>When reached by TechCrunch on December 5, Home Depot spokesperson George Lane acknowledged receipt of our email but did not respond to follow-up emails asking for comment. The exposed token is no longer online, and the researcher said the token’s access was revoked soon after our outreach.
>
>We also asked Lane if Home Depot has the technical means, such as logs, to determine if anyone else used the token during the months it was left online to access any of Home Depot’s internal systems. We did not hear back.
As soon as they realized that the researcher had contacted "the media", they probably escalated internally to their legal team before anyone else, who told them to shut up.
The response, if one ever comes, will be a communication dense in lawyer-speak that admits no fault whatsoever.
Obviously we would all like a full post mortem from the home dept side, but in today's litigious shareholder-value-driven world their response is the correct one.
Last week I accidentally exposed my OpenAI, Anthropic, and Gemini keys. They somehow ended up in Claude Code logs(!) Within seconds I got an email from Anthropic and they have already disabled my keys. Neither OpenAI nor Google alerted me in anyway. I was able to login to OpenAI and delete all the keys quickly.
Took me a good 10-15 minutes to _just_ _find_ where Gemini/AI Studio/Vortex projects keys _might_ be! I had to "import project" before I could find where the key is. Google knew key was exposed but the key seemed to be still active with a "!" next to it!
With a lot of vibe coding happening, key hygiene becomes crucial on both issuer and user ends.
How did they get leak them? Just someone getting into your personal Claude Code logs? I'm surprised that if it was just that Google would even be aware they're leaked.
I've accidentally pushed a personal PAT(ro) to both Github and gist because of poor hygiene in personal projects, both times Github dropped the PAT and notified me.
Yeah I'm impressed they even managed to publish a personal token. My experience with GitHub's automated token recognition has also been positive (tho the tokens were never of any consequence)
Presumably you'd want human habitable atmosphere on the inside of the sphere, which would radically change the equation against the use of wood unfortunately.
If there has been one thing proven over the past 5 years is that the Home Depot IT department is useless and cant be trusted with anything regarding security.
it's easy to scan for publicly known services, really difficult to understand if a random string that says key somewhere is actually a random internal api key
For things pushed to github, github has quite sophisticated secret scanning. They have a huge list of providers where they will automatically verify if a potential key is real and revoke it automatically [2], and a smaller list of generic patters they try to match if you enable the matching of "non-provider patterns".
This seems to be a case of someone accidentally publishing their github token somewhere else. I'm not sure how github would cheaply and easily prevent that. Though there are third party tools that scan your web presence for secrets, including trying wordlists of common files or directories
GitHub wants to sell a service. Keys are convenient. Better alternatives in authorization and authentication exist, and GitHub is very aware of them. They even offer and facilitate them. For example, see OIDC. But many users either want keys because they're used to them or GitHub is sure they do, so they continue to offer them to avoid friction. The alternatives require more parameters, thought, and coordination between services.
GitHub has deprecated classic tokens, but the new tokens are not backwards compatible. The deprecated tokens have also continued to be available for some time. Real security professionals will tell you flatly "tokens are bad", and they're right. They're leakable attack vectors. The tokens are the problem and discontinuation is the solution. Scanning is simply symptom treating, and given what I know about Microsoft culture, I doubt that's going to change soon or quickly.
GitHub already has a program to scan for keys, since publishing Discord tokens by mistake used to get the token immediately revoked and a DM from the system account saying why
I thought there were many first and third party services looking for this kind of thing (AWS, Github, GWS, crypto, etc tokens). Seems weird that a F500 company repo was not receiving the regular, let alone extra deep scanning which could have trivially found these.
There was a recent post from someone who made the realization that most of these scanning services only investigate the main branch. Extra gold in them hills if you also consider development branches.
They do scan but they miss a lot. The frequency decreased after Github started scanning all repositories but I still report leaked secrets to bug bounty programs pretty often.
Unfortunately Home Depot don't have a bug bounty program so I don't scan them.
I think there are crawlers that do that. Somehow I accidentally had a commit with an openai key in it, and when I published an open source repo with that commit within ~20 seconds I got an email from openai someone had retired my exposed key.
They at least scan GitHub for all kind of exposed tokens in public repositories, and even have partnerships with the companies where you can connect with those tokens (SaaS, PaaS...) to verify they're valid and even revoke them automatically if necessary.
They definitely do have automation to scan for this already. I've seen plenty of alerts (fortunately all false positives that triggered on example keys that weren't real). I don't know how comprehensive it is, but it does exist.
Given the absolute state of their website on mobile it's hardly surprising. It's faster to find an employee and ask them where an item is at instead of waiting for the search to finish, see that it the "current store" now points to a random location somewhere in a different state, pick the correct store and re-do the search
I had to check what the gold standard McMaster-Carr does: their torque wrench drive size widget is sorted 1/4", 3/8", 1/2", 3/4", 1", 1 1/2". Glorious. https://www.mcmaster.com/products/torque-wrenches/
I'd expect nothing less from them. The right thing to do here is to implement a sorting key for different categories here. Since McMaster-Carr seems to be going to a category when you search, they seem to have better control over the available filters.
I've found that on a site like Amazon or Walmart that'll let you do a more freeform sort, the filter options becomes absolutely god awful.
Well done by McMaster-Carr. I assume they control their inventory a bit more than a marketplace like Home Depot, Walmart, or Amazon, so that's also an advantage.
