1. It looks like you don't actually need people's HN password. Which people shouldn't be giving out. Update your website's copy!
2. This looks very similar to the Stackoverflow Careers' admin panel. Which is dandy. I'm interested to see how this goes.
3. Searching by geography would be useful, I think.
4. Could you elaborate on who you are, what your motivation is for building this, etc? (Do you plan on charging at some point?)
5. This is important because there is always an element of trust when using an employment service. By using a job posting service, you get insight into our openings, the types of people applying, our communications, and whether we are choosing to hire them.
Especially because your service has such robust communication/messaging facilities, I would be really interested to know what has brought this about before using it to recruit for my company. (We're hiring by the way!)
Good stuff! Looks slick, seems easy to use, and if you're able to keep it high-quality (how would one do that?) then I'm all ears.
1) I was thinking of changing the verification process by allowing users to place a special token in their profile, which I can just scan for (within a small time window). Thoughts?
2) I took ideas from Stack Overflow and 37signals' job boards.
3) In the works! :)
4) I work at Xilinx as my day job, but I have a passion for startups and spend quite a bit of time on HN (as a lurker though). I noticed there are 'who's hiring' posts every month, which are usually quite popular. I figured a dedicated website would suit the community well.
If I ever start charging, it would only be after I implement more features, make the site more useful, and depending on what feedback I get. Also if I do charge, whatever the cost might be, it would help filter out a lot of junk posts.
5) This is absolutely key. I hope to earn this trust. :)
I see one posting in England, but damned if I can see how to add another! I'm assuming location has to match the auto-complete whitelist, and the only London(s) that show up are not the one I need.
When I was running usethesource.com (a job board that allowed only people with a certain HN karma to post) I worked around this authentication issue by having people place a magic string in their HN profile.
So, you'd register as say jgrahamc on my site and then place 'magic string' in your HN profile and usethesource.com would know that it was really you.
Didn't realize it was brought down. Which means I hadn't checked in quite a while. Which kind of makes sense as to why it was brought down (and it's not hard to imagine why), but did you ever write up a post-mortem or such?
"usethesource site:jgc.org" on Google just gave me the original post.
Requiring the user to HMAC to be able to post jobs is great and would help filter out recruiters that can't figure that stuff out.
Or better yet, how about a job board that requires the person submitting the job to solve programming puzzles common in technical interviews. Also permit people posting the jobs to link to open-source projects that their company publishes and contributes to. It would be great if people could filter the job board to only show jobs from companies that have completed a challenging puzzle and/or publish/contribute actively to an existing open source project with X number of forks and Y number of followers.
Searching companies by some sort of "github" rank based on the people on the company's organization page would be awesome too. i.e. between the 10 developers listed on a page, what is their average forks/dev and stars/dev?
It wouldn't work to make the user perform the HMAC, since it requires having the secret, and then the user could share the secret. You need the server to calculate
magic = HMAC(secret, username)
and then give 'magic' back to the user. And then the server can decide whether the (username, magic) pair is valid.
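The server-side scheme from the comment above, as an added example that is not code from the thread or from either job board. It goes one step beyond the comment by also binding the token to a pending registration, so a token left behind in a profile cannot be reused by a different sign-up; `registration_id`, the `hnverify-` prefix, the function names and the secret are assumptions.

```python
import hashlib
import hmac

# Constructed demo secret; a real deployment loads a random key that only
# the server can read. Users never see it, so they cannot mint tokens.
SERVER_SECRET = b"constructed-demo-secret"


def issue_token(username: str, registration_id: str,
                secret: bytes = SERVER_SECRET) -> str:
    """Server side: magic = HMAC(secret, username || registration_id)."""
    message = f"{username}\n{registration_id}".encode("utf-8")
    mac = hmac.new(secret, message, hashlib.sha256).hexdigest()
    return "hnverify-" + mac[:32]  # 128 bits, short enough to paste


def profile_proves_ownership(username: str, registration_id: str,
                             profile_text: str,
                             secret: bytes = SERVER_SECRET) -> bool:
    """Recompute the token and look for it in the fetched profile text."""
    expected = issue_token(username, registration_id, secret).encode("utf-8")
    found = False
    for word in profile_text.split():
        # Constant-time comparison; no per-user token storage is needed.
        if hmac.compare_digest(word.encode("utf-8"), expected):
            found = True
    return found


if __name__ == "__main__":
    token = issue_token("jgrahamc", "reg-1001")
    about = f"Constructed profile text. {token}"
    print(profile_proves_ownership("jgrahamc", "reg-1001", about))     # owner
    print(profile_proves_ownership("someoneelse", "reg-1001", about))  # copied token
```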
I think a better approach would be to have the user enter a token into their "about" section, then when they have, the site could scrape their profile, and then the token could be removed after.
How about making a thread that doesn't get upvoted so it's not on the front page, but that you can link to where users post an authentication code you provide. You then scrape that page and match the username to the auth code.
Or a comment in this thread. People could reply to one of the posts here as proof-of-username. No need to make a dedicated thread; all comments got their own static url.
It is downright stupid. The author is an idiot for doing this. And I don't call people idiots lightly. Presumably PG will block this site from accessing HN shortly.
I think you meant to say something like naive about alternative approaches, right? Because calling someone an idiot will more than likely make pg block you.
You asked for my HN password. I entered "no fucking way". The page is still loading, but if it's not gonna pass (I ticked the box 'use a different password') I won't be registering on your website.
Edit: Okay even if I wanted to give you my HN password (which I have absolutely no intention of doing), I can't register: "Sorry please try again later. Failed to connect to news.ycombinator.com."
If you want to check for an HN user, simply ask them to paste a token in their profile description. And they can remove the token after you did the verification. Basic authentication mechanism.
Asking for people's password is crazy. Even if you are using https and doing the best security practices.
No, you don't need to do that. Just stop asking for a user's password. This way you're doing the exact opposite of what you should be doing: this is filtering the smart people out. Only naive users enter their password on a website that has just been created, exists for like five minutes, has a handful of jobs on it, and happened to make it to the HN homepage claiming to be a job site. I'd almost create a similar site, then post all passwords in a heavily hashed form so that users can check and confirm it's valid while not actually revealing their password.
How should I authenticate then? I could always let the user put a token in their profile, which I can scan for, but I can't do that either because the IP is blocked and I can't scrape the profile.
You could have people reply to a post somewhere (like in this thread, or one post in this thread). You can make a cronjob that checks every 10-30 seconds, which won't get you banned and is a reasonable time to wait for verification.
Profiles is another option but this requires more traffic and you probably need to authenticate to view profiles (which is not a problem, but there are probably more restrictions on accounts to keep bots out).
It's not even about trusting your website with my HN password, it's about the way it's asked. If people do this, they might do the exact same on any scam website. This kind of behavior shouldn't be encouraged. Even e-mail isn't considered safe to transmit passwords on, and that's supposed to be private.
I forgot I had this site opened in a tab amongst 12-16 tabs. With the tab that small, I thought I had a site open in the background about handjobs until I clicked it and realized it was the HN job board.
So, a generic bootstrap theme that looks broken in parts, is not laid out efficiently at all when you click a job, and requires me to put in my HN login information? I'll pass.
One minor error though: you misspelled "Hadoop" as "Haddop" on the listing gleaned from our "Who Is Hiring" posting even though the original doesn't have the mistake. Are you generating these automatically or manually?
You may want to check out my program to search (and optionally) apply to all the jobs listed on HN. The difference is you searched jobs in the "Jobs" column, but I search on the Who's hiring post. This is the url:
The whole HN password thing is sketchy, but I'm not super tied to my account so I went ahead and tried to register. It's telling me that my HN account doesn't exist, though. What's up with that??
I am a lazy ass. A few months back I wrote a crawler that goes through all posts by "whoIsHiring" and dumps them in a DB to collect stats like location, skills, etc. It is a Python script and the DB has records of 2012.
Seriously, I can't have an exclamation point (!) in my password? What the heck are you doing with passwords that you need to prohibit basic punctuation?
He's not using Strict Transport Security. The cookies that I can see don't have the secure flag set. I can't see a session cookie as I will not sign up to this service until he fixes the login. But I'm going to assume he hasn't set the secure flag on that either.
Which all boils down to the following: An active MITM can trivially steal your session cookie and take over your account.
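A check for the two gaps named in the comment above, written as an added example rather than anything posted in the thread: it audits the headers of an HTTPS response for a usable Strict-Transport-Security policy and for cookies set without the Secure flag. The function name and both header sets are constructed for illustration.

```python
import re


def audit_https_response(headers):
    """headers: list of (name, value) pairs from one HTTPS response."""
    findings = []
    hsts = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not hsts:
        findings.append("no Strict-Transport-Security header")
    else:
        # max-age=0 tells the browser to forget the policy, so treat it
        # the same as having no policy at all.
        m = re.search(r'max-age\s*=\s*"?(\d+)', hsts[0], re.I)
        if m is None or int(m.group(1)) == 0:
            findings.append("Strict-Transport-Security has no positive max-age")
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
        # Without Secure the browser also sends the cookie over plain HTTP.
        if "secure" not in attrs:
            findings.append(f"cookie '{cookie_name}' lacks the Secure flag")
    return findings


# Constructed sample responses, not captured from the site under discussion.
WEAK = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "prefs=dark; Path=/"),
]
HARDENED = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure"),
]

if __name__ == "__main__":
    for label, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_https_response(sample))
```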
I try to downvote fewer people (it's so demotivating to stay active in the community when you get downvoted for being disagreed with), but this is just entirely non-constructive. If you had given any reasons for your opinion, I wouldn't have.