It's unfortunately not easy to do with Chrome either (with or without extensions). I wound up downgrading to Firefox 3 from beta 4 to get back to the more mature plug-ins that make this light work.
Fun challenge. It took me about 10-15 minutes using curl.
I think it's the right level of difficulty: Difficult enough that you're able to weed out a lot of really low quality applicants, but not so difficult that you run the risk of excluding high quality applicants.
Honestly they should not have made this announcement public, it should be a private message to anyone submitting an application, otherwise random people pick up the challenge and post the answers online.
Waaay too easy...honestly, I'm not tooting my own horn.
But I guess it would keep the lazy applicant from applying.
EDIT: on second thought, maybe it is the right level. They aren't likely looking for $100k+ hacker geniuses, just guys who can think outside the box and know how to do basic digging and prevent your typical hack.
I retract my statement. Clever application process.
The first step being actually accessing the back-end? That took me about 30 seconds, but I got bored as soon as I got there, mostly because I'm just taking a break from working on a personal project.
I actually applied with SeatGeek awhile back, and I guess my resume was tossed in the fluff pile. I sort of wish they'd had this at the time, since I'm sure I could figure it out based on the other replies in this thread. But fuck it, I've gotten a job since then with what seems like a pretty cool company, so I can't complain. :)
Took me about that long for the first step, then did a facepalm once I realized the solution. Was way overthinking that one, but it's like you either know it or you don't -- if you know it you'll figure it out eventually.
Regarding whether or not it's too easy...that's something we wondered about. We decided we wanted a relatively straightforward initial screen rather than an complex brainteaser.
So I would by no means liken this to the Greplin Challenge, but we're trying to accomplish something different. We're hoping to eliminate the crappy applicants so we can spend more time on the good ones.
After I initially overreacted about it's simplicity, I saw the point more clearly. In fact, the more I think about it the more I loved it. (from your business's standpoint)
Whenever I've been apart of interviewing candidates, ≈70% of the time was wasted on applicants who fluffed their resumé, got an interview, and were obviously not what they claimed to be. This would probably significantly reduce that overhead and at the same time attract people who enjoy coding vs. do it just to pay the bills.
That was roughly our thought process (I'm another seatgeeker btw). We wanted to come up with something that would be pretty quick to solve if you know what you're doing, but at the same time, demonstrates that you've got a pretty good understanding of a bunch of the moving parts of web development.
I interviewed with a pretty big company awhile back, and they told me that 50% of the people they talked to couldn't pass a basic phone screen - the technical portion of which basically consisted of making sure I knew what the modulo operator was, what it did, and some practical applications thereof.
How were y'all's percentages in that regard? How many applicants flat-out couldn't write code to save their life?
I think that you may have erred on the side of too easy. I have very little web development experience, but I was able to solve it in a few minutes. I didn't even use any developer tools.
Not a web developer, but a scientist who plays around with it a little bit. Here is what I tried:
1) Viewed source. Didn't see any obvious comments.
2) Looked at .css files. Nothing obvious there, though there are styles for form/etc classes and elements that aren't used in the page.
3) Tried creating some forms with input and label elements in the markup in Firebug to see if CSS labeling on buttons showed anything. Just showed "Submit Query".
4) Looked at session headers in Firebug/Safari and saw something along the lines of
But no dice. Is this totally the wrong direction? Is this puzzle really that obvious to any real web developer worthy of the name, and if so where did you earn your spurs/what books/sites did you read?
Not totally -- you're looking at the right things. As people have been saying there are kind of two parts to it. The first part has a lot more to do with the page content than the technical specifics.
No worries, I'm certainly not "getting" the riddle myself. I tried md5sum'ing the response body and base64 encoding it and replacing the cookie's csrf.token value with that, which didn't work (I did notice, however, that the server is accepting whatever you put in the cookie without re/over writing it).
I tried POSTing and PUTing with data values like "csrf=valuefromcookie" and (this may seem stupid) "browser=seatgeek".
I hand crafted a request using cURL.
I also discovered their VHOST settings aren't quite right either because when you POST to https://apply.seatgeek.com it takes you straight to the homepage (instead of redirecting you to the http://apply.seatgeek.com page).
Either way, kudos to those that got it in 15 minutes - I wasted far too much time chasing my tail on this one.
Would be funny if somebody went overboard and actually rooted the box, deleted the other entries and changed the site so the problem couldn't be solved (or closed the competition).
Then I guess you'd have to give him the job by default :-)
Always has to be a "him" right? Myopic macho nonsense, just like this company that wants "hyper-motivated" applicants. Ridiculous, geek-macho, over-caffeinated boys who speak first and (maybe) think later.
That was fun. Personally I wouldn't make it any harder as it would already weed out a huge portion of the candidates I have interviewed in the past. I would perhaps add something that required a little JavaScript or something written though.