The schemas for Amazon and Walmart's product information are absolutely bonkers and constantly missing features that they demand be provided.
Here's the XML Schema Definition for "Product" on Amazon [1]
This is joined on each of the linked category schemas included at the type, of which each has unique properties that ultimately drive the metadata on a particular listing for the SKU. Its wrought with inconsistency, duplicated fields, and oftentimes not up-to-date with required information.
Ultimately, this product catalog information gets provided to Amazon, Walmart, Target, and any other large 3rd party marketplace site as a feed file from a vendor to drive what product they can then list pricing and inventory against (through similar feeds).
You are right that the control McMaster-Carr has on their catalog is the strategic and technological advantage.
Very interesting how nearly half the list is (assumedly) every single chemical listed under California Prop 65. Do they really need to specify exactly which chemical it is? I've seen thousands of prop 65 warnings in my life but I've literally never seen it tell me what chemical its warning me about. I just commented to a friends a couple weeks ago i wished they'd tell me what so i could look it up myself!
McMaster-Carr's website is actually pretty impressive given how unassuming it is. It does a ton of pre-loading on hover and caching to make it feel like you're just navigating a static site. I didn't even realize that the page had a loading state until I enabled throttling from my network tab and immediately clicked on a link as soon as I hovered over it.
Mouser et al also do it right for mixed unit lists, eg. component dimensions are shown in their specified units but sorted as: 11mm, 12mm, 0.5in, 13mm, ...
No. You are likely and automatically extrapolating the attention to detail seen in the outcome into believing that it is a reflection of the attention , thought and method of their internal workings.
Which is a good indicator, but you can’t be sure of. Additionally you may imagine liking it but not enjoy it in life, even if true.
I had a major WTF moment there, until I realized that's probably for a hex driver (and thus something totally different than what I think of when someone says "impact wrench").
It's probably a default ordering or an ordering by an unshown database ID value. It's a small enough set that it doesn't really matter for practical purposes, but I guess it does betray a lack of attention to detail.
Or when the site tells you your store doesn't have a part in stock, but neglects to tell you that they do have 350 of the identical part, different brand, in stock. Because who would ever buy a 1/2-inch close Halex rigid conduit close nipple in-store right now when they could wait a few days for a 1/2-inch close Commercial Electric rigid conduit nipple?
I feel like the home depot website is fine. It's a lot better than most other shops, I've had a good experience finding the aisle and location of items, and it's generally accurate with the amount in stock at each location. If you didn't enable precise location or have bad cell signal then that is hardly the fault of the website.
I will not argue with the stock part. When the search _does_ finish, stock info is usually correct IME.
What grinds my gears is the speed of this search, regardless of the phone reception. Even on the desktop it feels like they have a bunch of interns running a sneakernet. Or the website is laden with pointless javascript that slows everything down before the search is actually performed.
I go to the same Home Depot every time. (Well I don't if I can help it, but that's beside the point). There is no reason they cannot store the preferred store in the localStorage or cookies or wherever else. Other stores have figured this out.
Not CostCo though! I open their page and immediately 'Can Costco.ca use your location?" I say yes and then it asks me what province I'm in. I tell it, and then it defaults me to a store 30 minutes' drive from here and not the one five minutes away. Every. Time.
Their internal setup was also an absolute mess as of 4 years ago. A horrific hybrid of extremely legacy systems and new systems created around COVID which are both nicer and also deeply lacking in features we needed as floor workers.
I understand that upgrading and migrating to new systems takes time but this process never seemed like it involved anyone on the ground.
This is definitely true and makes the experience shittier than it otherwise would be, but even with a great signal/connection it frequently loads so slowly that I've long run out of patience.
I have gotten in the habit of looking up what isle and bay the thing I need is before I get there, and then I screenshot it because too many times the page has needed to reload and start over
I bought a water heater that had a large (1k!) instant rebate that you had to scan, sign up on website and show the emailed coupon to the person during cashing out. Took me 25 minutes wandering around the store to get enough reception to actually do this process. Made me chuckle, thinking how having it online only but before point of sale in the store was such a terrible, terrible idea.
Nah, I use both the website and their shitty web wrapper app on a regular basis and it's been a dumpster fire for at least the last 2-3 years. 3-5 years ago when they first rebuilt everything it was much more pleasant but at this point it's clear no one is maintaining it and have just let it bloat and rot
Indeed, Home Depot's software is generally so bad. I remember around 2017/2018 time frame when they started showing up to big tech conferences (especially K8s and React.js conferences) really trying to modernize. I spent a few minutes talking to the people manning the booth (which were surprisingly high ranking in the company, at least by title), and came away thinking "I'm glad you're making an effort, but y'all really have no idea what you're doing." The left hand and the right hand had completely different ideas/priorities about how to accomplish their goals. I didn't want to make any judgments on a simple conversation at a conference, but at this point I think time has shown that it was pretty representative of how they were approaching it internally, and unsurprisingly it did not work out super well.
Now that said, I don't want to minimize the difficulty in modernizing software at a corp like HD. It's wildly more difficult than most people can appreciate. I've consulted for companies trying to do it, and there are lots of challenges with legacy systems, migrations, and plenty of non-technical challenges as well.
