Take Care

You ever notice how much care people put into animals that have been treated poorly? We all have seen those before and after photos where some dog or cat who has been abused/abandoned/neglected is pictured on the left side and the same animal is pictured, a year later, fully healthy thanks to the love and care of its new owner.

An abused cat, before and after someone cared for it properly.

The new owner is super happy that they were able to rescue this poor animal and make it healthy again, and the new owner and the animal live happy lives together. Sure, they had to go through some trials and tribulations to get there (man, that cat hissed and scratched for months and the dog took forever to respond to affection), but we endure those because we know it’s worth it and the animal is just reacting in the way it has grown to.

This is really awesome for the animals, but makes me wonder why we don’t extend the same compassion to humans. Why don’t we recognize the broken humans, the ones who have been abused, the ones who have not been loved and cared for properly, and devote such attention to restoring them to their whole selves, to bringing them back to who they were meant to be before they were broken, before they were abused, before they were neglected, before they were uncared for. We don’t endure the scratches, the nips, the lack of affection in the same way we do for pets.

Instead, we write these people off as damaged goods. We run away from them as having “too much baggage”. After a couple verbal scratches, a few emotional nips, we are done. Instead of recognizing that the person could have gone through troubles and needs time to be restored to themselves, understanding that once they are restored, they’ll be worth it in the end, we find the nearest escape route, and we’re out. The person now has to deal with abandonment on top of the problems they already had, making them even more broken.

People are worth the time and energy too. I’m not saying we should all be fixing one another, but maybe recognize that the person who lashes out may be doing it because that’s all they know. The person who is cold is maybe that way because they’ve been deprived of affection. The person who runs is just repeating the abandoning behaviors they’ve been taught. Acknowledge that it will take some time for those negatives to be unlearned and be replaced with more positive behaviors.

We’re certainly more capable than our furry friends but the broken ones, we broken ones, though our wounds may be internal and the damage may not be so obvious, still need the same compassion, patience, and understanding. I promise we’re just as worth it as the little furries.

That Time I Got Amazon to Give Me Jeff Bezos’ Email Address

Up until a few days ago, if you had an Amazon wishlist, I could easily and reliably get the email address associated with your Amazon.com account. No social engineering of CSR’s required, just a couple clicks, wait a day, and your email address was mine. Here’s how it worked.

Amazon.com allows anyone to create a wishlist, they need only have an Amazon.com account.

Amazon allows anyone to keep track of Amazon wishlists via their Gift Organizer, they need only have an Amazon.com account.

I participated in a gift exchange that provided me with my giftee’s Amazon wishlist URL. I added that URL to my Gift Organizer, purchased a gift for my giftee, and promptly forgot about it.

On May 23 I got a birthday reminder for my giftee.

I’d received birthday reminders before so this wasn’t unexpected. What was unexepected was that the message began “Hi [GIFTEE’S FIRST NAME],”

Say wha?

Reading further, everything looked like a standard gift reminder until I got to the bottom of the email.

Please note that this message was sent to the following e-mail address:

Except nope. The gift reminder sure wasn’t sent to my giftee, it was sent to me, and it included her email address. I double checked to make sure I didn’t accidentally have her email address stored anywhere. I double checked to make sure I’d never emailed her. I definitely did not have her email address before and now Amazon had given it to me.

I emailed security@amazon.com with this information, along with a copy of the email and the email headers immediately. Email addresses are PII and Amazon giving me someones email address was not in the neighborhood of ok.

Then I tried to see if I could do it again.

I searched Amazon’s wishlist database for Jeff Bezos (which you can do for any name you please). Sure enough, Jeff Bezos’ wishlist popped up.

I added it to my gift organizer, told Amazon that Jeff’s birthday was on May 25, then set a reminder for 1 day before.

As expected, on May 24 I got a nice birthday reminder email claiming that it was sent to Jeff Bezos’ email address. (Note: It was his @amazon.com address, which I believe is moderately well known.)

I updated the email to security@ with my repro efforts, then got in touch with an actual person at Amazon to help make sure my messages didn’t get ignored. I mean, since I initially thought this might be user error, I figured Amazon’s security folks probably did too.

