How 4chan hacked ReCAPTCHA to win the TIME 100 Poll - mariorz
http://musicmachinery.com/2009/04/27/moot-wins-time-inc-loses/

======
albertsun
While I don't doubt that TIME's poll security team (if it existed) was more
than overmatched, how could a website defend the integrity of their online
poll against such an attack?

Or is running an effective online poll truly hopeless?

~~~
palish
Why not only allow one vote per IP? It would be possible to spoof your IP, but
still, could all of the manual 4chan voters spoof their IPs for every vote?

~~~
hachiya
They could use a proxy to "spoof" their IP. But there is no known way they
could use IP spoofing to use any old IP address, as the voting app runs via
HTTP, which runs over TCP, which requires a full connection, and the known
spoofing attacks on TCP are blind, e.g. you can send but not receive data. So
HTTP would not work over blind TCP spoofing.

I think that if one vote, or any small number of votes were allowed per IP,
the attack would have been much more difficult, as there simply are not tens
of thousands of readily available proxies, unless these people have access to
a big botnet.

A downside to one vote per IP is that AOL and some organizations place their
outgoing web traffic behind one or a small pool of IP addresses. So these
users wouldn't have been able to vote.

~~~
eru
> A downside to one vote per IP is that AOL and some organizations place their
> outgoing web traffic behind one or a small pool of IP addresses. So these
> users wouldn't have been able to vote.

That would not have been such a big problem. But be sure to play 'dead man'
and maintain the illusion that every vote counts.

E.g. here on Hacker News, after you click on the vote arrows, JavaScript
manipulates the counts accordingly, but did you ever check whether your vote
has had any effect on the "true" counts on the server? (Of course at Hacker
News it has, because PG is not evil.)

Even more devious would be accepting the unwelcome votes, but also reversing
each one of them after a random time has passed. This way the attackers get
the illusion that their attacks succeed, but are fought back (or drowned
out in counter-votes from real people) only a few hours later.

~~~
lacker
Sometimes your vote does not have an effect on the "true" count on the server.
For example, try voting every comment on a page down, and then reload to see
the real counts. This isn't "evil" per se.
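A constructed illustration, added here and not code from TIME or from any commenter, of the ideas in the replies above: hachiya's small per-IP allowance, eru's "every vote appears to count" display with delayed reversal of surplus votes, and lacker's point that the displayed count and the server's true count can differ. The class and parameter names (PollTally, per_ip_limit) and the one-to-six-hour reversal window are assumptions.

```python
import random
from collections import defaultdict


class PollTally:
    """Keeps two tallies: what the page shows and what actually decides the poll."""

    def __init__(self, per_ip_limit=3, seed=None):
        # A small allowance (not exactly one) tolerates shared egress IPs
        # such as the AOL-style proxy pools mentioned in the thread.
        self.per_ip_limit = per_ip_limit
        self.rng = random.Random(seed)       # seeded only for reproducible tests
        self.displayed = defaultdict(int)    # optimistic count shown to voters
        self.true = defaultdict(int)         # enforced count used for the result
        self.votes_from_ip = defaultdict(int)
        self.pending_reversals = []          # (due_time_seconds, candidate)

    def vote(self, ip, candidate, now):
        """Record a vote at time `now` (seconds); returns how it was treated."""
        self.displayed[candidate] += 1       # every vote looks like it counted
        self.votes_from_ip[ip] += 1
        if self.votes_from_ip[ip] <= self.per_ip_limit:
            self.true[candidate] += 1
            return "counted"
        # Over the per-IP limit: never reaches the true tally, and the
        # displayed vote is quietly undone after a random 1-6 hour delay
        # (assumed window), so the flood seems to work and then fades.
        due = now + self.rng.uniform(3600, 6 * 3600)
        self.pending_reversals.append((due, candidate))
        return "shadowed"

    def tick(self, now):
        """Apply every reversal whose delay has elapsed; returns how many."""
        still_pending, reverted = [], 0
        for due, candidate in self.pending_reversals:
            if due <= now:
                self.displayed[candidate] -= 1
                reverted += 1
            else:
                still_pending.append((due, candidate))
        self.pending_reversals = still_pending
        return reverted

    def standings(self):
        """Both views side by side, highest true count first."""
        names = sorted(self.displayed, key=lambda c: -self.true[c])
        return [(c, self.displayed[c], self.true[c]) for c in names]
```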

------
huhtenberg
Hmm .. something's not right.

Why didn't Time blacklist the "devoters" by their IPs (or respective small
subnets)? They couldn't be _that_ incompetent. So it's reasonable to assume
that the blacklisting wasn't working, which means the hack must've been
mounted in a distributed fashion, which in turn implies it was run over a
botnet of some kind. Hmm ..

~~~
andrewf
Web proxy farms mean you can't just say "100+ votes from a single IP address =
blacklist". You'd probably need manual intervention to distinguish proxies and
individual abusers. Once you're manually intervening, you may as well just
wait until the poll closes and drop the results you don't want.

~~~
dagobart
...which in turn might make one wonder whether or not that's happening
already all the time and on just any poll around. Had it not been the respected
TIME, one could suspect they kept the poll as it turned out just because the
Anonymous group knew the exact number of votes for every rank.

------
peregrine
A simple forced login with email verification would have ended all of this
nonsense. Throw recaptcha for good measure.

~~~
potatolicious
TIME's purpose with the poll was to drive traffic and interest - the integrity
of the poll is a very distant second concern. Throw up barriers around voting
and you remove the participation and thus traffic from the equation.

~~~
CalmQuiet
If their purpose(s) include _only_ "to drive traffic and interest" -- then
they can forget about pretending that "journalism" (i.e., valuable, reliable
content) is no longer their business.

------
timothychung
I feel that it is more a crack than a hack. :-)

~~~
timothychung
I just think a hack is an improvement to anything while the action in the post
is just ruining the online voting system.

A hack would be to let the TIME web team to know the details of the crack and
the solution to fix it.

Cheers. :-)

~~~
jcl
Classically, a subset of "hacks" are pranks, which are relatively-but-not-totally
harmless ( _someone_ had to take down that car):

<http://hacks.mit.edu/Hacks/misc/best_of.html>

In the grand scheme of things, the ranking of TIME's list is relatively
unimportant. I believe this is only the second time they've done a ranking
poll, and it was effectively gamed last time as well (by a much larger group
of people, though: Stephen Colbert fans and Rain fans).