Or is running an effective online poll truly hopeless?
I'm coming up with all sorts of similes but they all sound snarky, and I don't want to be snarky, so I'll just say it straight: there is no "integrity" in an online poll.
The results are always stunningly, catastrophically, inarguably invalid for any sort of rigorous use. The only thing that makes this particular poll more obviously flawed than the Ron Paul surges, which were more obviously flawed than the garden variety online poll, is that the latent vulnerability was exploited to an extent approaching parody.
(Note you don't have to have an adversary at all to make an online poll invalid. They're always the result of self-selection on the part of the participants anyhow.)
But you're right - in any case where the voters find you, your results will be trash.
I'm guessing some kind of statistical method for determining which votes don't fit the profile of a site's visitors combined with actively weeding out obvious instances of mass voting could make the results at least appear more accurate.
Sure there's no actual validity or rigor to online poll results, but the point is more to have results that at least appear plausible.
Seems to me the issue raised is about the "integrity" of online/offline "journalism" (of Time) in not acknowledging the meaninglessness of the poll results (or even the fact they were badly hacked). [Maybe that's for Newsweek to report?]
I think that if one vote, or any small number of votes, were allowed per IP, the attack would have been much more difficult, as there simply are not tens of thousands of readily available proxies, unless these people have access to a big botnet.

A downside to one vote per IP is that AOL and some organizations place their outgoing web traffic behind one or a small pool of IP addresses. So these users wouldn't have been able to vote.
That would not have been such a big problem. But be sure to play 'dead man' and maintain the illusion that every vote counts.
Even more devious would be accepting the unwelcome votes, but also reversing each one of them after a random time has passed. This way the attackers get the illusion that their attacks succeed, but are fought back (or drowned out in counter-votes from real people) only a few hours later.
At least I spent a few minutes here and there since yesterday thinking about how it could be secured. Any method I thought of was quickly demolished by a few attacks that would work.
But I am open to being corrected! If anyone thinks they could have solved this problem, please reply :)
Of course, if you were only polling existing users, you could limit voting to those users who were there before you started the poll.
Why didn't Time blacklist the "devoters" by their IPs (or respective small subnets)? They couldn't be that incompetent. So it's reasonable to assume that the blacklisting wasn't working, which means the hack must've been mounted in a distributed fashion, which in turn implies it was run over a botnet of some kind. Hmm ..
As the article points out, they didn't even write the poll correctly: Two pairs of candidates shared the same ID. That means that if Oprah Winfrey got the highest score, then Ratan Tata would also get the highest score. If the competition was not hacked, these pairs might have done quite well, since they'd get the combined votes of the two candidates.
If TIME couldn't be bothered to get the poll right in the first place, it's not surprising that they barely tried to fix the hacking.
After it was obvious they were being gamed, they did just that. For IPv4.
Then someone discovered there was no blacklisting going on for IPv6 requests and ran amok, effectively being able to throw out around 30k votes a minute without a botnet. After that the poll pretty much looked exactly like whatever whoever gamed it decided it should be.
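The per-IP quota discussed in the comment above about one vote per IP, and the IPv6 gap described in this comment, can be combined into one limiter. The following is an added example, not code from the thread or from Time's poll: it buckets IPv4 clients by address and IPv6 clients by their /64 (a single host normally controls a whole /64, so per-address limiting is no limit at all), unwraps IPv4-mapped IPv6 addresses, and rejects unparsable input. The prefix lengths, the `quota` knob (the trade-off for NAT pools like AOL's) and the sample addresses are assumptions constructed for the demo.

```python
import ipaddress
from collections import Counter, defaultdict
from typing import Optional

# Assumed policy (hypothetical, not Time's): an IPv4 address is one voter;
# an IPv6 host usually owns an entire /64, so the /64 is the voter.
IPV4_PREFIX = 32
IPV6_PREFIX = 64


def voter_key(ip_text: str) -> Optional[str]:
    """Reduce a client address to the bucket that receives a vote quota.

    Returns None for unparsable input so the caller rejects it rather than
    letting garbage open a fresh, unlimited bucket.
    """
    try:
        addr = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return None
    # ::ffff:198.51.100.7 is the same client as 198.51.100.7; unwrap it so
    # the two spellings share one bucket.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    prefix = IPV4_PREFIX if addr.version == 4 else IPV6_PREFIX
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


class PollLimiter:
    """Accept at most `quota` votes per voter key, for IPv4 and IPv6 alike.

    `quota` is the knob from the thread: 1 stops floods hardest, a small
    number lets a shared NAT pool (one IP for many users) cast a few votes.
    """

    def __init__(self, quota: int = 1):
        self.quota = quota
        self.seen = defaultdict(int)  # voter key -> votes accepted so far
        self.tally = Counter()        # candidate -> accepted votes
        self.rejected = 0

    def vote(self, ip_text: str, candidate: str) -> bool:
        key = voter_key(ip_text)
        if key is None or self.seen[key] >= self.quota:
            self.rejected += 1
            return False
        self.seen[key] += 1
        self.tally[candidate] += 1
        return True


def run_demo() -> PollLimiter:
    """Constructed sample: one genuine voter, then 30k votes from one IPv6 /64."""
    limiter = PollLimiter(quota=1)
    limiter.vote("198.51.100.7", "candidate_a")
    limiter.vote("::ffff:198.51.100.7", "candidate_a")  # same client, mapped form
    for i in range(30_000):                             # 2001:db8:0:1::0 .. ::752f
        limiter.vote(f"2001:db8:0:1::{i:x}", "candidate_b")
    return limiter
```

With per-address IPv6 limiting the loop in `run_demo` would have landed all 30,000 votes; bucketing by /64 lets exactly one through.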
Learn by doing. Get things done, one way or the other. The very essence of hacking!
A hack would be to let the TIME web team know the details of the crack and the solution to fix it.
In the grand scheme of things, the ranking of TIME's list is relatively unimportant. I believe this is only the second time they've done a ranking poll, and it was effectively gamed last time as well (by a much larger group of people, though: Stephen Colbert fans and Rain fans).
I assume that a hack is the product from a hacker and I get my definition of hacker from the article "How to Become a Hacker" by Eric Steven Raymond.