Never noticed this. The SAF store has guest wifi and my mint/t-mobile 5G service inside is full strength.

Comment by 3 days ago

Comment by rigrassm 3 days ago

Nah, I use both the website and their shitty web wrapper app on a regular basis and it's been a dumpster fire for at least the last 2-3 years. 3-5 years ago when they first rebuilt everything it was much more pleasant but at this point it's clear no one is maintaining it and have just let it bloat and rot

Comment by kevin_thibedeau 2 days ago

Home Depot reuses SKUs for different product models. It's a gamble if you'll actually get what you ordered

Comment by kldavis4 3 days ago

also, when I'm in my local store it seems like cell connection goes to shit for some reason and then I have to jump on their in store wifi in order to search their website

Comment by danudey 3 days ago

> when I'm in my local store it seems like cell connection goes to shit for some reason

It's a giant steel and concrete box, that's probably the reason.

Comment by paleotrope 3 days ago

They probably don't have any repeaters. All those metal shelves are going to interfere with the signal. I have the same experience.

Comment by inferiorhuman 3 days ago

Their in-store WiFi is a repeater more or less. It's one of those bullshit forced auto-join networks that you can't opt out of (at least on iOS). Because that's not a massive vector for phishing or anything.

Comment by freedomben 3 days ago

Yes, although I've had terrible experience with their wifi. I'm sure it depends on the store, but coverage is usually terrible and highly spotty, so if you're walking around or standing in the wrong area, it stops working.

At one point I also had to disable wireguard because I think it was triggering some sort of anti-abuse thing they had. It wasn't even using an exit node, just bridging me to my home network so I could access self-hosted services. I get the desire for anti-abuse, but that felt pretty draconian and I don't expect the average person to consider they might have to disable a VPN to get it to work, especially nowadays when many average people do have VPNs running.

Comment by mirashii 3 days ago

This is a network carrier setting, the issue is that T-Mobile (and maybe others) pushes a profile that does this as part of their network configuration.

Comment by inferiorhuman 3 days ago

Right, so you can't opt-out of it.

Comment by klardotsh 2 days ago

I went to Wi-Fi settings, "Edit" in top right, scroll to bottom "Managed" section, and was able to turn off "Auto-Join" for the "t-mobile" managed network just fine. I did this many months ago, I think because I was infuriated at the idea of auto-connecting to a Wi-Fi network I did not opt in to, but regardless, the checkbox has remained off through a few OS updates since (on 26.1 now with a T-Mo prepaid eSIM).

Comment by inferiorhuman 2 days ago

There's no "Managed" section showing up on my phone and the last time I set that network to not auto-join it still did. Lesson learned, I just turn off WiFi and Bluetooth before heading out to Home Depot.

Comment by yelling_cat 2 days ago

I was livid when I discovered that my carrier had implemented that with no opt out. I worked around it by implementing shortcuts that disable my iPhone's WiFi when I leave my house until I've returned or reached one of the handful of other places I use it. It's ridiculous that something like that is necessary, though.

Comment by fn-mote 3 days ago

Always wondered if this was a deliberate strategy to enable more tracking… but it sounds way beyond the ability of their corporate planning.

Comment by freedomben 3 days ago

Indeed, Home Depot's software is generally so bad. I remember around 2017/2018 time frame when they started showing up to big tech conferences (especially K8s and React.js conferences) really trying to modernize. I spent a few minutes talking to the people manning the booth (which were surprisingly high ranking in the company, at least by title), and came away thinking "I'm glad you're making an effort, but y'all really have no idea what you're doing." The left hand and the right hand had completely different ideas/priorities about how to accomplish their goals. I didn't want to make any judgments on a simple conversation at a conference, but at this point I think time has shown that it was pretty representative of how they were approaching it internally, and unsurprisingly it did not work out super well.

Now that said, I don't want to minimize the difficulty in modernizing software at a corp like HD. It's wildly more difficult than most people can appreciate. I've consulted for companies trying to do it, and there are lots of challenges with legacy systems, migrations, and plenty of non-technical challenges as well.

