4chan hacker discusses the manipulation of the Time poll (musicmachinery.com)
120 points by mcantelon on April 16, 2009 | hide | past | favorite | 29 comments


I was surprised to read how easy it was to game... at the heart of the success seems to be a real lack of quality coding on Time's behalf.


Fair internet voting is generally an unsolvable problem, unless you have a voting list from a more reliable source and you can authenticate people on that list. Despite best practices, any high profile "best person in the world" poll has a pretty good chance of being won by moot/Lowtax/gimmick-meme-of-the-day.


Indeed, Switzerland seems to think that fair internet voting is possible - http://www.geneve.ch/evoting/english/presentation_projet.asp and http://www.cbsnews.com/stories/2004/09/25/world/main645615.s... describe how they've experimented with it in national elections.


But a big part of the system described there is about authenticating people as being registered voters, which is what extension said the prerequisite was for fair internet voting.


Best answer is probably just to use Facebook Connect- they're already pouring money into CS reps whose job it is to take down fake accounts. Blocks out people who aren't on Facebook, but it's a simple solution to something that can otherwise be a huge timesink.


How much of CNN's viewer base is Facebook-connected? The point of this sort of polling is to drive traffic - this ain't gonna happen if most of the people can't vote without going through a big signup for a service they don't want.


Quite surprising, since Time's poll has historically been a target of similar attacks.


Looks like they are still using the same codebase that was gamed before. http://news.ycombinator.com/item?id=27475


What could they have done to prevent this?


Several (flawed) things: limit voting by IP, mail confirmation, but I think a captcha would be the best trade-off between inconvenience for the user and blocking bots.


Captcha makes it harder, but it doesn't block bots. You can use Python's sphinx library (the voice one) to turn those mp3s back into the original text, then use mechanize or windmill or whatever to re-enter it.


Choosing a new salt that isn't easily obtainable in a flash applet would certainly help :)


I have to admit, gaming the poll is kind of silly, but this is a pretty interesting recap of the process.


I'm always amazed by what lengths random people will go to hack software. Half my developers don't even understand SQL injection attacks. There's not one of them that really understands buffer overflows. So what chance do I have of getting a secure product out?

Those sorts of things really should be part of every programmer's education.


They were in mine. In fact, we had a whole class and (private, disconnected, secure) lab devoted to them. It covered everything from the basics (buffer overflow, SQL injection) to more interesting stuff (analyzing/creating/decompiling viruses). It was my favorite class. Good times.

I was thoroughly surprised when I started working in the "real world" and no one had any clue about what I thought were basic security practices.


CPSC 420? Sounds like a good class.


This seems far simpler than SQL injection or buffer overflow attacks. Why doesn't Time require some kind of registration? They could use registered users as a basis for, dare I say, "Web 2.0" features.


Registration instantly kills participation. This is a poll, not a transaction, or a subscription, or anything complicated like that - there's no reason to make it so.

A captcha would have worked nicely - hassle free, commitment free (remember, most of your visitors will flee for the hills as soon as you present a registration), and tough enough to crack that most people wouldn't even try. Even if you had a script that farmed captchas all day to manual labour the effect is still relatively small.


It's similar to a really easy-to-perform SQL injection.


So...where do you work?

:)


4chan is basically the definition of silly.


4chan, overall, might be silly, but /b/ is trolling elevated to an art form. Absolutely the most depraved and nihilistic of all the internet, so much so that it becomes something beautiful. /b/ is the works of the Marquis de Sade, John Waters, Roger Corman, Banksy, Courtney Love and Dead Kennedys all rolled into one. (Also, throw in Kant and Hegel for good measure, because /b/ operates under its own dialectic.)

It's the low points of humanity pursued with ecclesiastical rigor. /b/ will fuck you over in every possible way, for no reason, and you will get up whipping your bloody nose knowing you have made someone else's lulz possible. And what pleasure!


I think Xoxohth/Autoadmit (a law school admissions forum that is actually about 20 trolls using 800 user names to "flame" each other) is more artsy than /b/, though it doesn't have quite as much force. XO has resulted in lawsuits, and it has also brought to trolling the "heroic women" and "guys at my high school" memes, the WGWAG acronym, whokebe and the word "pwnsive" (a corruption of "pensive").


At it again: Website users create internet script in attempt to reach 1,000,000 followers first http://www.bnonews.com/news/261.html


Time used GET to execute the vote script? Initially someone could have set an IMG SRC to the desired URL, right? That's just nuts, you wouldn't even have to click a link at that point
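
As an added illustration of the point in the comment above (example code written for this page, not Time's code and not from the thread): a toy vote endpoint in both shapes. The GET form counts a vote for whatever query string arrives, so an image tag on any third-party page fires it; the POST form refuses non-POST requests, checks the browser-supplied Origin header, and requires a per-session token that a third-party page cannot read. Requests are plain dicts standing in for a real framework's request object; the poll origin https://poll.example, the session ids and all the function names are assumptions.

```python
import hashlib
import hmac
import secrets

# Server-only key; never shipped to the browser. Constructed for this example.
SERVER_KEY = secrets.token_bytes(32)
POLL_ORIGIN = "https://poll.example"   # assumed origin of the poll page

tally = {}


def _record(candidate):
    tally[candidate] = tally.get(candidate, 0) + 1


def vote_get(request):
    """Weak design: a GET with the right query string is a vote.
    <img src="https://poll.example/vote?id=moot&rating=100"> on any page,
    or a bare script in a loop, fires this without anyone clicking."""
    _record(request["query"]["id"])
    return "200 ok"


def csrf_token(session_id):
    """Per-session token derived from the server-only key; embedded in the
    poll form and echoed back in the POST. A third-party page cannot read it."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def vote_post(request):
    """Hardened handler: state changes only on POST, only from the poll's own
    origin, and only with a token that matches the caller's session."""
    if request["method"] != "POST":
        return "405 method not allowed"
    if request["headers"].get("Origin") != POLL_ORIGIN:
        return "403 bad origin"
    expected = csrf_token(request["session_id"])
    supplied = request["form"].get("csrf", "")
    if not hmac.compare_digest(expected, supplied):
        return "403 bad token"
    _record(request["form"]["id"])
    return "200 ok"


def make_request(method, *, session_id, origin, form=None, query=None):
    """Build the plain-dict request objects used above (a stand-in for a
    real framework's request; constructed for this example)."""
    return {
        "method": method,
        "session_id": session_id,
        "headers": {"Origin": origin} if origin else {},
        "form": form or {},
        "query": query or {},
    }


if __name__ == "__main__":
    # 1. Cross-site image tag: counts against the GET endpoint.
    print(vote_get(make_request("GET", session_id="victim", origin=None,
                                query={"id": "moot", "rating": "100"})))
    # 2. The same trick against the POST endpoint fails three separate checks.
    print(vote_post(make_request("GET", session_id="victim", origin=None,
                                 query={"id": "moot", "rating": "100"})))
    print(vote_post(make_request("POST", session_id="victim",
                                 origin="https://evil.example",
                                 form={"id": "moot", "csrf": "guess"})))
    print(vote_post(make_request("POST", session_id="victim", origin=POLL_ORIGIN,
                                 form={"id": "moot", "csrf": "guess"})))
    # 3. A real submission from the poll page, carrying its own token, works.
    print(vote_post(make_request("POST", session_id="victim", origin=POLL_ORIGIN,
                                 form={"id": "moot", "csrf": csrf_token("victim")})))
    print(tally)
```

The token is the primary defence; the Origin check is a cheap second layer, since browsers attach Origin to cross-site POSTs but some older ones omit it on same-origin requests, so a production handler may want to accept a missing header only when the token also verifies. Neither check stops a script that simply fetches the poll page, reads its own token and posts; that is the rate-limit/captcha problem discussed elsewhere in the thread, not the cross-site one.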


They could just captcha the poll; it's not like they really need the random votes of people too lazy to fill it out in the first place.

Seems like IP authentication is useless now because of the number of proxies available to people.


At the end, it appears the author doesn't really get it. He thinks there was luck involved:

Ultimately, this hack involved [..] and a little bit of luck. Someone figured out the voting URL protocol. [..] and a member discovered the ’salt’

There is no luck involved in figuring out the 'protocol' and discovering this kind of 'salt'.
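
As an added illustration of the "salt" point raised in this comment and in the earlier remark about a salt being easy to obtain from a Flash applet (example code written for this page, not Time's code and not a description of their actual scheme): any value the applet needs in order to build a valid vote URL is, by construction, in the hands of every user. The weak scheme below (an md5 over the vote fields plus a fixed salt, sent as a key parameter) is an assumption chosen to show the shape of the problem; the applet blob, the salt value, the candidate names and all function names are constructed. The hardened half moves the secret to the server, which issues each ballot itself.

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-in for the value the applet embeds. Because it ships in
# the .swf, every user has it; it is configuration, not a secret.
CLIENT_SALT = "constructed-salt-2009"


def client_key(candidate, rating, salt=CLIENT_SALT):
    """What the applet computes (assumed scheme: md5 over the vote fields and
    the salt, sent along as a 'key' parameter)."""
    return hashlib.md5(f"{candidate}:{rating}:{salt}".encode()).hexdigest()


def server_accepts_weak(candidate, rating, key):
    """Server side of the weak scheme: proves only that the sender knows the
    salt, which every copy of the applet does."""
    return hmac.compare_digest(client_key(candidate, rating), key)


# Constructed stand-in for a decompiled applet: the salt sits in the string
# table next to the vote URL template.
FAKE_SWF = (b"FWS\x0a\x00\x00\x00\x00"
            b"voteURL=/poll/vote?id=&rating=&key=\x00"
            b"salt=" + CLIENT_SALT.encode() + b"\x00"
            b"submit\x00")


def extract_salt(blob, marker=b"salt="):
    """The 'discovery' step: find the salt in the applet's string table.
    No luck needed once the applet is on disk."""
    start = blob.find(marker)
    if start < 0:
        return None
    start += len(marker)
    end = blob.find(b"\x00", start)
    return blob[start:end if end >= 0 else None].decode()


def forged_vote(candidate, rating, salt):
    """With the salt in hand the attacker mints valid keys for any vote."""
    return {"id": candidate, "rating": rating,
            "key": client_key(candidate, rating, salt)}


# Hardened alternative: the server issues each ballot itself, keyed with a
# secret that never leaves the server, time-limited and single-use.
SERVER_KEY = secrets.token_bytes(32)   # constructed; server-only
_outstanding = set()


def issue_ballot(now=None):
    nonce = secrets.token_hex(8)
    ts = int(time.time() if now is None else now)
    mac = hmac.new(SERVER_KEY, f"{nonce}:{ts}".encode(), hashlib.sha256).hexdigest()
    _outstanding.add(nonce)
    return f"{nonce}:{ts}:{mac}"


def server_accepts_hardened(ballot, now=None, ttl=300):
    try:
        nonce, ts, mac = ballot.split(":")
        ts = int(ts)
    except ValueError:
        return False
    expected = hmac.new(SERVER_KEY, f"{nonce}:{ts}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return False                       # forged or tampered
    if (time.time() if now is None else now) - ts > ttl:
        return False                       # stale
    if nonce not in _outstanding:
        return False                       # never issued, or already spent
    _outstanding.discard(nonce)            # single use
    return True


if __name__ == "__main__":
    salt = extract_salt(FAKE_SWF)
    vote = forged_vote("moot", 100, salt)
    print("forged vote accepted by weak server:",
          server_accepts_weak(vote["id"], vote["rating"], vote["key"]))
    ballot = issue_ballot()
    print("issued ballot accepted once:", server_accepts_hardened(ballot))
    print("replayed ballot accepted:", server_accepts_hardened(ballot))
```

The hardened form does not by itself stop a script that fetches a fresh ballot for every vote; what it does is make the server the only place ballots come from, so the throttle or captcha that decides how many ballots a client may have actually binds. Changing the salt, as the earlier comment suggests, only restarts the clock until the next decompile.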


I believe that "luck" alludes to one of them finding out that voters using an IPv6 address wouldn't be blocked (IPv4 sites got blocked if they voted for the same candidate more often than once every 13 seconds).
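
As an added illustration of the IPv6 point in the comment above (example code written for this page, not Time's code): a per-client throttle that only understands dotted-quad addresses behaves exactly as described, throttling IPv4 voters to one vote per candidate per 13 seconds while letting every IPv6 voter straight through. The second class keys on a parsed address instead, folds IPv4-mapped IPv6 back to the IPv4 address, and throttles native IPv6 by its /64, since one host typically controls a whole /64 and can rotate through addresses inside it. The 13-second window comes from the thread; the class names, the /64 choice and the sample addresses are assumptions.

```python
import ipaddress
import re

WINDOW = 13  # seconds between votes for the same candidate from one client

_V4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


class NaiveThrottle:
    """Only understands IPv4; anything else is never throttled (the bug)."""

    def __init__(self):
        self.last = {}

    def allow(self, ip, candidate, now):
        if not _V4.match(ip):
            return True                   # an IPv6 address falls straight through
        key = (ip, candidate)
        if now - self.last.get(key, float("-inf")) < WINDOW:
            return False
        self.last[key] = now
        return True


class PrefixThrottle:
    """Keys on the parsed address; native IPv6 is throttled per /64."""

    def __init__(self, v6_prefix=64):
        self.last = {}
        self.v6_prefix = v6_prefix

    def client_key(self, ip):
        addr = ipaddress.ip_address(ip)     # raises ValueError on junk input
        if addr.version == 6:
            if addr.ipv4_mapped is not None:
                return str(addr.ipv4_mapped)   # ::ffff:a.b.c.d is an IPv4 client
            net = ipaddress.IPv6Network((int(addr), self.v6_prefix), strict=False)
            return str(net)
        return str(addr)

    def allow(self, ip, candidate, now):
        key = (self.client_key(ip), candidate)
        if now - self.last.get(key, float("-inf")) < WINDOW:
            return False
        self.last[key] = now
        return True


if __name__ == "__main__":
    naive, fixed = NaiveThrottle(), PrefixThrottle()
    # Constructed sample traffic: one client rotating through its /64 every second.
    burst = [f"2001:db8::{i:x}" for i in range(1, 6)]
    print("naive lets through:", sum(naive.allow(a, "moot", t) for t, a in enumerate(burst)))
    print("fixed lets through:", sum(fixed.allow(a, "moot", t) for t, a in enumerate(burst)))
```

A /64 is a reasonable default for residential and VPS assignments, but some providers hand out /48s or /56s and some put many customers behind one /64, so in practice the prefix length is a tuning knob, and proxies (as the comment below notes) defeat any purely address-based scheme anyway.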


I really enjoyed reading this article. Zero Cool would be proud.