Shout out to Wal-mart for genuinely kicking ass at this though. I'm quickly becoming an Onn fanboy. Genearlly speaking, great products at great prices, from their USB cables up to their smart speakers and more. You can really tell from the product design and implementation that they are letting the nerds geek out and have fun! That in turn enables me to do the same :-)
I'll bet money any new React/K8s/${WEBSCALE} stuff they're building is still just a wrapper over the same old inventory management they've been using for years...probably something like JDEdwards on AS/400.
You would lose that bet. Walmart has invested a LOT in modernizing stuff over the last 10 years. You cannot deliver groceries in less than an hour using the old inventory. It's not perfect, but what it's been done given the scale , it's nothing short of a miracle.
Source: I have been working there for 10 years.
It's sadly all too common. I worked at a Fortune50 retailer with a massive IT org. Was on a call one day with one of our most Senior Ent Arch who was excitedly telling me about how "these Java scripts" were the hot new thing and we were building "modern web 3.0 pages" with them. He did not understand the difference between Java and JavaScript or a blockchain branding exercise and SPAs.
I think they made some splashy hires at the time, and they contributed to the Google SRE workbook. Same as Walmart. They definitely tried. Corporate inertia is a killer.
also, when I'm in my local store it seems like cell connection goes to shit for some reason and then I have to jump on their in store wifi in order to search their website
Their in-store WiFi is a repeater more or less. It's one of those bullshit forced auto-join networks that you can't opt out of (at least on iOS). Because that's not a massive vector for phishing or anything.
Yes, although I've had terrible experience with their wifi. I'm sure it depends on the store, but coverage is usually terrible and highly spotty, so if you're walking around or standing in the wrong area, it stops working.
At one point I also had to disable wireguard because I think it was triggering some sort of anti-abuse thing they had. It wasn't even using an exit node, just bridging me to my home network so I could access self-hosted services. I get the desire for anti-abuse, but that felt pretty draconian and I don't expect the average person to consider they might have to disable a VPN to get it to work, especially nowadays when many average people do have VPNs running.
This is a network carrier setting, the issue is that T-Mobile (and maybe others) pushes a profile that does this as part of their network configuration.
I went to Wi-Fi settings, "Edit" in top right, scroll to bottom "Managed" section, and was able to turn off "Auto-Join" for the "t-mobile" managed network just fine. I did this many months ago, I think because I was infuriated at the idea of auto-connecting to a Wi-Fi network I did not opt in to, but regardless, the checkbox has remained off through a few OS updates since (on 26.1 now with a T-Mo prepaid eSIM).
There's no "Managed" section showing up on my phone and the last time I set that network to not auto-join it still did. Lesson learned, I just turn off WiFi and Bluetooth before heading out to Home Depot.
I was livid when I discovered that my carrier had implemented that with no opt out. I worked around it by implementing shortcuts that disable my iPhone's WiFi when I leave my house until I've returned or reached one of the handful of other places I use it. It's ridiculous that something like that is necessary, though.
It varies a lot by store. I’ve been to HDs where they’re all useless, and others where there’s a good number of knowledgeable DIYers working there.
I think a lot of people just expect too much from a big box store employee making $17/hr… You go to HD because you have an easy job and you’re as cheap as their MBAs. If you need help, go to a supply house or an Ace Hardware or something.
Fully this. Every Ace or Do It Best I've been to in Washington has had at least one Rugged Grandpa ™ on staff who could have given me a PhD-level essay on whatever I asked them about; at Home Depot I'm lucky if the folks there have any idea what an impact-rated bit is or why I specifically need one and NO please stop trying to sell me this other crap if you're sold out of the impact bits, they are NOT the same!
(It gets worse the further from the power tools section you get, I find. I had to explain the difference between a three-prong and four-prong 240V plug once at HD and promptly told my friend to stop asking the staff for "help" finding things.)
The store I worked at for a while had a surprising number of real bearded experts, alongside at least a few younger folks who really understood the internal systems. It was great, but clearly was eroding as the experts retired and young folks with no experience were hired to replace them.
I asked an employee for something by part number and described it. The answer he gave was "why the hell would you want that anyways? I've worked here 13 years and never seen one". I found it on a shelf a few levels up and used a grounding rod from the electrical section to spear it and bring it down to ground level
Its hard to locate anything in their stores these days and its even harder to find any staff. So what I do is order for pickup and let them do the work.
I think the same people/platform made the Best Buy mobile website, they look very similar. Just absolutely atrocious design. It's slow, the UI elements bounce all over the place, it forgets your selections, and godspeed if for whatever reason you need to refresh the page because something chose not to render. That's outside of the store on a good connection. Doing this IN the store is a whole new level of hair pulling frustration.
Also I once asked an employee for help locating an item and they told me to pull up the app. I was like "you pull up the app", and we sat there for 5 minutes waiting for things to load until he decided he'll just help me locate the item lol
I'm just happy that Best Buy recently added the ability to filter out items they cannot actually sell me. The amount of searches I would do where I had to scroll through page after page of 'not available online' 'not available in store' items in order to find a search result they actually had was ridiculous.
Now Home Depot for some reason just doesn't load on mobile (white screen) unless I disable content filtering in the browser. Classy.
Yeah, I'm not sure why so many people seem pro-theft for a lack of a better term. I don't believe they are but there's so much resistance to locking up high value items especially if they're valuable ones.
Maybe you're not familiar with Flock Safety, but my comment is not about locking up high value items. It's more about my location information being shipped to weird police circles by big box stores.