Shout out to Wal-mart for genuinely kicking ass at this though. I'm quickly becoming an Onn fanboy. Genearlly speaking, great products at great prices, from their USB cables up to their smart speakers and more. You can really tell from the product design and implementation that they are letting the nerds geek out and have fun! That in turn enables me to do the same :-)

Comment by rpcope1 3 days ago

I'll bet money any new React/K8s/${WEBSCALE} stuff they're building is still just a wrapper over the same old inventory management they've been using for years...probably something like JDEdwards on AS/400.

Comment by grosales 3 days ago

You would lose that bet. Walmart has invested a LOT in modernizing stuff over the last 10 years. You cannot deliver groceries in less than an hour using the old inventory. It's not perfect, but what it's been done given the scale , it's nothing short of a miracle. Source: I have been working there for 10 years.

Comment by rpcope1 20 hours ago

I was talking HD. Walmart has a rep for being a decent tech shop and given how well all their stuff seems to work, I would not be remotely surprised if they weren't on the leading edge of good software.

Comment by eep_social 2 days ago

surely gp was referring to HD ;)

Comment by ajcp 2 days ago

It's sadly all too common. I worked at a Fortune50 retailer with a massive IT org. Was on a call one day with one of our most Senior Ent Arch who was excitedly telling me about how "these Java scripts" were the hot new thing and we were building "modern web 3.0 pages" with them. He did not understand the difference between Java and JavaScript or a blockchain branding exercise and SPAs.

Comment by nunez 2 days ago

I think they made some splashy hires at the time, and they contributed to the Google SRE workbook. Same as Walmart. They definitely tried. Corporate inertia is a killer.

Comment by TallGuyShort 3 days ago

I've never had an employee know what a tool is, much less where to find it. All they're doing is doing this process on a slower, ruggedized phone.

I literally watched someone Google "masonry bit" right in front of me.

Comment by sh34r 2 days ago

It varies a lot by store. I’ve been to HDs where they’re all useless, and others where there’s a good number of knowledgeable DIYers working there.

I think a lot of people just expect too much from a big box store employee making $17/hr… You go to HD because you have an easy job and you’re as cheap as their MBAs. If you need help, go to a supply house or an Ace Hardware or something.

Comment by klardotsh 2 days ago

Fully this. Every Ace or Do It Best I've been to in Washington has had at least one Rugged Grandpa ™ on staff who could have given me a PhD-level essay on whatever I asked them about; at Home Depot I'm lucky if the folks there have any idea what an impact-rated bit is or why I specifically need one and NO please stop trying to sell me this other crap if you're sold out of the impact bits, they are NOT the same!

(It gets worse the further from the power tools section you get, I find. I had to explain the difference between a three-prong and four-prong 240V plug once at HD and promptly told my friend to stop asking the staff for "help" finding things.)

Comment by quickthrowman 2 days ago

> It gets worse the further from the power tools section you get, I find. I had to explain the difference between a three-prong and four-prong 240V plug once at HD and promptly told my friend to stop asking the staff for "help" finding things.

The best feature of Home Depot is order pickup. No need to explain to someone that some appliances use both 120V for control power and 240V power for the motor or heating element; or that you’re installing a receptacle to backfeed a 120/240V panel with a 120/240V generator and therefore you need a 4-wire NEMA 14 series receptacle with a neutral conductor, you just buy one and pick it up from a locker. It’s made buying things from Home Depot tolerable for me, I’m used to buying material from supply houses where the folks are knowledgeable, I know that’s not the case at HD so I don’t even bother asking.

Comment by niij 2 days ago

I am buying an impact driver for someone for christmas. Any recommendations on a fastner/drill bit set?

Comment by klardotsh 6 hours ago

I use the Milwaukee Shockwave bit sets almost exclusively, they’ve never let me down.