I soon got a response from “John” via security@amazon.com. The message read as follows:

Hi Erica,

We have received the report you sent about the security issues in amazon.com . We take all reports of security issues seriously and thank you for sending it to us. We have assigned case number JB002660070 to your issue and have commenced our investigation. Once the investigation is complete we will take the appropriate action. For future reference, you may pass these types of reports directly to us at security@amazon.com.

We will send you status updates every seven days as the investigation progresses, but if you would like to check the status of the investigation between regularly scheduled updates, please send us an e-mail including the case number above.

Thank you for your report. We look forward to working with you.

Kind Regards,


4 days later I got the following email from John.

Hi Erica,

Thank you for contacting Amazon.com.

We have looked into the issue in Amazon.com, identifier JB002660070 and made the necessary adjustments. Please look at the item again. You should no longer see the reported behavior. If you do see anything out of the ordinary, please contact us.

Thanks for pointing this out to us.

Kind Regards,


I ran the test again and this time the birthday reminder did not include any PII.

To recap, I could easily gain the email address of any Amazon user with a wishlist by:

  1. Adding their wishlist to my gift organizer
  2. Setting their birthdate to two days in the future.
  3. Setting a “one day before” birthday reminder.
  4. Waiting one day for the reminder email.

As far as I can tell (based on previous birthday reminder emails I’ve received), this bug was introduced some time after April 6, 2014.

Good on Amazon for fixing it as soon as they ack’d my report.


My Hackbright Experience

In hindsight, I don’t think I was the right sort of lady for Hackbright. That’s clear to me now. If I’d known what I know now when I applied, I probably wouldn’t have applied at all. I’m getting ahead of myself.

A bit about me: I’ve been poking at code all my life. Started with QBasic, went on to Hypercard (not necessarily code, but some similar concepts), then BASIC in high school, then C+ during my freshman year of college. My college experience was such a nightmare that I stopped, completely and switched majors. I paused that for a little while and went ahead learned the basics (and then some) in IT and loved that career. I’d always wanted to do more with code, though, and about 6 years after starting my career, decided that I wanted to learn again. I should have stopped working right then and gone back to school. I was only 27 and had I done that, I’d have been finished in 2 years and I’d be a software engineer by now. Again, hindsight.

For years I’ve tried to learn how to code in whatever free time I could find. I could get the basics. Lists, dictionaries, string manipulation, how to use operators, those sorts of things were easy to pick up on. Everything else, though, especially OOP, was like Greek. I just couldn’t grasp it from reading countless books and even more blog posts.

Fast forward to my learning about Hackbright, an “Engineering Fellowship” for women. This, THIS, was what I was looking for. I was finally going to go learn how to code. I was going to deepen my understanding of Python, I was going to learn Javascript, message queues, batch processing, distributed processing, data structures, algorithms, all kinds of magical and wonderful things that I’d never been exposed to before.

What Will I Learn?

What Will I Learn?

The promise of Hackbright

The promise of Hackbright.

Then we’ll go to places and learn about how they do engineering? In 10 weeks? Absolutely, sign me up, I’d pay $12,000 for this. Worth it, easily. You have no idea how excited I was about ALL of this. Turns out, no, pretty much most of that didn’t happen. This is the blog post I wish someone had written before I signed my contract. Though I didn’t cover everything I wanted to, this will likely be the last thing I have to say about Hackbright publicly (though am happy to answer questions privately). Apologies for its length.

I applied to Hackbright in October, did my first interview (the culture fit interview) in late October, and my second interview (the “how do you think” interview) on November 11. From that point until I got accepted in December, radio silence. Now I know that interviews and admissions for the next class are scheduled at the same time the current class is doing projects, so the instructors, who are also in charge of admissions, are super busy. I did not know that information at that point and assumed the silence meant I didn’t get in and I’d soon be getting a nice letter in the mail thanking me for my interest. I’ve always been motivated by people telling me I can’t do something (there’s a cheat code for anyone who really wants me to do anything) and I took that “rejection” as Hackbright telling me I wasn’t good enough, that I couldn’t do it. So I went out and did it.

I started writing WhenSeason during that silence. By the time I got my acceptance on December 9, I pretty much had a working site. I could run queries against my Riak database, I just needed to make it look pretty. What I didn’t know when I finally got accepted and had 10 days to accept and pay my $5,000 deposit (seriously, 10 days for an unexpected $5,000 expense is insane), was that what I’d just done was the final bit of what students do at Hackbright. Save sessions and substitute Riak for SQLlite and I’d pretty much done exactly what many Hackbright students do for their final projects. I created and launched a website using Python, Flask, JS, HTML, CSS, and a database on my own. In fact, after learning of this, two instructors said to me, verbatim “Why are you even here?”