Although, plenty of people are pro-theft from the corporations sucking our towns and local economies dry and paying so little that their employees have to rely on foodstamps.
Yeah I think it'll be location dependent. FWIW I've got both by me and they're equally terrible as far as the availability and knowledge of their employees. Lowes edges out Home Depot a tiny bit for me simply because I've never been accosted by a sanctioned in-store roaming sales person for solar or siding at Lowes (yet!).
I get hit up for gutter guards every trip at my Lowe’s. I have a stationary woman hawking Generac and HVAC installs at my Home Depot.
I’d agree though, it’s department dependent. The electrical at my HD is an unorganized mess, but their plumbing section is world-class. Lowe’s is oddly flip-flopped. To Lowe’s great credit, their staff has those little tablets with inventory locations on them including all the top-shelf and end cap locations the website doesn’t show. Those usually save my trip, HD doesn’t seem to have an equivalent.
I've found it to be very datetime dependent. I walking the aisles on a late Sunday night recently and the only time I saw an employee was at the self checkout before I left.
That was true for a long time, but before that, Home Depot's customer service was terrific too. I think that's a cost that gets cut by a focus on shareholder value. Local hardware stores are still going to be better, with the caveat it may take a decade before they smile when you walk in.
I used to frequent a wonderful Ace Hardware with some regularity.
The old lady that always seemed to be behind the register eventually started greeting me by name when I walked in. (I don't recall ever giving her my name; maybe she remembered seeing on a credit card or something.)
After the pleasantries (which didn't seem fake at all), one of the greybeards present would appoint themselves as my personal shopper. I'd go down my list of demands that was only vaguely sorted by department: "One M8x1.25x80mm all-thread stainless Philips screw, a 16x20 furnace filter, a box of #8x3/4 sheet metal screws, and uh... what do you have for can openers?"
And then we'd make a lap or two of the store to get these things, and I'd pay and GTFO.
Purely anecdotal as well but it really feels like a quantity over quality thing between the two. It takes significantly longer to find someone in orange, but they’re as helpful as I can reasonably expect. Whereas Lowe’s employees tend to be both useless and annoying.
Opposite data point, where I live, there's lots of people working the floor. I'm usually asked if I need help at least once when I'm there. Maybe it depends on the store or whatever the umbrella org is.
>When reached by TechCrunch on December 5, Home Depot spokesperson George Lane acknowledged receipt of our email but did not respond to follow-up emails asking for comment. The exposed token is no longer online, and the researcher said the token’s access was revoked soon after our outreach.
>
>We also asked Lane if Home Depot has the technical means, such as logs, to determine if anyone else used the token during the months it was left online to access any of Home Depot’s internal systems. We did not hear back.
As soon as they realized that the researcher had contacted "the media", they probably escalated internally to their legal team before anyone else, who told them to shut up.
The response, if one ever comes, will be a communication dense in lawyer-speak that admits no fault whatsoever.
I mean you can't fault them for that approach.
Obviously we would all like a full post mortem from the home dept side, but in today's litigious shareholder-value-driven world their response is the correct one.
Last week I accidentally exposed my OpenAI, Anthropic, and Gemini keys. They somehow ended up in Claude Code logs(!) Within seconds I got an email from Anthropic and they have already disabled my keys. Neither OpenAI nor Google alerted me in anyway. I was able to login to OpenAI and delete all the keys quickly.
Took me a good 10-15 minutes to _just_ _find_ where Gemini/AI Studio/Vortex projects keys _might_ be! I had to "import project" before I could find where the key is. Google knew key was exposed but the key seemed to be still active with a "!" next to it!
With a lot of vibe coding happening, key hygiene becomes crucial on both issuer and user ends.
How did they get leak them? Just someone getting into your personal Claude Code logs? I'm surprised that if it was just that Google would even be aware they're leaked.
> With a lot of vibe coding happening
I shudder to think of the implications.
Consider all the security disasters we already get from brogramming, and multiply that, times 100.
I've accidentally pushed a personal PAT(ro) to both Github and gist because of poor hygiene in personal projects, both times Github dropped the PAT and notified me.
Yeah I'm impressed they even managed to publish a personal token. My experience with GitHub's automated token recognition has also been positive (tho the tokens were never of any consequence)
Any suggestions for secrets management to distribute API keys/DB secrets/etc.?
For a self-hosted use case.
Currently, manually SSH into VPs and updating env files but not sure if its best practice.
I’d use the native secrets of your VM platform or something like 1password with an functional API.
Man, a year to grab all the Home Depot 2x4s you want! Someone could have built a sphere with those.
I don't know how well lumber holds up to the bottom of the ocean
Pretty good actually. With the salt, lack of oxygen and pressure it can last quite a long time.
Presumably you'd want human habitable atmosphere on the inside of the sphere, which would radically change the equation against the use of wood unfortunately.
What's the biggest damage someone could have done with that info?
- Download all the source code and look for vulnerabilities at their leisure.
- Depending on whether they use GH for deployments they can also introduce features to production that can help them
If there has been one thing proven over the past 5 years is that the Home Depot IT department is useless and cant be trusted with anything regarding security.
it's easy to scan for publicly known services, really difficult to understand if a random string that says key somewhere is actually a random internal api key
which is why a lot of services now prefix they keys with a fixed string like pat_, sk_,
"Open Source Home Depot" has a nice ring to it
Wow, someone could have used the data from internal systems to do some serious insider trading
I’m surprised that GitHub, OpenAI etc. doesn’t have automation to scan the usual surfaces for hashes of their access tokens.
