HTS Needs to Stop Sucking


Re: HTS Needs to Stop Sucking

Post by sanddbox on Wed Jan 19, 2011 10:27 pm

Wow, there's been a lot of posts. Here goes:

neuromanta wrote:Here's another thing: there are many new topics by new users, asking where to start learning if they want to become a hacker. I think that there should be an easily recognizable link on the main page that points the newcomer to a page where everything is written down for newcomers.


We already plan to add a very detailed FAQ page for the newcomers. I doubt many will actually read it, but it's a step in the right direction.

@Wells: All valid points you've raised (and you've raised them many times). I'm sure with NightQuest as lead dev your input will actually be listened to.

@0xBEEF1337: I remember that thread, and I also remember being impressed as hell when I read your post. Honestly, I don't think any of us knew much about the topic, or at least didn't possess nearly the amount of knowledge you did. Remember, even if people don't acknowledge it, good posts get noticed.
------------------------------------------------------------------------------------------------------------------------------------------------------
Now, for the important part. @Kage:

Since you've decided to take discussion of staff members public, I will too.

I honestly and respectfully do not believe you are the right person to administrate HTS. You've been on IRC actively for at least a month now, and yet I have never seen you respond to me or other staff, with the exception of Monica. 2 days ago, I submitted a list of changes Goatboy and I had brainstormed, and I had literally no reply; you didn't even acknowledge that you had received my message.

I admit I have been a staff member for a short time, but with the exception of the occasional server maintenance, I have literally seen you do nothing for HTS. You remain inactive, you refuse to hire the right staff members (NightQuest is a case in point), and I have seen you make no effort to improve HTS. Despite your unwillingness to work, you refuse to give access to anyone else so that they may get work done.

This is not acceptable for someone in control of our PayPal account, emails, servers, and DNS (at least partially). In fact, at this point I'm not sure you're not simply pocketing all the money HTS makes. I guarantee you, if you ask any intelligent member of HTS who has been here for more than two years, they will tell you that you are the bane of progress here at HTS.

You cannot keep a steel grip on power and not use it in any way whatsoever. You provide no transparency; in fact, you are active exclusively when a takeover is forming.

Monica, despite her abuse of spray tan and dramatic nature, has done far more for HTS than you ever will, while running a fairly successful gaming league on the side.

TL;DR: I respectfully believe that you should be little more than a sysadmin.

EDIT: Since both Korvin and Monica are most likely illiterate, I'll clarify. "You should be little more than a sysadmin" = "You should be not much more than a sysadmin".

HTS User Composition:
95% Male
4.98% Female
.01% Monica
.01% Goat
sanddbox
Expert
Posts: 2331
Joined: Sat Jul 04, 2009 5:20 pm


Re: HTS Needs to Stop Sucking

Post by mutantsrus on Thu Jan 20, 2011 2:14 am

HTS never changes, eh?
Still drama, a lack of active devs, and Monica sticking her hand in the dev cookie jar past her bedtime.
Like I said before, I'd love to help out around here again, but only as an official dev this time. Years ago HTS milked me for missions and didn't really give anything back. (Although Monica did give me a spiffy title which was appreciated)
I was contacted by Bren2010 about coding some missions, but I'd like to hear the opinions of ALL of the devs as well.
mutantsrus
New User
Posts: 40
Joined: Wed Jan 21, 2009 8:01 pm


Re: HTS Needs to Stop Sucking

Post by NightQuest on Thu Jan 20, 2011 2:31 am

This thread was brought to my attention earlier, and just to clarify -- I am in no way asking for Lead Dev.
I had about 5 people message me on IRC today telling me "Grats on Lead Dev, so what are your plans?".
albeit to say I was a little surprised.

Things like this are why I (and many other people) take 'breaks' from HTS (or leave entirely), and why we don't actually try to become staff, it just sort of happens -- there's too much pointless drama.
Bored? call someone a faggot. Had a bad day? Insult the crap out of someone in #help. Want to feel good about yourself? ban an entire ISP from a public channel.. Etc.
And the worst part? this is commonplace on HTS, and the rules are barely enforced by the staff - some even participate in this (you know who you are). Not to mention the admins barely respond to anyone.

The HTS recode has been through how many revisions now? three? four? five? Each time it has died the lead dev has left usually because of drama, administration restrictions, or something else -- And each time, the lead dev has taken the code with them.
The 'current' code repository for HTS is closed, and/or Kage will not add anyone to its access list. Why? Because he wants to focus all coding on the recode. So because of this in combination with the various recodes that have happened, it has led to HTS being 'inactive' for a while.

Keep in mind that developing on the current website is extremely unpleasant, as you are given access to the website's .php files and that's it. Need a query run? Ask Kage. Need the structure for the missions table? Look in the source files and figure it out yourself. Etc. The website is not documented at all, not even the database -- to figure out how something works you have to read the code already there. And from what I've seen the recodes are taking the same route, there is no documentation on any of the databases, coding, or even the coding standard to use.

This community is failing to provide a stable environment for hackers to communicate about programming, exploits, and helping newbies learn (Isn't that supposedly our 'mission'?). -- They're doing the opposite, creating a hostile environment where only a select few actually help, and if you're a newbie? well, you'd best avoid the hub of the site, the IRC. If you do join the IRC beware to ignore most people, as they will try to deter you from being an active member on the site, telling you that "you won't learn anything useful here".

Unless the staff and community start taking this seriously I will deny Lead Dev if it's offered, and my apps will continue to be limited, otherwise I will continue to make app challenges when I have nothing better to do. This is because I refuse to be a part of an administration or development for a website and community that bites the hand that feeds them. There's not enough appreciation going around, ideas are stomped on for personal favour of people in high positions of power, and the staff simply doesn't care anymore and I would hate to be the only one that does.


On a side note, Bren did put a lot of work into the recode, give him a little credit - whether or not you agree with things he did, the security of the recode, or anything else.

tl;dr: Unless HTS stops acting so much like an asshole, my help will be limited.
NightQuest
Developer
Posts: 46
Joined: Sun Feb 22, 2009 6:03 am


Re: HTS Needs to Stop Sucking

Post by Monica on Thu Jan 20, 2011 2:45 am

<3's NightQuest.
hi am new so plz dont troll me or i report 2 the HTS mods ty
Monica
Contributor
Posts: 877
Joined: Thu Oct 02, 2008 12:29 am
Location: In The Shadows


Re: HTS Needs to Stop Sucking

Post by neuromanta on Thu Jan 20, 2011 4:26 am

0xBEEF1337 wrote:I click on the "new threads" post which is mostly low-level help requests, directly related to the missions, or just irrelevant to my interests. If you want to attract people and start a cohesive community where people like me regularly contribute, you need to generate better content and discussions.

Hacking is a huge topic, and the community has really cool interests. Let's talk about 2600 articles we read, let's talk about Off the Wall podcasts, let's talk about that recent php exploit in greater detail -- where we figure out what actually causes the floating point to crash php. If you want a community, content needs to be king. All this bullshit about the forum skin is secondary, and yeah it does look like shit, I've blocked the "woah man I'm 14 years old and graffiti is sw33t" graphic on top using adblock, I don't want to visit this site if someone else can see my screen because it just looks embarrassing once you're in the professional arena.


+1

But I'd add that the underground look and feel of HTS is not much of a problem. I don't think that elitism would help in any way.
neuromanta
Poster
Posts: 302
Joined: Mon Nov 30, 2009 9:29 am
Location: Hungary


Re: HTS Needs to Stop Sucking

Post by mutantsrus on Thu Jan 20, 2011 5:20 am

NightQuest wrote:This thread was brought to my attention earlier, and just to clarify -- I am in no way asking for Lead Dev.
I had about 5 people message me on IRC today telling me "Grats on Lead Dev, so what are your plans?".
albeit to say I was a little surprised.

Things like this are why I (and many other people) take 'breaks' from HTS (or leave entirely), and why we don't actually try to become staff, it just sort of happens -- there's too much pointless drama.
Bored? call someone a faggot. Had a bad day? Insult the crap out of someone in #help. Want to feel good about yourself? ban an entire ISP from a public channel.. Etc.
And the worst part? this is commonplace on HTS, and the rules are barely enforced by the staff - some even participate in this (you know who you are). Not to mention the admins barely respond to anyone.

The HTS recode has been through how many revisions now? three? four? five? Each time it has died the lead dev has left usually because of drama, administration restrictions, or something else -- And each time, the lead dev has taken the code with them.
The 'current' code repository for HTS is closed, and/or Kage will not add anyone to its access list. Why? Because he wants to focus all coding on the recode. So because of this in combination with the various recodes that have happened, it has led to HTS being 'inactive' for a while.

Keep in mind that developing on the current website is extremely unpleasant, as you are given access to the website's .php files and that's it. Need a query run? Ask Kage. Need the structure for the missions table? Look in the source files and figure it out yourself. Etc. The website is not documented at all, not even the database -- to figure out how something works you have to read the code already there. And from what I've seen the recodes are taking the same route, there is no documentation on any of the databases, coding, or even the coding standard to use.

This community is failing to provide a stable environment for hackers to communicate about programming, exploits, and helping newbies learn (Isn't that supposedly our 'mission'?). -- They're doing the opposite, creating a hostile environment where only a select few actually help, and if you're a newbie? well, you'd best avoid the hub of the site, the IRC. If you do join the IRC beware to ignore most people, as they will try to deter you from being an active member on the site, telling you that "you won't learn anything useful here".

Unless the staff and community start taking this seriously I will deny Lead Dev if it's offered, and my apps will continue to be limited, otherwise I will continue to make app challenges when I have nothing better to do. This is because I refuse to be a part of an administration or development for a website and community that bites the hand that feeds them. There's not enough appreciation going around, ideas are stomped on for personal favour of people in high positions of power, and the staff simply doesn't care anymore and I would hate to be the only one that does.


On a side note, Bren did put a lot of work into the recode, give him a little credit - whether or not you agree with things he did, the security of the recode, or anything else.

tl;dr: Unless HTS stops acting so much like an asshole, my help will be limited.


I understand you completely regarding the occasional "break" from HTS. I've been gone for quite a while now, but things don't seem to have changed at all around here. I also agree with what you said about HTS "biting the hand that feeds". Like I said before, I got used. Now HTS is actually asking users for missions, which is fine and all and fits with the community aspect of the site, but what of the so-called devs? Why is it that no new missions are being made? One word: recode. Now, while I'm all for a fresh start, the "recode" seems to be just like Duke Nukem Forever... with one major difference: Duke Nukem actually ended up getting finished.
mutantsrus
New User
Posts: 40
Joined: Wed Jan 21, 2009 8:01 pm


Re: HTS Needs to Stop Sucking

Post by Wells on Thu Jan 20, 2011 7:14 am

LOL

So I thought I'd remind myself of how bad the current HTS missions are and why we really need some better content.

So I check out "realistic 16" which I had not completed. This is a webmail site. I look at the links in the menu, and under "Links" are the Wireshark homepage, and an article about how you "should not" write server-side files and GET those from a flash plugin to send data from the server to the client swf.

WTF? Clearly two big fucking clues right in the "Links" menu of this supposed webmail interface? Are you fucking kidding me? This is the highest numbered 'realistic' mission labelled as "Harder" and we have this?

And of course we have the "trawling through the source for every page" looking for the admin panel URL and the filename clues. Jesus.

The only interesting part was overwriting the config file. I actually tried just intercepting the server's response to the SWF first but that was checked for server-side on the resulting admin url.

Funnily enough I actually got stuck for ages here just because I didn't find some bullshit log in the HTML source. This is not real hacking.

Anyway, once I realized the username is a filename and you can write arbitrary strings there, I overwrote the config with a correct string on my first attempt. There is nothing difficult here.

And you don't need the clue about flash variables in files. It's clear from inspecting the HTTP traffic that the config file points to a url for the SWF to use, and it's clear that url returns values for the SWF. You don't need to hold the user's hand. Any intelligent person can figure this stuff out.

So once you have got to the admin panel the final stage is simply guessing a URL. And that's it. What skills have been tested?

1. Looking in the menu of the site for 2 huge clues. One telling us to sniff the HTTP requests, another telling you about how the flash file is using server responses to receive variables.
2. Looking through the HTML source and finding out your user name is a filename on the file system and you can write arbitrary data there.
3. Looking through the HTML source and finding the admin page.
4. One slightly-not-trivial injection into the config file.
5. Guessing a final url to pass the mission.

Honestly you don't need those two clues in the "Links" menu. Anyone with skill is going to be running some traffic inspector to see what HTTP requests are being made. I was using TamperData for Firefox. You don't need to put a link to frickin' Wireshark in there.

And you certainly don't need a link to the flash receiving variables bullshit. People can also figure *that* out.

My god.

What we need are solid fundamental missions teaching you about XSS, CSRF, HTTP sniffing/manipulation, exploiting buffer overflows, how to modify a JMP and other basic debugging skills, how to inject some SQL, or whatever. These can be fully written help pages like on hakdissitelol.org which have a simple mission to complete them.

Then once we have those done, we take as many of these basic concepts as we can and combine them in as many different ways as we can on a dummy site. And we don't hold the user's hand.

We don't want more missions where you just look through the source code to find hidden admin panels and clues that your user name is a filename and your profile can be written to that file. There's no imagination there. There's no skill involved.

Arg.
Wells
New User
Posts: 23
Joined: Wed Jan 19, 2011 3:57 am


Re: HTS Needs to Stop Sucking

Post by mShred on Thu Jan 20, 2011 7:28 am

Wells, every time I read one of your posts, you somehow find a way to get me to agree with whatever you're saying. You're a damn good writer. Although, you will probably get flamed for the spoilerish post.

For those about to rock.
mShred
Administrator
Posts: 1689
Joined: Tue Jun 22, 2010 4:22 pm


Re: HTS Needs to Stop Sucking

Post by Wells on Thu Jan 20, 2011 7:31 am

Oh god, and the javascript missions too. I just finished them all in about 10 minutes. Is this some kind of a sick joke?

-- Thu Jan 20, 2011 7:40 am --

By the way. I did make my own programming mission about 6 months ago. I've contacted Kage directly multiple times and had no helpful response.

Someone could upload it to the site today and post a news item. This would get some people excited and it means the site isn't sitting here dead. It's not a particularly amazing mission but it should get people engaged.

I might as well post it here:

\x0a\xae\x02\x2f\x2a\x20\x6d\x69\x73\x73\x69\x6f\x6e\x2e\x70\x72\x6f\x74\x6f\x20
\x2a\x2f\x0a\x70\x61\x63\x6b\x61\x67\x65\x20\x68\x74\x73\x3b\x0a\x0a\x2f\x2a\x20
\x53\x65\x6e\x64\x20\x62\x61\x63\x6b\x20\x61\x20\x63\x6f\x6d\x6d\x61\x20\x73\x65
\x70\x61\x72\x61\x74\x65\x64\x20\x6c\x69\x73\x74\x20\x6f\x66\x20\x74\x68\x65\x20
\x73\x69\x67\x6e\x65\x64\x20\x36\x34\x20\x62\x69\x74\x20\x69\x6e\x74\x65\x67\x65
\x72\x0a\x20\x20\x20\x76\x61\x6c\x75\x65\x73\x20\x69\x6e\x20\x74\x68\x69\x73\x20
\x70\x61\x79\x6c\x6f\x61\x64\x20\x2a\x2f\x0a\x6d\x65\x73\x73\x61\x67\x65\x20\x50
\x61\x79\x6c\x6f\x61\x64\x20\x7b\x0a\x20\x20\x6f\x70\x74\x69\x6f\x6e\x61\x6c\x20
\x73\x74\x72\x69\x6e\x67\x20\x73\x65\x6c\x66\x5f\x64\x65\x73\x63\x72\x69\x70\x74
\x69\x6f\x6e\x20\x3d\x20\x31\x3b\x0a\x20\x20\x6d\x65\x73\x73\x61\x67\x65\x20\x4e
\x65\x73\x74\x65\x64\x50\x61\x79\x6c\x6f\x61\x64\x20\x7b\x0a\x20\x20\x20\x20\x72
\x65\x70\x65\x61\x74\x65\x64\x20\x73\x69\x6e\x74\x36\x34\x20\x70\x61\x79\x6c\x6f
\x61\x64\x5f\x76\x61\x6c\x75\x65\x73\x20\x3d\x20\x31\x3b\x0a\x20\x20\x7d\x0a\x20
\x20\x6f\x70\x74\x69\x6f\x6e\x61\x6c\x20\x4e\x65\x73\x74\x65\x64\x50\x61\x79\x6c
\x6f\x61\x64\x20\x6e\x65\x73\x74\x65\x64\x5f\x70\x61\x79\x6c\x6f\x61\x64\x20\x3d
\x20\x32\x3b\x0a\x7d\x12\x17\x08\x01\x08\x04\x08\x05\x08\x08\x08\xf1\x14\x08\xde
\xfb\xed\xea\x1b\x08\xfc\xea\xed\x8e\x18


You have to figure out the 7 signed 64-bit integers in the payload. You don't get any other clues unless people get stuck.
Wells
New User
Posts: 23
Joined: Wed Jan 19, 2011 3:57 am
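The hex dump in Wells's post is a Protocol Buffers message that carries its own schema: field 1 is a string holding the .proto text (string self_description = 1), and field 2 is a nested message whose field 1 is a repeated sint64, stored as zigzag-encoded varints. The following is an added example, not the mission's own solver or anything from HTS: a hand-written decoder for that wire format, with the blob reconstructed byte for byte from the post (length prefix 0xae 0x02 = 302 bytes of schema text, then a 23-byte nested message). It implements base-128 varints, zigzag decoding and length-delimited nested fields, and raises an error on truncated or oversized input instead of reading past the buffer, which is the check a hand-rolled binary parser most often forgets.

```python
"""Minimal protobuf wire-format decoder for the hts.Payload mission blob.

Added example, not the mission author's code. Assumes the schema embedded in the
blob itself: field 1 = string self_description, field 2 = NestedPayload whose
field 1 = repeated sint64 payload_values (zigzag varints).
"""

# Schema text, transcribed from the hex dump in the post (302 bytes, no final newline).
PROTO_TEXT = (
    "/* mission.proto */\n"
    "package hts;\n"
    "\n"
    "/* Send back a comma separated list of the signed 64 bit integer\n"
    "   values in this payload */\n"
    "message Payload {\n"
    "  optional string self_description = 1;\n"
    "  message NestedPayload {\n"
    "    repeated sint64 payload_values = 1;\n"
    "  }\n"
    "  optional NestedPayload nested_payload = 2;\n"
    "}"
)
# Field 2 of the outer message: tag 0x12, length 0x17, then seven tag-0x08 varints.
NESTED_BYTES = (
    b"\x12\x17\x08\x01\x08\x04\x08\x05\x08\x08\x08\xf1\x14"
    b"\x08\xde\xfb\xed\xea\x1b\x08\xfc\xea\xed\x8e\x18"
)
# Field 1: tag 0x0a (field 1, wire type 2), length varint 0xae 0x02 (= 302), text.
MISSION_BLOB = b"\x0a\xae\x02" + PROTO_TEXT.encode("ascii") + NESTED_BYTES


class WireError(ValueError):
    """Raised on truncated or malformed input instead of indexing past the buffer."""


def read_varint(buf, pos):
    """Decode a base-128 varint starting at buf[pos]; returns (value, new_pos)."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise WireError("truncated varint")
        if shift > 63:  # protobuf varints are at most 10 bytes
            raise WireError("varint longer than 10 bytes")
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:  # high bit clear: last byte of this varint
            return result, pos
        shift += 7


def zigzag_decode(n):
    """sint64 uses zigzag encoding: 0->0, 1->-1, 2->1, 3->-2, ..."""
    return (n >> 1) ^ -(n & 1)


def parse_fields(buf):
    """Yield (field_number, wire_type, value) for each field in one message."""
    pos = 0
    while pos < len(buf):
        key, pos = read_varint(buf, pos)
        field, wire_type = key >> 3, key & 0x07
        if wire_type == 0:  # varint
            value, pos = read_varint(buf, pos)
        elif wire_type == 2:  # length-delimited: string, bytes or nested message
            length, pos = read_varint(buf, pos)
            if pos + length > len(buf):
                raise WireError("length-delimited field runs past end of buffer")
            value, pos = buf[pos:pos + length], pos + length
        else:  # 64-bit, 32-bit and group wire types are not used by this schema
            raise WireError("unsupported wire type %d" % wire_type)
        yield field, wire_type, value


def decode_payload(blob):
    """Decode an hts.Payload: returns (self_description, [payload_values...])."""
    description, values = None, []
    for field, wire_type, value in parse_fields(blob):
        if field == 1 and wire_type == 2:
            description = value.decode("ascii")
        elif field == 2 and wire_type == 2:
            for nfield, nwire, nvalue in parse_fields(value):
                if nfield == 1 and nwire == 0:
                    values.append(zigzag_decode(nvalue))
        # any other field is skipped, as a real protobuf parser would skip unknown fields
    return description, values


if __name__ == "__main__":
    desc, vals = decode_payload(MISSION_BLOB)
    print(desc)
    print(",".join(str(v) for v in vals))
```

Running the script prints the embedded schema followed by the comma-separated list the mission asks for. The two points worth keeping from this design are that zigzag must be applied only to fields declared sint64 (plain int64 varints are stored two's-complement and would decode to different numbers), and that every length-delimited field is bounds-checked against the enclosing buffer before it is sliced, so a blob with a lying length prefix fails with WireError rather than producing silently wrong output.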


Re: HTS Needs to Stop Sucking

Post by goluhaque on Thu Jan 20, 2011 10:48 am

btw, are we people entitled to ask whether the new code is based on MVC? If yes, which framework? Zend?
(23:45:03) hauk: I guess you are over the best part of your life when 4-year-olds say "Are you an evil man?"
(23:46:19) hauk: and "Ima punch you in the pecker"
goluhaque
Poster
Posts: 153
Joined: Mon Apr 13, 2009 12:08 am
Location: India