I came up with the $5,000 and signed the contract. Still super excited. I was a little miffed at having to come up with that money that quickly, but again, I thought it was worth it. I paid my money and didn’t hear from Hackbright again until January 8, when our class mailing list got set up. My class is full of really great women, and the introduction/getting to know you thread was just really great. I was excited to be going to learn how to be a Software Engineer with all these amazing women from really diverse backgrounds.

In a separate thread, we were told of the pre-work that was expected of us.

Zed Shaw’s “Learn Python the Hard Way” (referred to as LPTHW from here on out) and Allen B. Downey’s “Think Python” were both referenced as pre-work. I (and others) assumed that meant that we should come to class knowing the concepts in those books. I was relieved that I knew most of the stuff already because I didn’t want to be behind others in class. Imagine my surprise when class began and we just…went over all the things that were already in LPTHW.

I’d like to make clear here that I’m not exaggerating, so have a look at some bits of the curriculum (I’ve forked it to preserve the state it was in while we were attending) https://github.com/EricaJoy/Hackbright-Curriculum and note that up until Exercise 7, our exercises included going through and completing the relevant bits of LPTHW. After Exercise 7 we went on to things like sessions, using SQL databases, and some light Javascript.


Hackbright by the Numbers

Number of Students: 28 (We started with 29 but one quit because it wasn’t what she thought it was going to be and got some of her money back.)

Start date: 3 Feb 2014
Graduation date: 11 Apr 2014 (Several people had to have their last day on this date as Hackbright advertised a 10 week program and that is what those planned for. We did not learn of the change to a 12 week program until we received our contracts.)
End date: 25 Apr 2014
Cost: $15,000 USD (Advertised as $12,000, we did not learn of the price increase until we got our contracts.)

Number of Instructors: 4 (NickA[0], NickA[1], Liz, Cynthia)
Number of “Helpers”: 2 (Kate and Sean)
Number of weeks of Instruction: 5
Number of weeks of Projects: 4
Number of Career Days: 1
Number of Weeks of Interview Prep: 2
Number of days of Instruction: 20
Number of hours of Instruction: 80
Number of hours of Exercises: 100
Number of hours working on Projects: 80
Number of hours spent on Field Trips: 15.5 (not including travel time)

Structure of the instructional portion of Hackbright:

Arrive: 10am
Lecture: 10am to ~11am
Exercises: ~11am to 1pm
Lunch: 1pm to 2pm
Lecture/Q&A/Tech Talks: 2pm to 3pm
Exercises: 3pm to 6pm

Repeat for 5 weeks, 4 days a week. 1 day of the 5 day week is reserved for Study Hall or Field Trips.

Number of people that returned to their previous jobs: 4
Number of people hired into new full time jobs so far (that I know of): 2
Number of people offered temp contracts: 2


Instead of going on about everything in narrative form, I’ll share with you some brief summaries of various segments of my Hackbright experience.


On Lectures

Lectures were presented by one of 4 instructors (NickA[0], NickA[1], Liz, Cynthia). Some of these instructors were very new to teaching and it showed. Lectures were unstructured, jumped around quite a bit, and tended to leave many students confused. Requests for structure were either ignored or mocked. Occasionally students would ask instructors to slow down a bit or repeat what they last said so the student could make a note. “You don’t need to write this down,” was a frequent refrain. Not understanding that everyone learns differently (including the need to take detailed notes) is another way in which the teaching newness showed. Every now and then Christian came down to give a lecture that usually involved some level of distraction (he once spent a lecture eating from several different bags of candy for no discernible reason). These were interesting and engaging if not always full of useful information.


On Exercises and Pair Programming

We were meant to pair up with a new partner every day during exercises. I think this was a huge mistake. Two super green programmers coding together is like the blind leading the blind. Add in everyone’s flavor of personality, plus varying levels of frustration (many people felt like they were behind throughout the program) and things…weren’t awesome. Introducing Pair Programming later in the program (for larger project based exercises) might have been a better move. Pairing to go through LPTHW was just not great.


