

4chan hacker discusses the manipulation of the Time poll - mcantelon
http://musicmachinery.com/2009/04/15/inside-the-precision-hack/

======
joshsharp
I was surprised to read how easy it was to game... at the heart of the success
seems to be a real lack of quality coding on Time's behalf.

~~~
extension
Fair internet voting is generally an unsolvable problem, unless you have a
voting list from a more reliable source and you can authenticate people on
that list. Despite best practices, any high profile "best person in the world"
poll has a pretty good chance of being won by moot/Lowtax/gimmick-meme-of-the-
day.

~~~
coopr
Indeed Switzerland seems to think that fair internet voting is possible -
<http://www.geneve.ch/evoting/english/presentation_projet.asp> and
<http://www.cbsnews.com/stories/2004/09/25/world/main645615.shtml>
describe how they've experimented with it in national elections.

~~~
moss
But a big part of the system described there is about authenticating people as
being registered voters, which is what extension said the prerequisite was for
fair internet voting.

------
noodle
I have to admit, gaming the poll is kind of silly, but this is a pretty
interesting recap of the process.

~~~
ja27
I'm always amazed by what lengths random people will go to hack software. Half
my developers don't even understand SQL injection attacks. There's not one of
them that really understands buffer overflows. So what chance do I have of
getting a secure product out?

Those sorts of things really should be part of every programmer's education.

~~~
mattmcknight
This seems far simpler than SQL Injection or Buffer Overflow attacks. Why
doesn't Time require some kind of registration? They could use registered
users as a basis for, dare I say, "Web 2.0" features.

~~~
potatolicious
Registration instantly kills participation. This is a poll, not a transaction,
or a subscription, or anything complicated like that - there's no reason to
make it so.

A captcha would have worked nicely - hassle free, commitment free (remember,
most of your visitors will flee for the hills as soon as you present a
registration), and tough enough to crack that most people wouldn't even try.
Even if you had a script that farmed captchas all day to manual labour the
effect is still relatively small.

------
entelarust
At it again: Website users create internet script in attempt to reach
1,000,000 followers first <http://www.bnonews.com/news/261.html>

------
neilo
Time used GET to execute the vote script? Initially someone could have set an
IMG SRC to the desired URL, right? That's just nuts, you wouldn't even have to
click a link at that point.

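The failure neilo describes is that a vote endpoint driven by a plain GET can be triggered by any page that embeds the URL in an image tag. The following is an added example, not code from the article or from Time's site, of how a vote handler can refuse that: reject non-POST methods, check the request's Origin against an allow-list, and require a session-bound CSRF token. The `poll.example` origin, the session id and the `handle_vote` signature are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

# Constructed per-deployment server secret (would be loaded from config in
# practice). Tokens are an HMAC over the session id, so a token stolen from
# one session is useless for another.
SERVER_SECRET = secrets.token_bytes(32)

# Assumed origin of the poll page; requests from anywhere else are rejected.
ALLOWED_ORIGINS = {"https://poll.example"}


def issue_csrf_token(session_id: str) -> str:
    """Token embedded in the poll form for this session."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, token: str) -> bool:
    # Constant-time compare so token checking does not leak timing.
    return hmac.compare_digest(issue_csrf_token(session_id), token)


def handle_vote(method: str, headers: dict, form: dict, session_id: str):
    """Return (status, reason) for a vote request.

    method/headers/form stand in for whatever the web framework provides;
    session_id is the authenticated session the request arrived with.
    """
    # 1. A state change must never be reachable via GET: an <img src=...>
    #    or a bare link would otherwise cast a vote for whoever loads the page.
    if method.upper() != "POST":
        return 405, "vote must be submitted with POST"

    # 2. Origin (falling back to Referer) must be the poll site itself.
    origin = headers.get("Origin") or headers.get("Referer")
    if not origin:
        return 403, "missing Origin/Referer"
    parsed = urlparse(origin)
    if f"{parsed.scheme}://{parsed.netloc}" not in ALLOWED_ORIGINS:
        return 403, "cross-site request rejected"

    # 3. The form must carry the token issued to this session.
    token = form.get("csrf_token", "")
    if not token or not verify_csrf_token(session_id, token):
        return 403, "invalid CSRF token"

    candidate = form.get("candidate")
    if not candidate:
        return 400, "no candidate supplied"
    return 200, f"vote recorded for {candidate}"


if __name__ == "__main__":
    sid = "constructed-session-1"
    tok = issue_csrf_token(sid)
    print(handle_vote("GET", {}, {"candidate": "moot"}, sid))
    print(handle_vote("POST", {"Origin": "https://poll.example"},
                      {"candidate": "moot", "csrf_token": tok}, sid))
```

The GET rejection alone defeats the image-tag trick; the origin check and the session-bound token close the remaining cross-site form-post route.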
------
robryan
They could just captcha the poll, it's not like they really need the random
votes of people too lazy to fill it out in the first place.

Seems like IP authentication is useless now because of the amount of proxies
available to people.

------
Confusion
At the end, it appears the author doesn't really get it. He thinks there was
luck involved:

 _Ultimately, this hack involved [..] and a little bit of luck. Someone
figured out the voting URL protocol. [..] and a member discovered the ’salt’_

There is no luck involved in figuring out the 'protocol' and discovering this
kind of 'salt'.

~~~
dhs
I believe that "luck" alludes to one of them finding out that voters using an
IPv6 address wouldn't be blocked (IPv4 sites got blocked if they voted for the
same candidate more often than once every 13 seconds).

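The rate limit dhs describes (one vote per candidate per address every 13 seconds) keys on the exact source address, which is why addresses that were not covered, or a supply of fresh addresses, slipped past it. Below is an added example, not code from the article, of a per-candidate vote rate limiter that keys IPv4 on the address and IPv6 on the /64 prefix, so that one host cycling through addresses in its own subnet counts as one voter. The 13-second interval comes from the comment; the class name, the `ipv6_prefix` parameter, the timestamps and the 2001:db8:: sample addresses are constructed for illustration.

```python
import ipaddress

MIN_INTERVAL_SECONDS = 13.0  # interval quoted in the thread


class VoteRateLimiter:
    """Allow at most one vote per (voter key, candidate) per min_interval.

    ipv6_prefix=None reproduces the naive exact-address keying; an integer
    collapses IPv6 sources to that prefix length before keying.
    """

    def __init__(self, min_interval=MIN_INTERVAL_SECONDS, ipv6_prefix=64):
        self.min_interval = min_interval
        self.ipv6_prefix = ipv6_prefix
        self._last_vote = {}  # (voter_key, candidate) -> last accepted time

    def key_for(self, ip_str: str) -> str:
        ip = ipaddress.ip_address(ip_str)
        if ip.version == 4 or self.ipv6_prefix is None:
            return str(ip)
        # A single IPv6 host normally holds a whole /64, so treat the
        # prefix, not the full 128-bit address, as the voter identity.
        net = ipaddress.ip_network(f"{ip}/{self.ipv6_prefix}", strict=False)
        return str(net)

    def allow(self, ip_str: str, candidate: str, now: float) -> bool:
        """Return True and record the vote if it is outside the interval."""
        key = (self.key_for(ip_str), candidate)
        last = self._last_vote.get(key)
        if last is not None and now - last < self.min_interval:
            return False
        self._last_vote[key] = now
        return True


# Constructed sample: five addresses from one /64, all submitted at t=0.
SAME_SUBNET_V6 = [f"2001:db8:0:0::{i}" for i in range(1, 6)]


def simulate(limiter: VoteRateLimiter, addresses, candidate: str, now=0.0) -> int:
    """Number of votes the limiter accepts from a burst of addresses."""
    return sum(1 for a in addresses if limiter.allow(a, candidate, now))


if __name__ == "__main__":
    print("exact-address keying accepts:",
          simulate(VoteRateLimiter(ipv6_prefix=None), SAME_SUBNET_V6, "moot"))
    print("/64 keying accepts:",
          simulate(VoteRateLimiter(), SAME_SUBNET_V6, "moot"))
```

Prefix keying only raises the cost for a single host; as robryan notes above, address-based limits still say nothing about proxies, so a limiter like this belongs alongside a captcha or session check rather than in place of one.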
------
anticucho
I really enjoyed reading this article. Zero Cool would be proud.