I wonder how many applications you get from people that don't actually want the job.
I quite enjoyed this :-) Reminds me of an online game that I played through years ago which I'm having trouble digging references to now; hack your way through successive levels, starting with really trivial things like default passwords and working your way up through all the exploitation techniques through to the more interesting ones (buffer overflows, off by 1 errors etc).
I was well hooked on the writings of Aleph1, Mudge and Rain Forest Puppy at the time, and this game was an excellent tool for teaching developers about vulnerabilities and thus how to defend against them. I know that the game spawned a plethora of copy-cats later on of varying qualitites - does anybody happen to know the one I'm referring to?
Thanks for the link, had not seen Uplink before. It's not what I was trying to remember though. I'm basically talking about a website. On the first screen it has a username and a password box. The password check is hardcoded into the JS on the page and viewsource gives it to you. Completing it gets you to the next stage. The next stage has no such info, but the password is easily guessable. The one after can be beaten by a cookie modification, the one after that involves injecting some variables into a server-side script etc etc... At each stage it links you to articles which may be relevant tothe task at hand; It's like a step-by-step training to hacking websites, graded nicely in difficulty from the trivial up to some reasonably difficult techniques at the higher stages.
Answering my own question here, but curiosity got the better of me so I trawled through my mail archives and found the site. It was http://quiz.ngsec.com/ and it's unfortunately offline now. Shame.
Great idea! I thought I had it figured out last night but the blank screen I got when submitting kept bothering me. This morning I double checked the requirements and saw if I got a blank screen I had not done it right.
I went back and got it figured out - I think the barrier to entry for this is just right.
42 comments
[ 2.8 ms ] story [ 83.0 ms ] threadI submitted this as my resume: http://www.russellheimlich.com/blog/wp-content/uploads/2007/...
Edit: Removed potential spoilers.
I think it's the right level of difficulty: Difficult enough that you're able to weed out a lot of really low quality applicants, but not so difficult that you run the risk of excluding high quality applicants.
But I guess it would keep the lazy applicant from applying.
EDIT: on second thought, maybe it is the right level. They aren't likely looking for $100k+ hacker geniuses, just guys who can think outside the box and know how to do basic digging and prevent your typical hack.
I retract my statement. Clever application process.
I actually applied with SeatGeek awhile back, and I guess my resume was tossed in the fluff pile. I sort of wish they'd had this at the time, since I'm sure I could figure it out based on the other replies in this thread. But fuck it, I've gotten a job since then with what seems like a pretty cool company, so I can't complain. :)
So I would by no means liken this to the Greplin Challenge, but we're trying to accomplish something different. We're hoping to eliminate the crappy applicants so we can spend more time on the good ones.
Whenever I've been apart of interviewing candidates, ≈70% of the time was wasted on applicants who fluffed their resumé, got an interview, and were obviously not what they claimed to be. This would probably significantly reduce that overhead and at the same time attract people who enjoy coding vs. do it just to pay the bills.
How were y'all's percentages in that regard? How many applicants flat-out couldn't write code to save their life?
1) Viewed source. Didn't see any obvious comments.
2) Looked at .css files. Nothing obvious there, though there are styles for form/etc classes and elements that aren't used in the page.
3) Tried creating some forms with input and label elements in the markup in Firebug to see if CSS labeling on buttons showed anything. Just showed "Submit Query".
4) Looked at session headers in Firebug/Safari and saw something along the lines of
5) Noticed 'csrf.token' and googled to figure out it was a cross site request forgery prevention token, which seems sort of related.Tried to mess around with this in Python and sort of got somewhere with this
Then tried re-encoding: and then doing an HTTP POST with curl But no dice. Is this totally the wrong direction? Is this puzzle really that obvious to any real web developer worthy of the name, and if so where did you earn your spurs/what books/sites did you read?I tried POSTing and PUTing with data values like "csrf=valuefromcookie" and (this may seem stupid) "browser=seatgeek".
I hand crafted a request using cURL.
I also discovered their VHOST settings aren't quite right either because when you POST to https://apply.seatgeek.com it takes you straight to the homepage (instead of redirecting you to the http://apply.seatgeek.com page).
Either way, kudos to those that got it in 15 minutes - I wasted far too much time chasing my tail on this one.
What's more annoying is I did do it correctly the first time - I just misspelled it! :-/
Then I guess you'd have to give him the job by default :-)
I wonder how many applications you get from people that don't actually want the job.
I was well hooked on the writings of Aleph1, Mudge and Rain Forest Puppy at the time, and this game was an excellent tool for teaching developers about vulnerabilities and thus how to defend against them. I know that the game spawned a plethora of copy-cats later on of varying qualitites - does anybody happen to know the one I'm referring to?
I was completely addicted to that game in college. The also apparently have a version on steam now.
I went back and got it figured out - I think the barrier to entry for this is just right.