Show HN: I made an HN job board (hnjobs.org)

149 points by monological ↗ HN
I noticed the who's hiring threads are very popular every month, so I decided to create a job board specifically for hacker news. You can tag jobs, search, view user's profiles and more.

Tell me what you guys thing! Any feedback is appreciated.

80 comments

[ 3.0 ms ] story [ 146 ms ] thread
One of my tags had a . in it (asp.net) and gave me a validation error when I tried to preview the post, cleared out all the other fields.
I've been trying to find an email to contact you or Leafly since I saw your job posting. Any help?
scott-at-leafly
It's pretty bad that I have to enter my HN password.
Yes, I do not feel comfortable giving this site my HN credentials.
WTF that's horrifying, this should be taken down it's a honey trap!
I think a better approach would be to have the user enter a token into their "about" section, then when the have the site could scrape their profile and then the token could be removed after.
A better way to verify that I own the username is to make me put a token in the about of my profile.
I tried registering by using my HN username with a different, non-HN password. It seemed to work.
When I was running usethesource.com (a job board that allowed only people with a certain HN karma to post) I worked around this authentication issue by having people place a magic string in their HN profile.

So, you'd register as say jgrahamc on my site and then place 'magic string' in your HN profile and usethesource.com would know that it was really you.

How do you prevent people from just copying someone else's magic string?
If you make the magic string an HMAC of the user's name and some secret, then they should be non-transferrable.
Requiring the user to HMAC to be able to post jobs is great and would help filter out recruiters that can't figure that stuff out.

Or better yet, how about a job board that requires the person submitting the job to solve programming puzzles common in technical interviews. Also permit people posting the jobs to link to open-source projects that their company publishes and contributes to. It would be great if people could filter the job board to only show jobs from companies that have completed a challenging puzzle and/or publish/contribute actively to an existing open source project with X number of forks and Y number of followers.

Searching companies by some sort of "github" rank based on the people on the company's organization page would be awesome too. i.e. between the 10 developers listed on a page, what is their average forks/dev and stars/dev?

It wouldn't work to make the user perform the HMAC, since it requires having the secret, and then the user could share the secret. You need the server to calculate

magic = HMAC(secret, username)

and then give 'magic' back to the user. And then the server can decide whether the (username, magic) pair is valid.

you could still require the user to HMAC too, just for filter's sake :-)

alternatively, make the 'submit job' feature only available as a (documented) HTTP POST operation without any matching HTML form.

Then the recruiting companies will just pay a dev to write a tool for them to bulk post job req's all day.
The magic string doesn't need to be private, each user gets a randomly generated string. Either they can place it into their own profile or not.
Didn't realize it was brought down. Which means I hadn't checked in quite a while. Which kind of makes sense as to why it was brought down (and it's not hard to imagine why), but did you ever write up a post-mortem or such?

"usethesource site:jgc.org" on Google just gave me the original post.

The post-mortem would likely be: "I don't have time to invest the necessary effort to make the site popular."
Just saw this after posting my solution. This is a much nicer approach.
Agreed. I will try implementing this asap.
It is downright stupid. The author is an idiot for doing this. And I don't call people idiots lightly. Presumably PG will block this site from accessing HN shortly.
I think you mean't to say something like naive about alternative approaches right? Because calling someone an idiot will more than likely make pg block you.
Sometimes actions are not just naive, but plainly idiotic.
ya, life could get pretty rough if you had to enter your HN username too
How about making a thread that doesn't get upvoted so it's not on the front page, but that you can link to where users post an authentication code you provide. You then scrape that page and match the username to the auth code.
Or a comment in this thread. People could reply to one of the posts here as proof-of-username. No need to make a dedicated thread; all comments got their own static url.
The other option is simply not linking it with HN. Later on, I'm going to allow for filtering by karma if you're looking for potential employees.

Another thought I had was putting a token in your profile which I can scan for. What do you think?

open source this! what are you using?
It doesn't do geographic searches well.

"San Francisco" results in just 1 match, whereas there are 5 on the front page alone.

(comment deleted)
This is neat! A few questions and comments:

1. It looks like you don't actually need peoples' HN password. Which people shouldn't be giving out. Update your website's copy!

2. This looks very similar to the Stackoverflow Careers' admin panel. Which is dandy. I'm interested to see how this goes.

3. Searching by geography would be useful, I think.

4. Could you elaborate on who you are, what your motivation is for building this, etc? (Do you plan on charging at some point?)

5. This is important because there is always an element of trust when using an employment service. By using a job posting service, you get insight into our openings, the types of people applying, our communications, and whether we are choosing to hire them.

Especially because your service has such robust communication/messaging facilities, I would be really interested to know what has brought this about before using it to recruit for my company. (We're hiring by the way!)

Good stuff! Looks slick, seems easy to use, and if you're able to keep it high-quality (how would one do that?) then I'm all ears.

I'm not the OP, but I wanted to write and thank you for taking the time to leave that great feedback!
Thank you!

