I swear - it's like I'm in high school again. Check out the email I got on Sunday:
Hello my name is XXX and I'm in the running for the last contestant on MTV's the Real World. The competition is online voting and I was wondering if you knew anything about autovoters. Some of the contestants are using them and I would really like one to use. I just have no idea how to use them. If you could make me one that would be fantastic. We could come to some sort of agreement. The site is http://www.realworldcasting.com My personal site is XXX
Please let me know! Thanks!
I'm hiding the name and his personal URL as I'm going to assume that maybe he is just worried about others beating him unfairly and he is just resorting to cheating as a last measure (although I will ping MTV - who wants to bet that I'll actually hear back). With that in mind though - it does bring up a good topic - securing online voting.
I'm pretty sure I've covered this in other blog posts, and I know it's a common question. How would you prevent auto-posting? About the only solution I know of would be to both a) require a unique email address for the vote and b) follow up with a confirmation link to finalize the vote.
One problem with this approach though is that it isn't terribly hard to generate fake email addresses. At Gmail you can just add a -XXX to your address to add a new unique email address. If I were building such a voting system I'd add a rule just for Gmail.
Another problem is that a lot of people probably won't bother to reply to a confirmation link. I'd be willing to bet you would lose close to half of the votes. Of course, that will be evenly distributed amongst all votes probably.
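The email-plus-confirmation-link scheme described above, with a Gmail rule, sketched as an added example (not code from this blog or from any real voting site). It assumes Gmail's sub-addressing, which uses a `+tag` suffix and ignores dots in the local part; `SECRET`, `TOKEN_TTL`, the `Poll` class and the poll and choice names are hypothetical.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"   # assumption: per-site secret, kept out of source in practice
TOKEN_TTL = 24 * 3600              # assumption: confirmation links expire after one day
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}

def canonical_email(address: str) -> str:
    """Collapse address variants that deliver to the same mailbox."""
    local, _, domain = address.strip().lower().rpartition("@")
    if not local or not domain:
        raise ValueError("not an email address")
    if domain in GMAIL_DOMAINS:
        # The Gmail rule: a +tag suffix and dots in the local part are ignored.
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"

def _tag(poll_id: str, key: str, choice: str, expires: int) -> str:
    msg = f"{poll_id}|{key}|{choice}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def make_token(poll_id: str, email: str, choice: str, now: float) -> str:
    """Value carried in the emailed confirmation link: expiry plus HMAC tag."""
    expires = int(now) + TOKEN_TTL
    return f"{expires}.{_tag(poll_id, canonical_email(email), choice, expires)}"

class Poll:
    def __init__(self, poll_id: str):
        self.poll_id = poll_id
        self.confirmed = {}          # canonical email -> choice

    def confirm(self, email: str, choice: str, token: str, now: float) -> str:
        """Count a vote only if the link is authentic, unexpired and unused."""
        expires_s, _, tag = token.partition(".")
        if not expires_s.isdecimal():
            return "bad-token"
        key = canonical_email(email)
        good = _tag(self.poll_id, key, choice, int(expires_s))
        if not hmac.compare_digest(tag.encode(), good.encode()):
            return "bad-token"
        if now > int(expires_s):
            return "expired"
        if key in self.confirmed:
            return "duplicate"
        self.confirmed[key] = choice
        return "counted"
```

Because the vote is keyed on the canonical address, a second confirmation from a tagged variant of the same Gmail mailbox comes back as `duplicate` even though its token is valid.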
p.s. What we really need is a "Real World CF". Can you imagine a bunch of us ColdFusion bloggers in one house?!?!
Archived Comments
How about checking for IP addresses and time stamps? If you detect 3, 4, or more vote posts in rapid succession within 1 minute or something like that from a single IP, that's a good chance that this is an auto vote machine. Check for these variables, and throw out these vote posts.
A problem with ip checks is folks behind firewalls and NAT. Can't say for sure that IP X has voted 50 times, that could be legit votes from different people.
Most everyone knows the clear cookie trick for voting already.
I've tried hashing the useragent and ip address to guess if it is the same person. That works for home users but most networks will have some set image with the same useragent string on each machine or have the firewall strip out the useragent data.
I can't wait to read what the community comes up with as to "real world" suggestions for handling this.
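The IP-and-timestamp check suggested in the comments above, with the NAT objection taken into account, as an added example that is not part of any comment. The log format, window and threshold are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque

WINDOW = 60      # seconds; "within 1 minute" from the comment
THRESHOLD = 3    # votes inside the window that trigger the check


class BurstDetector:
    """Sliding-window counter of vote posts per source IP."""

    def __init__(self, window: int = WINDOW, threshold: int = THRESHOLD):
        self.window = window
        self.threshold = threshold
        self.recent = defaultdict(deque)     # ip -> timestamps inside the window

    def observe(self, ip: str, ts: float) -> str:
        """Return 'accept' or 'challenge' for a vote from ip at time ts."""
        q = self.recent[ip]
        while q and ts - q[0] >= self.window:
            q.popleft()                      # drop votes older than the window
        q.append(ts)
        # A shared NAT address can exceed the threshold with real voters, so
        # the vote is held for a CAPTCHA or email confirmation, not discarded.
        return "challenge" if len(q) >= self.threshold else "accept"


def classify(log_lines):
    """Parse 'epoch ip choice' lines (constructed format) and label each vote."""
    det = BurstDetector()
    out = []
    for line in log_lines:
        ts, ip, choice = line.split()
        out.append((ip, choice, det.observe(ip, float(ts))))
    return out


# Constructed sample: a scripted burst from one address, plus slow votes
# from a second address such as an office behind NAT.
SAMPLE_LOG = [
    "1000 203.0.113.7 alice",
    "1002 203.0.113.7 alice",
    "1003 198.51.100.20 bob",
    "1004 203.0.113.7 alice",
    "1005 203.0.113.7 alice",
    "1050 198.51.100.20 alice",
    "1200 198.51.100.20 bob",
    "1300 203.0.113.7 alice",
]
```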
verification via SMS. They send you a message to your cell phone and you reply.
Or IM?
We had RealWorld CF the other day - a bunch of geeks drinking beer and watching Beavis and Butthead...don't think it makes for real compelling TV :)
NFL.com essentially has been using a CAPTCHA system for online voting. They make you enter in a 7 digit number (I think it's seven numbers.)
While they don't prevent you from voting multiple times, the CAPTCHA system does prevent autobots and seriously limits a person's ability to flood the system with votes.
'While they don't prevent you from voting multiple times, the CAPTCHA system does prevent autobots and seriously limits a person's ability to flood the system with votes.'
But it lets Decepticons vote? That seems one sided...
Sorry couldn't resist :)
I actually like the idea of a GUID (or the like) sent to the page, and read back upon posting so the only way to do it would be to automate the browser, in combination with new emails etc.
I'm going to venture to say that you'll never stop someone determined enough. I mean, we still haven't solved voter fraud where there is actually a person's face to look at. With that said, short of having everyone get a verifiable client certificate (PKI), there's not a real way to verify 1 vote per person.
On another note, this topic always reminds me of this speech:
http://identity20.com/media...
A Flex/Flash based voting system would probably make it tough to autovote from a DOM perspective, but it would be totally vulnerable to a macro-based screen recording/playback program.
However, the limitations of those kinds of systems are that they often are based on the physical location of clicks. So randomize things up. Change the ordering of the entries and the "Vote" buttons.
I saw this technique used on shareware in the past. The "Try" and "Buy" buttons would sometimes swap positions, making a macro to automate the clicking of the "Try" button a bit frustrating. :-)
Used in combination with some other afore-mentioned techniques, and it'd be a frustrating system to hack..
You know that if we could solve this problem, then we could begin voting in elections online, though admittedly there are a few more problems with that sort of thing that current online voting systems wouldn't have to deal with (like age verification, citizenship verification, etc.)
The SMS suggestion reminds me of the old BBS Callback Verifier days! I used to love playing L.O.R.D., Trade Wars, and Food Fight. :o) *getting nostalgic*
That house would need like 20 T1's :)
Or what about one of those elimination challenge shows, like Top Chef?
Each week a contestant would be voted off the cf island.
Think of all the code that would come out of that!