hackthissite.org

Dear wechall users
I think right now wechall has a lot of quality participating sites, but there are more good sites out there as well. For example, it will be good, if hackthissite.org would join us. Their userbase is ~350000 right now, and they have some very good challenges as well (I've found the realistic challenges very nice). I've made a post on the hackthissite forum about joining us, but it looks like not many people have replied yet (exactly 0). So if you are registered on hackthissite, have some points and you will be happy to see hackthissite on wechall, then please leave a reply for my post like "Yeah, it will be great if hackthissite coud join wechall" or something like that. Don't forget, that wechall is kinda "open source community", the more people help wechall, the better it will be.

The forum:
http://www.hackthissite.org/forums/viewtopic.php?f=9&t=1837

Thanks for your help.
Z

[Gizmore]fixed the link

Yes, you are right...there is still a lots of good sites including hackthissite (I'll try to say something nice).Did you contact someone from enigmagroup.org,zeroidentity.org and hackits.de?

Axel from hackits.de told me that they plan to join us in hackits version 4, but there is no plan when will they do that. I haven't contacted the other sites yet, but if you know the admins there, please feel free to contact them and show them http://www.wechall.net/join.php as well, and notify us about their reply. Thanks in advance

Hi: this is "comperr" from HTS.
This will be the only official reply you get from HTS on these forums.
For now on all communications from HTS will come from comperr@hackthissite.org
</end official reply>
<personal>
I had something long typed out here but I clicked on the wrong reply button.
Your user interface needs some fixing: http://www.useit.com/ --> fix it.

So does that mean HTS will not be joining WeChall??

Still a "personal" reply:
Currently it seems that it is likely that we will join. However this has to be a unanimous decision on our part.
As a side point: is support@wechall.net the correct email address?

yes, support@wechall.net is our main contact address.
I think many users here would be glad if more "quality sites" join.
Especially a well known english site is very welcome !

I am aware of some "evil buttons" shown in the bad UserInterface.
Hopefully i find the time to upload a better wechall soon.

Greetings
Gizmore

I sent an email

Quote from My

We would like to join - however we do have some issues that need to be worked out.
1) The API required to verify users is insecure. It can easily be used to brute force email addresses. It is likely that we will need to work out some other more secure API.
2) We do not allow users to post the answers to missions on our site or on affiliated sites. While we are aware that several sites do provide step by step answers to our missions this is not something we condone. WeChall must not allow answers to HTS missions to be posted on their forums
3) We get a lot of traffic - far more than any of the sites you presently have listed. Assuming we use the auto updating script this is something you will need to be aware of.
4) Your site must be able to deal with users whose points is greater than the max. This happens mostly when a) users get hall of fame entries, write articles, or such b) staff complete beta missions.
5) Our challenges require you to log in.
6) How are decisions made with regard to major WeChall changes?
7) (personal note) The notice you posted on our forums was (correctly) marked as spam by our mods. I happened to see it in the logs. I would suggest that you try something else to advertise ;)

I am sorry for the long delay but i finally replied to the mail.
Hopefully most questions are cleared.

As question 1) might be interesting for other users as well, i will post my answer to that question here, too.

Quote from Xmen

1) The API required to verify users is insecure. It can easily be used to brute force email addresses. It is likely that we will need to work out some other more secure API.

The current API should expose no security threat.
You can not link other people accounts by guessing their email address. The linking has to be confirmed via email.
The only thing you could do is guess username/email pairs to reveal someones identity.
The validation URL is kept secret, and you can use any name for script and get vars on HTS.

In summary i have to admit that Xmen and hackthissite.org are right:

It is possibly easy to disclose private information using the validation script.

Thank you for pointing that out and harden privacy a bit

We respect privacy and will introduce an authentication key to prevent abuse of the scripts.
The site administrators will be able to see their key and change URLs in the site administration page.
It is recommended to make use of the authkey or other techniques to prevent abuse.

The changes will be up around this weekend and we are sorry for any inconvinence caused.

Greetings
Gizmore