It seems like a cheap and simple thing to offer your customers a little extra safety.
Anybody interested in starting a platform agnostic service to do this?
For things pushed to github, github has quite sophisticated secret scanning. They have a huge list of providers where they will automatically verify if a potential key is real and revoke it automatically [2], and a smaller list of generic patters they try to match if you enable the matching of "non-provider patterns".
This seems to be a case of someone accidentally publishing their github token somewhere else. I'm not sure how github would cheaply and easily prevent that. Though there are third party tools that scan your web presence for secrets, including trying wordlists of common files or directories
1: https://docs.github.com/en/code-security/secret-scanning/int...
2: https://docs.github.com/en/code-security/secret-scanning/int...
GitHub wants to sell a service. Keys are convenient. Better alternatives in authorization and authentication exist, and GitHub is very aware of them. They even offer and facilitate them. For example, see OIDC. But many users either want keys because they're used to them or GitHub is sure they do, so they continue to offer them to avoid friction. The alternatives require more parameters, thought, and coordination between services.
GitHub has deprecated classic tokens, but the new tokens are not backwards compatible. The deprecated tokens have also continued to be available for some time. Real security professionals will tell you flatly "tokens are bad", and they're right. They're leakable attack vectors. The tokens are the problem and discontinuation is the solution. Scanning is simply symptom treating, and given what I know about Microsoft culture, I doubt that's going to change soon or quickly.
GitHub already has a program to scan for keys, since publishing Discord tokens by mistake used to get the token immediately revoked and a DM from the system account saying why
I thought there were many first and third party services looking for this kind of thing (AWS, Github, GWS, crypto, etc tokens). Seems weird that a F500 company repo was not receiving the regular, let alone extra deep scanning which could have trivially found these.
There was a recent post from someone who made the realization that most of these scanning services only investigate the main branch. Extra gold in them hills if you also consider development branches.
They do scan but they miss a lot. The frequency decreased after Github started scanning all repositories but I still report leaked secrets to bug bounty programs pretty often. Unfortunately Home Depot don't have a bug bounty program so I don't scan them.
Where was this token found, in an open source repo? There are numerous ways to scan commits, for free even in open source repos: https://docs.github.com/en/code-security/secret-scanning/int...
I think there are crawlers that do that. Somehow I accidentally had a commit with an openai key in it, and when I published an open source repo with that commit within ~20 seconds I got an email from openai someone had retired my exposed key.
GitHub does! They tell you when you pushed something dangerous almost right away.
GitHub Advanced Security blocks the push, I believe.
They at least scan GitHub for all kind of exposed tokens in public repositories, and even have partnerships with the companies where you can connect with those tokens (SaaS, PaaS...) to verify they're valid and even revoke them automatically if necessary.
They definitely do have automation to scan for this already. I've seen plenty of alerts (fortunately all false positives that triggered on example keys that weren't real). I don't know how comprehensive it is, but it does exist.
jesus christ
Given the absolute state of their website on mobile it's hardly surprising. It's faster to find an employee and ask them where an item is at instead of waiting for the search to finish, see that it the "current store" now points to a random location somewhere in a different state, pick the correct store and re-do the search
If you go to the home depot page for torque wrenches and click the filter for drive size, you get this list:
Here is the same list in decimal to make the insanity plainly obvious: What sadistic lunatic made that sort order?! It's not based on size and it's not alphabetic.I had to check what the gold standard McMaster-Carr does: their torque wrench drive size widget is sorted 1/4", 3/8", 1/2", 3/4", 1", 1 1/2". Glorious. https://www.mcmaster.com/products/torque-wrenches/
I'd expect nothing less from them. The right thing to do here is to implement a sorting key for different categories here. Since McMaster-Carr seems to be going to a category when you search, they seem to have better control over the available filters.
I've found that on a site like Amazon or Walmart that'll let you do a more freeform sort, the filter options becomes absolutely god awful.
Well done by McMaster-Carr. I assume they control their inventory a bit more than a marketplace like Home Depot, Walmart, or Amazon, so that's also an advantage.
The schemas for Amazon and Walmart's product information are absolutely bonkers and constantly missing features that they demand be provided.
Here's the XML Schema Definition for "Product" on Amazon [1]
This is joined on each of the linked category schemas included at the type, of which each has unique properties that ultimately drive the metadata on a particular listing for the SKU. Its wrought with inconsistency, duplicated fields, and oftentimes not up-to-date with required information.
Ultimately, this product catalog information gets provided to Amazon, Walmart, Target, and any other large 3rd party marketplace site as a feed file from a vendor to drive what product they can then list pricing and inventory against (through similar feeds).
You are right that the control McMaster-Carr has on their catalog is the strategic and technological advantage.
[1]: https://images-na.ssl-images-amazon.com/images/G/01/rainier/...
Very interesting how nearly half the list is (assumedly) every single chemical listed under California Prop 65. Do they really need to specify exactly which chemical it is? I've seen thousands of prop 65 warnings in my life but I've literally never seen it tell me what chemical its warning me about. I just commented to a friends a couple weeks ago i wished they'd tell me what so i could look it up myself!
McMaster-Carr's website is actually pretty impressive given how unassuming it is. It does a ton of pre-loading on hover and caching to make it feel like you're just navigating a static site. I didn't even realize that the page had a loading state until I enabled throttling from my network tab and immediately clicked on a link as soon as I hovered over it.