1) I was thinking of changing the verification process by allowing users to place a special token in their profile, which I can just scan for (within a small time window). Thoughts?

2) I took ideas from stack overflow and 37signal's job boards.

3) In the works! :)

4) I work at Xilinx as my day job, but I have a passion for startups and spend quite a bit of time on HN (as a lurker though). I noticed there are 'who's hiring' posts every month, which are usually quite popular. I figured a dedicated website would suit the community well.

If I ever start charging, it would only be after I implement more features, make the site more useful, and depending on what feedback I get. Also if I do charge, whatever the cost might be, it would help filter out a lot of junk posts.

5) This is absolutely key. I hope to earn this trust. :)

I appreciate the feedback.

I see one posting in England, but damned if I can see how to add another! I'm assuming location has to match the auto-complete whitelist, and the only London(s) that show up are not the one I need.
1) The special token is much better idea. I don't feel comfortable giving out any passwords to anyone, (almost) ever.
I wish HN would do OAuth.
So, a generic bootstrap theme that looks broken in parts, is not laid out efficiently at all when you click a job, and requires me to put in my HN login information ? I'll pass.
Thanks for the valuable feedback. It's an MVP just to test the idea out. If it sticks the UI will improve significantly.
(comment deleted)
I think the whoishiring threads are enough, if you did it just for fun as a side project then its pretty cool.
SSL is a sweet bonus feature. Is this on Heroku?
Https should be default when handling logins. I won't use one of my strong passwords on non-https websites.
He's not using Strict Transport Security. The cookies that I can see don't have the secure flag set. I can't see a session cookie as I will not sign up to this service until he fixes the login. But I'm going to assume he hasn't set the secure flag on that either.

Which all boils down to the following: An active MITM can trivially steal your session cookie and take over your account.

The whole HN password thing is sketchy, but I'm not super tied to my account so I went ahead and tried to register. It's telling me that my HN account doesn't exist, though. What's up with that??
Hopefully PG has alright blocked this site from accessing HN.
You could do something useful instead.
I try to downvote fewer people (it's so demotivating to stay active in the community when you get downvoted for being disagreed with), but this is just entirely non-constructive. If you had given any reasons for your opinion, I wouldn't have.
If I have my opinion, I probably have reasons for it.

Taking everything from an emotional perspective is dumb.

What I need as a job searcher:

1. the ability to filter by geographic area (including some way of grabbing "remote"/"telecommute" jobs).

This is a great idea! I enforce location per job post so I can do this very thing. It's in the works.
I am a lazy ass. A few months back I wrote a crawler that goes thru all posts by "whoIsHiring" and dump in Db to collect stats like location, Skills etc. It is a Python script and DB has records of 2012
(comment deleted)
I apologize, my server got banned by HN, thus all registrations are failing. Pg can you unban the server's IP: 216.70.83.132?
No you don't need to do that. Just stop asking for a user's password. This way you're doing the exact opposite of what you should be doing: this is filtering the smart people out. Only naive users enter their password on a website that has just been created, exists for like five minutes, has a handful of jobs on it, and happened to make it to the HN homepage claiming to be a job site. I'd almost create a similar site, then post all password in a heavily hashed form so that users can check and confirm it's valid while not actually revealing their password.
How should I authenticate then? I could always let the user put a token in their profile, which I can scan for, but I can't do that either because the IP is blocked and I can't scrape the profile.
You could have people reply to a post somewhere (like in this thread, or one post in this thread). You can make a cronjob that checks every 10-30 seconds, which won't get you banned and is a reasonable time to wait for verification.

Profiles is another option but this requires more traffic and you probably need to authenticate to view profiles (which is not a problem, but there are probably more restrictions on accounts to keep bots out).

It's not even about trusting your website with my HN password, it's about the way it's asked. If people do this, they might do the exact same on any scam website. This kind of behavior shouldn't be encouraged. Even e-mail isn't considered safe to transmit password on, and that's supposed to be private.

You got banned for a reason so why would he unban you?
I really like it!

One minor error though: you misspelled "Hadoop" as "Haddop" on the listing gleaned from our "Who Is Hiring" posting even though the original doesn't have the mistake. Are you generating these automatically or manually?

Thanks!

I forgot I had this site opened in a tab amongst 12-16 tabs. With the tab that small, I thought I had a site open in the background about handjobs until I clicked it and realized it was the HN job board.
Is there any way to filter by remote, H1-B etc.?
You asked for my HN password. I entered "no fucking way". The page is still loading, but if it's not gonna pass (I ticked the box 'use a different password') I won't be registering on your website.

Edit: Okay even if I wanted to give you my HN password (which I have absolutely no intention of doing), I can't register: "Sorry please try again later. Failed to connect to news.ycombinator.com."

Interesting...

You may want to check out my program to search (and optionally) apply to all the jobs listed on HN. the difference is you searched jobs in the "Jobs" column, but I search on Who's hiring post. This is the url:

https://github.com/jw2013/HN_jobs