TechEcho

Experiments and leaking company secrets through your testing infrastructure

92 points by jonluca about 6 years ago

8 comments

jfehr about 6 years ago
Since these comments imply that research firms already mine this, I think there's a hilarious opportunity for rank-and-file engineers at these tech companies to vend fake features/experiments (in which nobody receives the treatment), and watch hedge funds overstep then get the rug pulled out on them. At the least, the practice would cheapen the practice of data mining of the experiment names without having to implement any substantial fix.

Starting points could be, DRIVERLESS_DRONE_KILL_BOTS, or IR_CALL_DISPLAY_BANNER_RECORD_40_PCT_PROFIT_MARGIN.
_gllen about 6 years ago
Very cool! I find it fascinating to see what experiments other companies run, and especially what the winners were.

I've had a similar idea on my mind for a while now: Find sites using Optimizely (e.g. with nerdydata), automatically screenshot the variations, and revisit to see what the chosen winner was.
throwawaymath about 6 years ago
These kinds of side channels often contain alternative data which is of very high interest to the financial industry. I don't think most companies leaking this information are aware of it, but it's very actively mined.
dcow about 6 years ago
JFYI: iOS does not use OpenSSL (however an app might choose to use it). I believe it uses a FIPS-compliant custom TLS implementation in Security.framework. I believe SSL pinning is circumvented on iOS by leveraging the Objective-C runtime to hook the callbacks that an app would use to inspect the remote peer certificate. More info: https://www.guardsquare.com/en/blog/iOS-SSL-certificate-pinning-bypassing
snek about 6 years ago
Discord keeps it on the down low:

https://discordapp.com/api/experiments produces

    {"assignments": [[1927765909, 0, 0], [2969373038, 0, 1], [518926094, 1, 1], [3089664276, 0, 1], [3747495958, 1, 1], [600804427, 2, 1], [2078807847, 2, 1], [372914062, 0, 0], [4002407165, 0, 1], [2827351180, 2, 1], [183948708, 2, 1]], "fingerprint": "..."}

If you prettify their main JS bundle, you can figure out what these map to.
jrockway about 6 years ago
I always like these things. People have realized that absolute secrecy is very expensive, but doesn't buy you much. So they give up and just let the information out.
dbielik about 6 years ago
There was once a bookmarklet to explore and preview Optimizely experiments: https://growthhackers.com/questions/show-gh-spy-on-optimizely-customers-experiments
was_boring about 6 years ago
I'm curious if this violates any laws. Perhaps the Computer Fraud and Abuse Act?