Even more impressive is that it's something like 20 years old, and was basically the way it is now 20 years ago.
Mouser et al also do it right for mixed unit lists, eg. component dimensions are shown in their specified units but sorted as: 11mm, 12mm, 0.5in, 13mm, ...
Is it weird that I kinda want to work there?
No. You are likely and automatically extrapolating the attention to detail seen in the outcome into believing that it is a reflection of the attention , thought and method of their internal workings.
Which is a good indicator, but you can’t be sure of. Additionally you may imagine liking it but not enjoy it in life, even if true.
Now look up impact wrenches.
> 7/16 in
I had a major WTF moment there, until I realized that's probably for a hex driver (and thus something totally different than what I think of when someone says "impact wrench").
It's probably a default ordering or an ordering by an unshown database ID value. It's a small enough set that it doesn't really matter for practical purposes, but I guess it does betray a lack of attention to detail.
It’s simple alphabetic.
Is "slash" (/) before or after "space" ( ) ... or both... before and after it?
Is 8 before or after 4 in the alphabet?
No, there's no reasonable ordering going on.
If it were ordered by ordinal values, "/" is 47 and " " is 32, so "1 in" would come before "1/2 in".
It's not alphabetized by letter word. Because while "Eight" comes before "Four", "Specialty" would come before "Three".
No matter which way you attempt to order it, something is out of order.
Softtalker probably got it right. This is some default or id sort.
Before. _E_ight vs _F_our.
But _T_wo is also before _F_our
The sorting briefly switches to reverse order there, so no contradiction.
3/8 doesn’t come before 3/4 alphabetically.
This is sorted mostly alphabetically with an allowance for people being bad with fractions. That's my guess.
SELECT ... ORDER BY RAND()
Or when the site tells you your store doesn't have a part in stock, but neglects to tell you that they do have 350 of the identical part, different brand, in stock. Because who would ever buy a 1/2-inch close Halex rigid conduit close nipple in-store right now when they could wait a few days for a 1/2-inch close Commercial Electric rigid conduit nipple?
I feel like the home depot website is fine. It's a lot better than most other shops, I've had a good experience finding the aisle and location of items, and it's generally accurate with the amount in stock at each location. If you didn't enable precise location or have bad cell signal then that is hardly the fault of the website.
I will not argue with the stock part. When the search _does_ finish, stock info is usually correct IME.
What grinds my gears is the speed of this search, regardless of the phone reception. Even on the desktop it feels like they have a bunch of interns running a sneakernet. Or the website is laden with pointless javascript that slows everything down before the search is actually performed.
I go to the same Home Depot every time. (Well I don't if I can help it, but that's beside the point). There is no reason they cannot store the preferred store in the localStorage or cookies or wherever else. Other stores have figured this out.
> Other stores have figured this out.
Not CostCo though! I open their page and immediately 'Can Costco.ca use your location?" I say yes and then it asks me what province I'm in. I tell it, and then it defaults me to a store 30 minutes' drive from here and not the one five minutes away. Every. Time.
Costco’s website is worse than useless. It doesn’t tell you anything useful beyond the hours.
I have to believe it’s intentional.
Their internal setup was also an absolute mess as of 4 years ago. A horrific hybrid of extremely legacy systems and new systems created around COVID which are both nicer and also deeply lacking in features we needed as floor workers.
I understand that upgrading and migrating to new systems takes time but this process never seemed like it involved anyone on the ground.
its generally in HD stores you never have cell signal or wifi
Never noticed this. The SAF store has guest wifi and my mint/t-mobile 5G service inside is full strength.
This is definitely true and makes the experience shittier than it otherwise would be, but even with a great signal/connection it frequently loads so slowly that I've long run out of patience.
I have gotten in the habit of looking up what isle and bay the thing I need is before I get there, and then I screenshot it because too many times the page has needed to reload and start over
I bought a water heater that had a large (1k!) instant rebate that you had to scan, sign up on website and show the emailed coupon to the person during cashing out. Took me 25 minutes wandering around the store to get enough reception to actually do this process. Made me chuckle, thinking how having it online only but before point of sale in the store was such a terrible, terrible idea.
Nah, I use both the website and their shitty web wrapper app on a regular basis and it's been a dumpster fire for at least the last 2-3 years. 3-5 years ago when they first rebuilt everything it was much more pleasant but at this point it's clear no one is maintaining it and have just let it bloat and rot
Indeed, Home Depot's software is generally so bad. I remember around 2017/2018 time frame when they started showing up to big tech conferences (especially K8s and React.js conferences) really trying to modernize. I spent a few minutes talking to the people manning the booth (which were surprisingly high ranking in the company, at least by title), and came away thinking "I'm glad you're making an effort, but y'all really have no idea what you're doing." The left hand and the right hand had completely different ideas/priorities about how to accomplish their goals. I didn't want to make any judgments on a simple conversation at a conference, but at this point I think time has shown that it was pretty representative of how they were approaching it internally, and unsurprisingly it did not work out super well.
Now that said, I don't want to minimize the difficulty in modernizing software at a corp like HD. It's wildly more difficult than most people can appreciate. I've consulted for companies trying to do it, and there are lots of challenges with legacy systems, migrations, and plenty of non-technical challenges as well.