On Tech Talks

Around week 3 or 4, we began doing Tech Talks. “Give a 7-10 minute talk on something about tech. You don’t already have to be familiar with the subject, it could be something you want to learn more about. Make sure you clear it with an instructor first.” Here is where I experienced the first big disappointment in Hackbright. I wanted to learn more about AWS and deploying to EC2. I barely scratched the surface when I deployed WhenSeason and since the world pretty much runs on AWS and EC2 and I have a strong interest in what is generally now referred to as devops, I wanted to learn more. That topic was not approved. I remember being incredulous at first, disappointed second.

I ended up doing a half assed talk about zsh (which I like but really had no desire to learn more about), which still incurred some kvetching from the instructors. I remember specifically hearing an exasperated “I hope you’re ready to support 28 students running zsh.” That seemed to be a running theme at HB. If it wasn’t in their wheelhouse, instructors went out of their way to discourage it. I still find this deeply disappointing, as a large part of my early education was a result of my being curious about something. I’d ask a teacher about it and if they didn’t know something, they’d go learn about it or encourage me to learn and come back and tell them about it. It was a win for me and a win for my teacher. I sincerely hope Hackbright instructors adopt this attitude toward subjects/topics they aren’t very familiar with.


On Field Trips

Trips to various Valley tech companies with varying levels of technical information vs. recruiting information presented. We were expected to find our own form of transportation to and from these trips. Full disclosure, I opted out of many of them because they largely served as recruiting trips vs. learn stuff trips. I have a job so I really wasn’t up for the recruiting song and dance, especially when the trips happened during project time. I couldn’t go to the one I really wanted to attend because I couldn’t find parking. So there’s that.


On Mentorship

Each Hackbright student was assigned 3-4 mentors. Each mentor was meant to serve a different purpose: one Jr. developer, one Sr. developer, and one upper level employee in the industry (Director level or higher). One of the 3 was meant to be “well-connected” in the tech world, such that the mentee would have a way to learn of and be suggested for jobs. Networking is huge in this space, so this is smart and makes a lot of sense for someone who may not have those connections already. The mentors are all supposed to have been “go-to” resources during project time, to help get past hurdles. Unfortunately, my project was off the beaten path and none of my mentors had experience with the technologies (AWS, Riak, Elasticsearch) I was using.

Mentors met mentees at a mixer meant to mitigate mingling. One of my mentors didn’t attend this. I never did meet that mentor, as I being told to “schedule a time” with a link to a calendar didn’t really work for this type of setup (Note: From what I understand, mentors were meant to be a real to near real-time resource).

There were and are some really great mentors who volunteer a large portion of their time (mentorship is not a paid gig) to help Hackbright students succeed. Those people are amazing and deserve all manner of accolades. Hackbright would undoubtedly fail without them (this is not an exaggeration).


On Project Time

Project time is when HB students are meant to spread their wings and fly. My experience was more akin to getting kicked out of the nest and hurrying up to figure out how to fly before I hit the ground. Again, not exaggeration. Aside from Liz, not one instructor took the slightest interest in what I was doing for my project. At times I watched as the instructors worked the room, visiting students, asking how their projects were going. Not once did they ask me. Not once did they even visit the little corner where I sat. I suspect at this writing (the week before career day), none of them could even tell you where I am in my project, how functional it is, or what it looks like. Mind you, our instructors are meant to be acting as our project managers, so this is something they should know.

Having written a really basic website before entering Hackbright, I decided I’d do something a bit more difficult for my project. I mention the difficulty level because I got really stuck during the first two weeks of project time. We had house (everyone was assigned to a different Harry Potter house) stand ups every morning, where at the end, our scrummasters would report our progress back to the instructors. I consistently reported being at the same place (parsing GEDCOM to JSON) and I never heard a peep from the instructors. When I really needed their help, even if help came in the form of “you’ll get it right” encouragement, I got none. I might sound a little bitter about this, but I’ve never been one to not wear my heart on my sleeve.

Update: Hackbright is now over and I was drafting this around mid project time. Shortly after I made this draft, NickA[1] (I think, I get them mixed up) asked me about my project and generally began to give a shit about me. I appreciated that. Still do. I never did finish my project. I got stuck again trying to use technologies that were foreign to most people at Hackbright. If it isn’t some flavor of Flask or Django + SQL being deployed to Heroku, they want no parts of it and don’t want you to have any parts of it either. Now that Hackbright is over, I’m completely re-writing my project, slowly. Frankly I wish I’d done a simple web app and left my difficult passion project for later, as the experience soured me a bit on something I really love and am passionate about.