Comment by patagurbon 3 days ago

The store I worked at for a while had a surprising number of real bearded experts, alongside at least a few younger folks who really understood the internal systems. It was great, but clearly was eroding as the experts retired and young folks with no experience were hired to replace them.

Comment by sidewndr46 2 days ago

I asked an employee for something by part number and described it. The answer he gave was "why the hell would you want that anyways? I've worked here 13 years and never seen one". I found it on a shelf a few levels up and used a grounding rod from the electrical section to spear it and bring it down to ground level

Comment by darrylb42 3 days ago

Though they should be on in store wifi. The big steel box store is a faraday cage that doesn't let the internet in.

Comment by RankingMember 3 days ago

Thanks for reminding me to uninstall that godawful app, which is like their website, but somehow even slower/clunkier.

Comment by hinkley 3 days ago

> the "current store" now points to a random location somewhere in a different state

I thought that was just me. It gets the first, maybe the second digit of the zip code right and that's about it.

Comment by MSFT_Edging 3 days ago

Jokes on you, all the employees do is use their mobile site as well.

Comment by jgbuddy 3 days ago

MSFT Edging

Comment by rurp 3 days ago

I literally couldn't load their website with my previous Pixel phone. The performance was so terrible it would grind to a halt and freeze or crash.

Comment by Rebelgecko 3 days ago

Someone made their own version of the HD app that works much better:

https://www.reddit.com/r/Tools/comments/1opufvq/a_lightweigh...

Comment by pkaye 3 days ago

Its hard to locate anything in their stores these days and its even harder to find any staff. So what I do is order for pickup and let them do the work.

Comment by srathi 2 days ago

Not as bad as Costco. Their app and website are still stuck in 90s.

Comment by denysvitali 3 days ago

Someone should use their GH token to fix their website

Comment by y-c-o-m-b 3 days ago

I think the same people/platform made the Best Buy mobile website, they look very similar. Just absolutely atrocious design. It's slow, the UI elements bounce all over the place, it forgets your selections, and godspeed if for whatever reason you need to refresh the page because something chose not to render. That's outside of the store on a good connection. Doing this IN the store is a whole new level of hair pulling frustration.

Also I once asked an employee for help locating an item and they told me to pull up the app. I was like "you pull up the app", and we sat there for 5 minutes waiting for things to load until he decided he'll just help me locate the item lol

Comment by danudey 3 days ago

I'm just happy that Best Buy recently added the ability to filter out items they cannot actually sell me. The amount of searches I would do where I had to scroll through page after page of 'not available online' 'not available in store' items in order to find a search result they actually had was ridiculous.

Now Home Depot for some reason just doesn't load on mobile (white screen) unless I disable content filtering in the browser. Classy.

Comment by datavirtue 2 days ago

Exactly, their site and apps are trash.

Comment by indigodaddy 3 days ago

Wow, the non-response/communication at any time by Home Depot to all parties involved in trying to help them, is staggering.

Comment by ultrarunner 3 days ago

Too busy going all-in on Flock cameras. This was the nail in the coffin for me.

[0] https://deflock.me/map#map=17/33.639428/-111.976540

Comment by cyral 3 days ago

Not entirely unsurprising due to the theft issues they face

Comment by xeromal 3 days ago

Yeah, I'm not sure why so many people seem pro-theft for a lack of a better term. I don't believe they are but there's so much resistance to locking up high value items especially if they're valuable ones.

Comment by ultrarunner 3 days ago

Maybe you're not familiar with Flock Safety, but my comment is not about locking up high value items. It's more about my location information being shipped to weird police circles by big box stores.

[0] deflock.me

[1] https://www.youtube.com/watch?v=uB0gr7Fh6lY

Comment by estimator7292 3 days ago

People are anti-surveillance, not pro-theft.

Although, plenty of people are pro-theft from the corporations sucking our towns and local economies dry and paying so little that their employees have to rely on foodstamps.