Shout out to Wal-mart for genuinely kicking ass at this though. I'm quickly becoming an Onn fanboy. Genearlly speaking, great products at great prices, from their USB cables up to their smart speakers and more. You can really tell from the product design and implementation that they are letting the nerds geek out and have fun! That in turn enables me to do the same :-)
I'll bet money any new React/K8s/${WEBSCALE} stuff they're building is still just a wrapper over the same old inventory management they've been using for years...probably something like JDEdwards on AS/400.
You would lose that bet. Walmart has invested a LOT in modernizing stuff over the last 10 years. You cannot deliver groceries in less than an hour using the old inventory. It's not perfect, but what it's been done given the scale , it's nothing short of a miracle. Source: I have been working there for 10 years.
It's sadly all too common. I worked at a Fortune50 retailer with a massive IT org. Was on a call one day with one of our most Senior Ent Arch who was excitedly telling me about how "these Java scripts" were the hot new thing and we were building "modern web 3.0 pages" with them. He did not understand the difference between Java and JavaScript or a blockchain branding exercise and SPAs.
I think they made some splashy hires at the time, and they contributed to the Google SRE workbook. Same as Walmart. They definitely tried. Corporate inertia is a killer.
+1
also, when I'm in my local store it seems like cell connection goes to shit for some reason and then I have to jump on their in store wifi in order to search their website
> when I'm in my local store it seems like cell connection goes to shit for some reason
It's a giant steel and concrete box, that's probably the reason.
They probably don't have any repeaters. All those metal shelves are going to interfere with the signal. I have the same experience.
Their in-store WiFi is a repeater more or less. It's one of those bullshit forced auto-join networks that you can't opt out of (at least on iOS). Because that's not a massive vector for phishing or anything.
Yes, although I've had terrible experience with their wifi. I'm sure it depends on the store, but coverage is usually terrible and highly spotty, so if you're walking around or standing in the wrong area, it stops working.
At one point I also had to disable wireguard because I think it was triggering some sort of anti-abuse thing they had. It wasn't even using an exit node, just bridging me to my home network so I could access self-hosted services. I get the desire for anti-abuse, but that felt pretty draconian and I don't expect the average person to consider they might have to disable a VPN to get it to work, especially nowadays when many average people do have VPNs running.
This is a network carrier setting, the issue is that T-Mobile (and maybe others) pushes a profile that does this as part of their network configuration.
Right, so you can't opt-out of it.
I went to Wi-Fi settings, "Edit" in top right, scroll to bottom "Managed" section, and was able to turn off "Auto-Join" for the "t-mobile" managed network just fine. I did this many months ago, I think because I was infuriated at the idea of auto-connecting to a Wi-Fi network I did not opt in to, but regardless, the checkbox has remained off through a few OS updates since (on 26.1 now with a T-Mo prepaid eSIM).
There's no "Managed" section showing up on my phone and the last time I set that network to not auto-join it still did. Lesson learned, I just turn off WiFi and Bluetooth before heading out to Home Depot.
I was livid when I discovered that my carrier had implemented that with no opt out. I worked around it by implementing shortcuts that disable my iPhone's WiFi when I leave my house until I've returned or reached one of the handful of other places I use it. It's ridiculous that something like that is necessary, though.
Always wondered if this was a deliberate strategy to enable more tracking… but it sounds way beyond the ability of their corporate planning.
I've never had an employee know what a tool is, much less where to find it. All they're doing is doing this process on a slower, ruggedized phone.
I literally watched someone Google "masonry bit" right in front of me.
It varies a lot by store. I’ve been to HDs where they’re all useless, and others where there’s a good number of knowledgeable DIYers working there.
I think a lot of people just expect too much from a big box store employee making $17/hr… You go to HD because you have an easy job and you’re as cheap as their MBAs. If you need help, go to a supply house or an Ace Hardware or something.
Fully this. Every Ace or Do It Best I've been to in Washington has had at least one Rugged Grandpa ™ on staff who could have given me a PhD-level essay on whatever I asked them about; at Home Depot I'm lucky if the folks there have any idea what an impact-rated bit is or why I specifically need one and NO please stop trying to sell me this other crap if you're sold out of the impact bits, they are NOT the same!
(It gets worse the further from the power tools section you get, I find. I had to explain the difference between a three-prong and four-prong 240V plug once at HD and promptly told my friend to stop asking the staff for "help" finding things.)
The store I worked at for a while had a surprising number of real bearded experts, alongside at least a few younger folks who really understood the internal systems. It was great, but clearly was eroding as the experts retired and young folks with no experience were hired to replace them.
I asked an employee for something by part number and described it. The answer he gave was "why the hell would you want that anyways? I've worked here 13 years and never seen one". I found it on a shelf a few levels up and used a grounding rod from the electrical section to spear it and bring it down to ground level
Though they should be on in store wifi. The big steel box store is a faraday cage that doesn't let the internet in.
Thanks for reminding me to uninstall that godawful app, which is like their website, but somehow even slower/clunkier.
> the "current store" now points to a random location somewhere in a different state
I thought that was just me. It gets the first, maybe the second digit of the zip code right and that's about it.
Jokes on you, all the employees do is use their mobile site as well.
MSFT Edging
I literally couldn't load their website with my previous Pixel phone. The performance was so terrible it would grind to a halt and freeze or crash.
