
It's pretty bad that I have to enter my HN password.



When I was running usethesource.com (a job board that allowed only people with a certain HN karma to post) I worked around this authentication issue by having people place a magic string in their HN profile.

So, you'd register as say jgrahamc on my site and then place 'magic string' in your HN profile and usethesource.com would know that it was really you.


Didn't realize it was brought down. Which means I hadn't checked in quite a while. Which kind of makes sense as to why it was brought down (and it's not hard to imagine why), but did you ever write up a post-mortem or such?

"usethesource site:jgc.org" on Google just gave me the original post.


The post-mortem would likely be: "I don't have time to invest the necessary effort to make the site popular."


Just saw this after posting my solution. This is a much nicer approach.


Agreed. I will try implementing this asap.


How do you prevent people from just copying someone else's magic string?


The magic string doesn't need to be private, each user gets a randomly generated string. Either they can place it into their own profile or not.


If you make the magic string an HMAC of the user's name and some secret, then they should be non-transferrable.


Requiring the user to HMAC to be able to post jobs is great and would help filter out recruiters that can't figure that stuff out.

Or better yet, how about a job board that requires the person submitting the job to solve programming puzzles common in technical interviews. Also permit people posting the jobs to link to open-source projects that their company publishes and contributes to. It would be great if people could filter the job board to only show jobs from companies that have completed a challenging puzzle and/or publish/contribute actively to an existing open source project with X number of forks and Y number of followers.

Searching companies by some sort of "github" rank based on the people on the company's organization page would be awesome too. i.e. between the 10 developers listed on a page, what is their average forks/dev and stars/dev?


It wouldn't work to make the user perform the HMAC, since it requires having the secret, and then the user could share the secret. You need the server to calculate

magic = HMAC(secret, username)

and then give 'magic' back to the user. And then the server can decide whether the (username, magic) pair is valid.
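The scheme in the comment above (server computes magic = HMAC(secret, username), user pastes it into their HN "about" field, server scrapes the profile and checks the pair), as an added Python example that is not code from the thread or from usethesource.com. The server secret, the sample profile text and the username are all constructed for the demo; the HMAC is SHA-256 based, which is an assumption since the comment does not name a hash:

```python
import hashlib
import hmac
import re

# Server-side secret. Constructed placeholder for this example; a real
# deployment loads a long random value from configuration and never
# shows it to users, otherwise anyone could mint strings for any name.
SERVER_SECRET = b"example-server-secret-do-not-use"

# A SHA-256 HMAC hex digest is exactly 64 hex characters, so candidate
# tokens can be pulled out of arbitrary profile text with this pattern.
TOKEN_RE = re.compile(r"[0-9a-f]{64}")


def issue_magic_string(username: str, secret: bytes = SERVER_SECRET) -> str:
    """magic = HMAC(secret, username), handed back to the user to paste
    into their profile. Because the secret stays on the server, a user
    cannot derive a valid string for any username but the one they
    registered; the string is bound to that name."""
    return hmac.new(secret, username.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_profile(username: str, profile_text: str,
                   secret: bytes = SERVER_SECRET) -> bool:
    """Given the username the person claims and the text scraped from that
    HN profile's 'about' field, decide whether the (username, magic) pair
    is valid. The expected value is recomputed from the secret, so nothing
    needs to be stored per user. Comparison is constant-time, since the
    profile text is attacker-controlled and the token is secret-derived."""
    expected = issue_magic_string(username, secret)
    return any(hmac.compare_digest(candidate, expected)
               for candidate in TOKEN_RE.findall(profile_text))


def demo() -> dict:
    """Constructed walk-through: alice registers and pastes her string;
    bob copies alice's string into his own profile, which must fail."""
    alice_magic = issue_magic_string("alice")
    alice_profile = "Hacker in SF. verification: " + alice_magic + " -- thanks"
    bob_profile = "I am alice, honest: " + alice_magic
    return {
        "alice_ok": verify_profile("alice", alice_profile),
        "bob_copied_alice": verify_profile("bob", bob_profile),
        "empty_profile": verify_profile("alice", ""),
    }


if __name__ == "__main__":
    print(demo())
```

The `demo()` call returns `{'alice_ok': True, 'bob_copied_alice': False, 'empty_profile': False}`: copying someone else's string (the concern raised earlier in the thread) does not help, because the string only verifies against the username it was computed for.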


you could still require the user to HMAC too, just for filter's sake :-)

alternatively, make the 'submit job' feature only available as a (documented) HTTP POST operation without any matching HTML form.


Then the recruiting companies will just pay a dev to write a tool for them to bulk post job req's all day.


I think a better approach would be to have the user enter a token into their "about" section; then, once they have, the site could scrape their profile, and the token could be removed afterward.


WTF that's horrifying, this should be taken down it's a honey trap!


A better way to verify that I own the username is to make me put a token in the about of my profile.


I tried registering by using my HN username with a different, non-HN password. It seemed to work.


Yes, I do not feel comfortable giving this site my HN credentials.


How about making a thread that doesn't get upvoted so it's not on the front page, but that you can link to where users post an authentication code you provide. You then scrape that page and match the username to the auth code.


Or a comment in this thread. People could reply to one of the posts here as proof-of-username. No need to make a dedicated thread; all comments got their own static url.


The other option is simply not linking it with HN. Later on, I'm going to allow for filtering by karma if you're looking for potential employees.

Another thought I had was putting a token in your profile which I can scan for. What do you think?


ya, life could get pretty rough if you had to enter your HN username too


It is downright stupid. The author is an idiot for doing this. And I don't call people idiots lightly. Presumably PG will block this site from accessing HN shortly.


I think you meant to say something like naive about alternative approaches, right? Because calling someone an idiot will more than likely make pg block you.


Sometimes actions are not just naive, but plainly idiotic.