On Career Day

Career Day is when Hackbright students are meant to show off their projects to a bunch of companies in hopes that the companies will want to bring them in for interviews. It’s something akin to speed dating for jobs. Companies scheduled to attend ranged from giants (Google, Facebook, Twitter) to tiny startups (Pop17, We Heart It). Twitter didn’t show up but the rest did. Two of our classmates could not participate because their employer (Intuit) was sponsoring their attendance and Hackbright in general to some extent. One student did not get much help* doing what turned out to be a Very Hard Project and chose to opt out vs. show something she didn’t feel was complete.

My project was not done, so I showed off a parser. Woo. None of the companies seemed impressed by this, save Stripe (which is an awesome place where I bombed a first round interview). As far as I know, there has been one hire made by a company in attendance at Career Day.

*I later learned that several students didn’t feel they got much help and instead felt as though the instructors has picked their winners and focused on those students. I find this deeply disappointing.


On Interview Prep

Interview prep happened after career day, during the two extra weeks HB tacked on to the formerly 10 week program. This is where Hackbright glosses over some of the most important ideas in computer science, like algorithms, data structures, and learning how to measure time and space complexity (Big-O). I mostly opted out of this, for better or worse because I just could not even with Hackbright anymore. I connected to the live stream a few times and didn’t find the quick and dirty looks at these concepts very helpful. I’m still working on learning these on my own (volunteers welcome!).

So why wasn’t I the right lady for all this? Well I came in knowing a little something about how to code, as such, I didn’t learn a bunch. I came in wanting only to learn more about software development and get better at coding. I didn’t really need to be introduced around the Valley, as I’ve worked in the industry for a while and have a reasonable network of contacts. I wasn’t interested in spending time talking to the recruiting departments of companies, as I still have a job. Really, I just wanted to learn all that I could about programming while Hackbright’s goal seemed more in line with teaching me how to talk the talk before I could necessarily walk the walk. The curriculum spent a lot of time on basic string and dictionary manipulation, how to write functions, and how to use open source tools (Flask/Postgres/SQLite) to build a website. Little time was spent on important things like time/space complexity, algorithms, and data structures. Those were glossed over later in “interview prep.” If what I attended was Hackbright 101, I perhaps would have been more challenged in Hackbright 201, where the time spent on basics is just a quick 1-2 day refresher and the rest of the time is spent on more challenging things.

Added to the above, there is some level conformity demanded by the instructors there (never question, never challenge, never “negative”), and if you choose not to conform, you are punished for it by the instructors ignoring you. This is not speculation, this was confirmed by one of the instructors. I am not a conformist, I will always ask questions, I will challenge things that don’t make sense, and I will call out things I think are broken/wrong (which is frequently perceived as being “negative”), so I got ignored (see: Project Time). Being too engaged will also get you ignored. I recall once raising my hand to answer a question and being blatantly ignored. When I asked the instructor why I was ignored, it was because they “wanted to give someone else a chance to answer”, when everyone else was just staring blankly. I felt like Tracy Flick.

The above said, I do believe there are some who would really benefit from what Hackbright has to offer. For those with no prior exposure to Silicon Valley or the tech industry in the Valley and little exposure to software development, Hackbright would be a great experience. They’ll meet a bunch of people that are involved in some way in the “tech scene” in the Valley and get some knowledge that can be a good springboard to being a full fledged Software Engineer. Despite what our Hackbright business cards say, no, I don’t think we’re fully formed Software Engineers just yet. I think that anyone who intends to attend Hackbright should understand that once you finish your final project, you will have only just taken the first small step to being a Software Engineer. I am personally glad to have taken that step, though I am not sure I needed to pay Hackbright to do it.

I should note that I am and have been very supportive of Hackbright’s mission, as I think it’s important to change the ratio in the tech industry. While I agree with the mission, I am not impressed by the implementation. I hope they can work out the implementation issues to successfully equip future classes with the skills and tools they need to succeed as software engineers. For a business whose sole mission is to change the ratio in the tech industry, this is too important to get wrong.