Someone made their own version of the HD app that works much better:
https://www.reddit.com/r/Tools/comments/1opufvq/a_lightweigh...
Not as bad as Costco. Their app and website are still stuck in 90s.
Its hard to locate anything in their stores these days and its even harder to find any staff. So what I do is order for pickup and let them do the work.
Someone should use their GH token to fix their website
I think the same people/platform made the Best Buy mobile website, they look very similar. Just absolutely atrocious design. It's slow, the UI elements bounce all over the place, it forgets your selections, and godspeed if for whatever reason you need to refresh the page because something chose not to render. That's outside of the store on a good connection. Doing this IN the store is a whole new level of hair pulling frustration.
Also I once asked an employee for help locating an item and they told me to pull up the app. I was like "you pull up the app", and we sat there for 5 minutes waiting for things to load until he decided he'll just help me locate the item lol
I'm just happy that Best Buy recently added the ability to filter out items they cannot actually sell me. The amount of searches I would do where I had to scroll through page after page of 'not available online' 'not available in store' items in order to find a search result they actually had was ridiculous.
Now Home Depot for some reason just doesn't load on mobile (white screen) unless I disable content filtering in the browser. Classy.
Exactly, their site and apps are trash.
Wow, the non-response/communication at any time by Home Depot to all parties involved in trying to help them, is staggering.
Too busy going all-in on Flock cameras. This was the nail in the coffin for me.
[0] https://deflock.me/map#map=17/33.639428/-111.976540
Not entirely unsurprising due to the theft issues they face
Yeah, I'm not sure why so many people seem pro-theft for a lack of a better term. I don't believe they are but there's so much resistance to locking up high value items especially if they're valuable ones.
Maybe you're not familiar with Flock Safety, but my comment is not about locking up high value items. It's more about my location information being shipped to weird police circles by big box stores.
[0] deflock.me
[1] https://www.youtube.com/watch?v=uB0gr7Fh6lY
People are anti-surveillance, not pro-theft.
Although, plenty of people are pro-theft from the corporations sucking our towns and local economies dry and paying so little that their employees have to rely on foodstamps.
Home Depot making money doesn't make my town rich, the smaller shops making money do. The big corps just suck suck suck.
Perhaps just anti-shitty UX.
https://dan.bulwinkle.net/blog/trader-joes-does-not-have-sur...
Seems that all the big box stores are doing that. Lowes does it here for sure.
If you’ve ever tried to find an employee in one of their stores, this won’t be very surprising.
Go in knowing exactly what you want and you’ll be asked by no less than 3 employees if you need help finding anything.
Purely anecdotal, but I found Lowe's generally had much better customer service. But maybe it's just where I live
Yeah I think it'll be location dependent. FWIW I've got both by me and they're equally terrible as far as the availability and knowledge of their employees. Lowes edges out Home Depot a tiny bit for me simply because I've never been accosted by a sanctioned in-store roaming sales person for solar or siding at Lowes (yet!).
I get hit up for gutter guards every trip at my Lowe’s. I have a stationary woman hawking Generac and HVAC installs at my Home Depot.
I’d agree though, it’s department dependent. The electrical at my HD is an unorganized mess, but their plumbing section is world-class. Lowe’s is oddly flip-flopped. To Lowe’s great credit, their staff has those little tablets with inventory locations on them including all the top-shelf and end cap locations the website doesn’t show. Those usually save my trip, HD doesn’t seem to have an equivalent.
HD has it, but it lies, and is horribly inaccurate.
> Yeah I think it'll be location dependent
I've found it to be very datetime dependent. I walking the aisles on a late Sunday night recently and the only time I saw an employee was at the self checkout before I left.
That was true for a long time, but before that, Home Depot's customer service was terrific too. I think that's a cost that gets cut by a focus on shareholder value. Local hardware stores are still going to be better, with the caveat it may take a decade before they smile when you walk in.
> with the caveat it may take a decade before they smile when you walk in.
That’s damn good customer service right there, if you ask me. The fake-chipper act makes me want to dive into a wood chipper…
I used to frequent a wonderful Ace Hardware with some regularity.
The old lady that always seemed to be behind the register eventually started greeting me by name when I walked in. (I don't recall ever giving her my name; maybe she remembered seeing on a credit card or something.)
After the pleasantries (which didn't seem fake at all), one of the greybeards present would appoint themselves as my personal shopper. I'd go down my list of demands that was only vaguely sorted by department: "One M8x1.25x80mm all-thread stainless Philips screw, a 16x20 furnace filter, a box of #8x3/4 sheet metal screws, and uh... what do you have for can openers?"
And then we'd make a lap or two of the store to get these things, and I'd pay and GTFO.
It was great.
Very location dependent. Within the same metro area in one place we lived Lowes was better; in another less than 20 miles away, HD is.
But for actual help and humanity (if you can afford the price and the more limited selection), Ace is consistently better near where I am.
Purely anecdotal as well but it really feels like a quantity over quality thing between the two. It takes significantly longer to find someone in orange, but they’re as helpful as I can reasonably expect. Whereas Lowe’s employees tend to be both useless and annoying.
Same here in Cincinnati. Lowe's is far better than Home Depot. Everyone at HD clearly hates their job. Probably not their fault.
Opposite data point, where I live, there's lots of people working the floor. I'm usually asked if I need help at least once when I'm there. Maybe it depends on the store or whatever the umbrella org is.
[flagged]
why?
Because they are the villain.