Comment by Computer0 3 days ago

Home Depot making money doesn't make my town rich, the smaller shops making money do. The big corps just suck suck suck.

Comment by pilingual 3 days ago

Perhaps just anti-shitty UX.

https://dan.bulwinkle.net/blog/trader-joes-does-not-have-sur...

Comment by SoftTalker 3 days ago

Seems that all the big box stores are doing that. Lowes does it here for sure.

Comment by el_benhameen 3 days ago

If you’ve ever tried to find an employee in one of their stores, this won’t be very surprising.

Comment by reactordev 3 days ago

Go in knowing exactly what you want and you’ll be asked by no less than 3 employees if you need help finding anything.

Comment by AznHisoka 3 days ago

Purely anecdotal, but I found Lowe's generally had much better customer service. But maybe it's just where I live

Comment by RankingMember 3 days ago

Yeah I think it'll be location dependent. FWIW I've got both by me and they're equally terrible as far as the availability and knowledge of their employees. Lowes edges out Home Depot a tiny bit for me simply because I've never been accosted by a sanctioned in-store roaming sales person for solar or siding at Lowes (yet!).

Comment by antonymoose 3 days ago

I get hit up for gutter guards every trip at my Lowe’s. I have a stationary woman hawking Generac and HVAC installs at my Home Depot.

I’d agree though, it’s department dependent. The electrical at my HD is an unorganized mess, but their plumbing section is world-class. Lowe’s is oddly flip-flopped. To Lowe’s great credit, their staff has those little tablets with inventory locations on them including all the top-shelf and end cap locations the website doesn’t show. Those usually save my trip, HD doesn’t seem to have an equivalent.

Comment by bombcar 2 days ago

HD has it, but it lies, and is horribly inaccurate.

Comment by wnevets 3 days ago

> Yeah I think it'll be location dependent

I've found it to be very datetime dependent. I walking the aisles on a late Sunday night recently and the only time I saw an employee was at the self checkout before I left.

Comment by tclancy 3 days ago

That was true for a long time, but before that, Home Depot's customer service was terrific too. I think that's a cost that gets cut by a focus on shareholder value. Local hardware stores are still going to be better, with the caveat it may take a decade before they smile when you walk in.

Comment by sh34r 2 days ago

> with the caveat it may take a decade before they smile when you walk in.

That’s damn good customer service right there, if you ask me. The fake-chipper act makes me want to dive into a wood chipper…

Comment by ssl-3 2 days ago

I used to frequent a wonderful Ace Hardware with some regularity.

The old lady that always seemed to be behind the register eventually started greeting me by name when I walked in. (I don't recall ever giving her my name; maybe she remembered seeing on a credit card or something.)

After the pleasantries (which didn't seem fake at all), one of the greybeards present would appoint themselves as my personal shopper. I'd go down my list of demands that was only vaguely sorted by department: "One M8x1.25x80mm all-thread stainless Philips screw, a 16x20 furnace filter, a box of #8x3/4 sheet metal screws, and uh... what do you have for can openers?"

And then we'd make a lap or two of the store to get these things, and I'd pay and GTFO.

It was great.

Comment by sh34r 2 days ago

Purely anecdotal as well but it really feels like a quantity over quality thing between the two. It takes significantly longer to find someone in orange, but they’re as helpful as I can reasonably expect. Whereas Lowe’s employees tend to be both useless and annoying.

Comment by michaelcampbell 2 days ago

Very location dependent. Within the same metro area in one place we lived Lowes was better; in another less than 20 miles away, HD is.

But for actual help and humanity (if you can afford the price and the more limited selection), Ace is consistently better near where I am.

Comment by datavirtue 2 days ago

Same here in Cincinnati. Lowe's is far better than Home Depot. Everyone at HD clearly hates their job. Probably not their fault.

Comment by barbazoo 3 days ago

Opposite data point, where I live, there's lots of people working the floor. I'm usually asked if I need help at least once when I'm there. Maybe it depends on the store or whatever the umbrella org is.