What do you want to see in HBH Version 3.0.0
We're currently working on HBH version 3.0.0, which updates and remakes all challenges on HBH! We are also changing the theme to a new one which has more of a focus on community and more information about what people are doing and what challenges they have completed.
With version 3.0.0 it will be the first time since 2004 that a real focus on the challenges and the progression through them has been looked at. We are also hoping to have our labs system online for version 3.0.0, however this is not a guarantee as the labs very much depend on funds to enable us to pay for the labs being online.
Version 3.0.0 will be the biggest update to HBH ever, and that includes the version 2.0.0 move from HBH-Fusion. However we want to know what you want to see in version 3.0.0 and what features you want, so please post below so we know what to add.
Thanks
First off- great job to you and the rest of the team. The v2 redesign and the openness/responsiveness of the administration has been just absolutely top-notch :)
That being said… challenges. You said this is a goal but I think it should be THE goal. Of course I understand if people disagree, but the challenges got me into this and I think they’re a good cornerstone.
Challenges
- Standardize flags. I shouldn't have to guess which of these arbitrarily-long strings of ascii values should be copy/pasted into the submit form. I suggest something like hbh{HASH(username || chal_secret)} when possible. Should help keep sharing of passwords to a minimum while at the same time making it easy to know when you're "done" with a challenge.
- We've talked at length about how I perceive our current challenge lineup. Every individual one should teach a user something new or expand upon a previously-taught idea in a novel way. I think they should also be organized in a more meaningful way. If the goal of a challenge is to teach (which I believe that it is), then we shouldn't be hiding their basic premises from a user. We should have an xss category and a sql injection category and a javascript (I suppose…) and a ... category. No more of this "here's a password prompt glhf lol". It is my belief that any user should be able to solve every challenge and that these should be building blocks for the realistic category (or Labs or whatever) where things actually get tested.
- This is a personal preference and maybe not something of interest more widely, but significantly increase the amount of binary exploitation related information on this site. HBH has traditionally been about mostly web-based information. I would like to fix this. I started this with my reverse engineering series (which I believe should replace the current application branch of challenges…) and intend to finish with a whole range of "pwn"/exploitation content.
- Maybe a standardized way to create new challenges. That is, supply an API that contains things like get_hbh_username or whatever and require overloaded functions like check_for_correct_answer or provide_hint or whatever. Require source code and build instructions for everything. Maybe even require tests.
Community
- Forum -> This is hard and not something I’m able to suggest too much towards HOWEVER I do know that basically the entire backlog of forum posts is pretty “useless”. Maybe fun for a “blast from the past” perspective (for me, at least!), but rarely beyond that. Maybe the admins should have a comb-through to find the diamonds, but honestly I think it’d be best to start fresh.
- Articles -> Similar. Too much chaff, too little wheat. Cut it or cull it.
- Code Bank -> Cold garbage. Cut it.
- Blog -> Just staff announcements. More on this below.
- How to deal with discord communications vs site communications. Maybe the forum isn’t necessary at all anymore? Maybe the shoutbox is obsolete? Maybe “sorry, you should ask that in the forum” is something that should be seen more often in discord? I don’t have an answer.
Content
- I know the staff does this for free in their free time so these suggestions are clearly flawed, but it’s my opinion that if you want people to contribute you have to prove that this is a place worth contributing to. My hope is that good challenges will lead to good discussion about challenges will lead to good information about hacking in general. This will be a slow process. The alternative (and I think more sound) option is to “seed” this site with good information.
- Find knowledgeable people to write (monthly?) blog posts about something interesting. Maybe tie challenge releases to it. For example, I can write a series on binary exploitation and each time period can release an article and accompanying challenges. Topics could be like advanced uses for xss/sql, new common web-dev technologies, popular web back ends and how to exploit them, state-of-the-art web protections (and how to overcome/avoid/fingerprint them). Etc.
- Change the "News" column to something else. Maybe like a "Topic of the Week" or something? For example, next week is XSS WEEK where folks can drop everything xss related they find. Prominent hacks, interesting websites, fun challenges from other sites etc. Again, this will require seeding, which is clearly hard.
General Site Stuff
- You said the UI is being updated. This is good. My suggestion is to remove all (or most!) of the stuff that says “Coming Soon”. Or at least group them all together at the bottom of the sidebar or something. There’s too much to click over there and most of it leads to nothing. It’s hard to know what’s worth clicking on.
- WHAT IS THE PURPOSE OF THIS SITE? If the homepage is to be believed, it's the forum (pretty inactive), the blog (updated three times in the last year), or the Tech News (copy/pasted articles). This looks bad and also just… is bad? I don't have a solution beyond I guess just… think about it? If we want to focus on challenges, have a "these are the people completing these challenges" section or a "here's the leaderboard for who's completed the most challenges" etc.
- Feels like we’re stuck in a purgatory of sorts between “we have to keep everything that hbh was” and “here’s what we want hbh to be” and it’s… not working. If it doesn’t cost too much, just leave a mirror for the old site or something.
What I think this all boils down to is
- Focus. Focus on something and hope the rest follows. Focus on challenges and hope community builds around it. Focus on community and hope challenges get built out of it. But currently the focus seems to be on backend development (which is necessary!) and that doesn’t seem to be solving any of the challenges we’ve been seeing.
- Decide. Decide on what’s more important. Preserving the history of hbh or building something better. I’m personally a fan of mirroring the old and embracing the new.
- Content begets content. If you want people to contribute things you have to prove that it's worth their time to post. Are the challenges good and interesting? Folks can interact around them. Is there fun new information being posted semi-constantly? Folks can interact around that. Do we even want interaction?
- More people? As far as I can tell, it’s basically just you working on everything above. You can’t be doing backend fixes and frontend updates and community outreach and content creation/curation. I appreciate it’s hard to bring more people “into the fold,” but maybe finding a way to create smaller “slices” of problems that can be worked on (see challenge api above). But maybe even open sourcing portions of hbh and going from there should be the game?
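As an added example (not code from this thread or from HBH itself) of the per-user flag idea suggested above, the Python below derives a flag from the username and a per-challenge secret and checks submissions against it. It deliberately uses HMAC-SHA256 keyed with the challenge secret instead of a plain hash of username || secret, so the boundary between the two inputs is never ambiguous; the challenge ids and secret bytes are made up for the example.

```python
import hashlib
import hmac

# Constructed for this example: one server-side secret per challenge.
# In a real deployment these come from secrets.token_bytes(32) and live in
# configuration, not in the challenge source.
CHALLENGE_SECRETS = {
    "sqli-1": bytes.fromhex("8f1a4c2e9b7d3056e1f2a3b4c5d6e7f8091a2b3c4d5e6f708192a3b4c5d6e7f8"),
    "xss-1": bytes.fromhex("0011223344556677889900aabbccddeeff00112233445566778899aabbccddee"),
}

FLAG_HEX_LEN = 32  # 128 bits of the digest is plenty and keeps the flag short


def naive_flag(username: str, secret: bytes) -> str:
    """The literal HASH(username || secret) construction, kept only to show
    why a separator or HMAC is needed: the pair ("ab", b"c") and the pair
    ("a", b"bc") hash the same bytes and so produce the same flag."""
    return hashlib.sha256(username.encode() + secret).hexdigest()


def derive_flag(username: str, challenge_id: str) -> str:
    """Return the flag `username` must submit for `challenge_id`.

    HMAC keyed with the challenge secret binds the flag to the (user,
    challenge) pair: a flag copied from another account does not verify,
    and knowing one flag reveals nothing about the secret or other users'
    flags. The challenge id is mixed into the message with a NUL separator
    so the same secret reused on two challenges still yields distinct flags.
    """
    key = CHALLENGE_SECRETS[challenge_id]
    msg = f"{challenge_id}\x00{username}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"hbh{{{digest[:FLAG_HEX_LEN]}}}"


def check_flag(username: str, challenge_id: str, submitted: str) -> bool:
    """Verify a submitted flag for the logged-in user in constant time.

    Nothing per-user is stored: the expected flag is recomputed on demand,
    so rotating a challenge secret invalidates every outstanding flag for
    that challenge at once.
    """
    if challenge_id not in CHALLENGE_SECRETS:
        return False
    expected = derive_flag(username, challenge_id)
    # Tolerate copy/paste whitespace but nothing else.
    return hmac.compare_digest(expected.encode(), submitted.strip().encode())


if __name__ == "__main__":
    alice = derive_flag("alice", "sqli-1")
    print("alice's flag:", alice)
    print("alice submits own flag:", check_flag("alice", "sqli-1", alice))
    print("bob submits alice's flag:", check_flag("bob", "sqli-1", alice))
```

The check is stateless: the server only needs the per-challenge secret and the session's username, which is also what makes the scheme fit behind a site-supplied helper such as the get_hbh_username call proposed above.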
@Futility Thank you for the feedback about version 2 and the comments on the fundamental changes in how the site is run and the openness on our costs and other parts of running the site. This will only increase in time with other "company" changes coming soon.
The challenges are the main focus for version 3 as they haven't had any real focus since 2004, and not much focus during version 2 other than moving them from procedural PHP to MVC-based code and bug fixes as they were ported over.
Challenges
Standardize flags. I shouldn’t have to guess which of these arbitrarily-long strings of ascii values should be copy/pasted into the submit form. I suggest something like hbh{HASH(username || chal_secret)} when possible. Should help keep sharing of passwords to a minimum while at the same time making it easy to know when you’re “done” with a challenge.
Passwords for some of the challenges currently change as they map to the user's session to stop sharing passwords. However moving to flags is the current plan for version 3. The format of these flags hasn't been finalised but the system is built in a way where the flags and format can be changed at any point.
We’ve talked at length about how I perceive our current challenge lineup. Every individual one should teach a user something new or expand upon a previously-taught idea in a novel way. I think they should also be organized in a more meaningful way. If the goal of a challenge is to teach (which I believe that it is), then we shouldn’t be hiding their basic premises from a user. We should have xss category and a sql injection category and a javascript (I suppose…) and a … category. No more of this “here’s a password prompt glhf lol”. It is my belief that any user should be able to solve every challenge and that these should be building blocks for the realistic category (or Labs or whatever) where things actually get tested.
The goal of HBH is to teach, not just the challenges, which is why version 3 is all about the challenges. We are currently discussing this very thing internally and how progression will work. The short version is all challenges get you ready for the realistic challenges, which use everything you have learned from the other challenges and are used as the intro into the labs as they will be real systems (think back to the crash and burn event).
This is a personal preference and maybe not something of interest more widely, but significantly increase the amount of binary exploitation related information on this site. HBH has traditionally been about mostly web-based information. I would like to fix this. I started this with my reverse engineering series (which I believe should replace the current application branch of challenges…) and intend to finish with a a whole range of “pwn”/exploitation content.
This is something that we have spoken about and are happy to have.
Maybe a standardized way to create new challenges. That is, supply and API that contains things like get_hbh_username or whatever and require overloaded functions like check_for_correct_answer or provide_hint or whatever. Require source code and build instructions for everything. Maybe even require tests.
This is something that we already have in place for version 2 as this was done to help move the challenges over from HBH-Fusion. The plan here is to publish one of the production challenges to show how they work and have our documentation page enabled publicly to describe how to build a challenge for use in the site. We will also list all the functions that are available to use and what they do.
Community
Forum -> This is hard and not something I’m able to suggest too much towards HOWEVER I do know that basically the entire backlog of forum posts is pretty “useless”. Maybe fun for a “blast from the past” perspective (for me, at least!), but rarely beyond that. Maybe the admins should have a comb-through to find the diamonds, but honestly I think it’d be best to start fresh.
The forum is very basic in its function currently, however plans for more functions such as polls are all on the roadmap for version 3. The content in the forum needs heavy moderation to fix the damage done over the years by just locking threads and killing constructive threads that went against the site's best interest. This is a complex issue but with more time from the mods this can be cleaned up and more activity should make it better.
Articles -> Similar. Too much chaff, too little wheat. Cut it or cull it.
The articles are due to be edited to move them over to markdown and articles will be removed during this. There are also changes to the article system so child articles are linked from the parent. The best example for this is the Wifi articles, so you finish part one and there's a link to part 2.
Code Bank -> Cold garbage. Cut it.
Currently being discussed internally what to do with it.
Blog -> Just staff announcements. More on this below.
The blog is used mainly for announcements currently, however we have a backlog of posts about the migration to version 2 and infrastructure posts on how we manage and build HBH and how the labs work. So the content here will get better.
How to deal with discord communications vs site communications. Maybe the forum isn’t necessary at all anymore? Maybe the shoutbox is obsolete? Maybe “sorry, you should ask that in the forum” is something that should be seen more often in discord? I don’t have an answer.
I think the forum is still needed personally but again this is something we are speaking about internally as it's not a simple issue.
Content
I know the staff does this for free in their free time so these suggestions are clearly flawed, but it’s my opinion that if you want people to contribute you have to prove that this is a place worth contributing to. My hope is that good challenges will lead to good discussion about challenges will lead to good information about hacking in general. This will be a slow process. The alternative (and I think more sound) option is to “seed” this site with good information.
This is the general idea behind the focus on challenges in version 3, to bring in more community interactions. Based on numbers from our stats the site is busier month on month but the site lacks interaction with the people online.
Find knowledgeable people to write (monthly?) blog posts about something interesting. Maybe tie challenge releases to it. For example, I can write a series on binary exploitation and each time period can release an article and accompanying challenges. Topics could be like advanced uses for xss/sql, new common web-dev technologies, popular web back ends and how to exploit them, state-of-the-art web protections (and how to overcome/avoid/fingerprint them). Etc.
This idea is currently the plan for new challenges in version 3: have a set of articles or forum posts on the idea behind the new challenge, then publish the new challenge.
Change the “News” column to something else. Maybe like a “Topic of the Week” or something? For example, next week in XSS WEEK where folks can drop everything xss related they find. Prominent hacks, interesting websites, fun challenges from other sites etc. Again, this will require seeding, which is clearly hard.
The news is being removed in version 3 and the "home" page will have heavy changes to feed more community interactions hopefully. I think the version 3 home page will be better than the current one, however I expect it to change heavily once it's public and we get more feedback from the community.
General Site Stuff
You said the UI is being updated. This is good. My suggestion is to remove all (or most!) of the stuff that says “Coming Soon”. Or at least group them all together at the bottom of the sidebar or something. There’s too much to click over there and most of it leads to nothing. It’s hard to know what’s worth clicking on.
Most of the coming soon pages are features that are in place and can be public but have been left off behind feature flags and will become active in version 3. So with version 3 this should be resolved.
WHAT IS THE PURPOSE OF THIS SITE? If the homepage is to be believed, it’s the forum (pretty inactive), the blog (updated three times in the last year), or the Tech News (copy/pasted articles). This looks bad and also just… is bad? I don’t have a solution beyond I guess just… think about it? If we want to focus on challenges, have a “these are the people completing this challenges” section or a “here’s the leaderboard for who’s completed the most challenges” etc. Feels like we’re stuck in a purgatory of sorts between “we have to keep everything that hbh was” and “here’s what we want hbh to be” and it’s… not working. If it doesn’t cost too much, just leave a mirror for the old site or something.
The purpose of the site, and fundamentally the company behind it, is teaching. The home page hasn't been updated since it was built 2/3 years ago, really due to lack of time while working on everything else and not really much changing with features and the other stats on that page. A new home page will be done for version 3 which will match the new theme and style of the site.
What I think this all boils down to is Focus on something and hope the rest follows. Focus on challenges and hope community builds around it. Focus on community and hope challenges get built out of it. But currently the focus seems to be on backend development (which is necessary!) and that doesn't seem to be solving any of the challenges we've been seeing. Decide on what's more important. Preserving the history of hbh or building something better. I'm personally a fan of mirroring the old and embracing the new. Content begets content. If you want people to contribute things you have to prove that it's worth their time to post. Are the challenges good and interesting? Folks can interact around them. Is there fun new information being posted semi-constantly? Folks can interact around that. Do we even want interaction? More people? As far as I can tell, it's basically just you working on everything above. You can't be doing backend fixes and frontend updates and community outreach and content creation/curation. I appreciate it's hard to bring more people "into the fold," but maybe finding a way to create smaller "slices" of problems that can be worked on (see challenge api above). But maybe even open sourcing portions of hbh and going from there should be the game?
The main issue here is lack of time from people, myself included with the nearly 6 months I had off last year after surgery, and that's what really kills the momentum. We had the crash and burn event 5 - 15 years ago and had built the labs systems within months of that event, but then all staff got very busy with our jobs, families and the death of loved ones. If we had stayed the course we would have been one of the first sites to offer real systems to test the skills you have learnt. This same lack of time has always been HBH's biggest problem.
We will be looking for more staff once version 3 is out using the Staff Applications page, which will be like a job posting page where we list the role we are looking for and people can apply. Of course none of the staff roles at HBH are currently paid or have ever been paid, but the hope is that in the end we can have paid staff so that momentum isn't lost. I can't say much about the company stuff currently as we're still working on it, however I can say that with the type of company that is planned I as the owner will never take a pay check from the site as it's not something I'm interested in and under UK law I'm not allowed to, but we can pay other staff.
Version 2 was needed to ensure the site stayed online as running HBH-Fusion was becoming more and more complex and time consuming to keep online, and any real edits to the code broke most of the site. Version 2 was the correct move for HBH to give us a solid base to keep building on. Version 3 will give the challenges a real purpose and we will stick to the tagline for HBH, "Learn how hackers break in, and how to keep them out", which we tried to do in version 2 with the complete challenge page giving an explanation of how and why the challenge is important, and linking to more resources like articles and forum posts on the challenge.
Please keep the ideas coming!
Actual footage of Futility hitting the nails on the head.
A couple of points I’d like to reiterate.
As a casual user / hacking enthusiast of the site and probably more the target user, I’d just love to see interactions with challenges. Sounds like it’s in the pipeline, can’t wait.
I agree about the challenges and structure. I mean, is the goal to teach someone to swim or throw them off the deep end? I'm not the sharpest tool in the toolbox and never really understood SQL injection until I started writing my own SQL statements. Maybe we should have some intermediate steps before being shown a blank textbox for a blind attack that might be SQL. You can always say (and users always have here) "Go learn and come back and try when you have a better understanding." But to think people are going to come back after learning somewhere else is likely the problem we are trying to solve here. Just some thoughts on that.
I agree about the forums. Cut the old stuff. I think it hurts the site more than helps it. It’s all out of order and gives a better insight into the 14 year old mind than anything about computers. Same with the code base, there isn’t anything of value there. Nothing that stack overflow doesn’t have. Or in a couple of years AI can’t write.
I think there is still a place for forums however. That promotes community and gives the site an alive feel over static.
That said, I think the work the staff have so far put into the site has been really something special. Really looking forward to v3.