Girly man geek helps jock get on MTV

This post is more than 2 years old.

I swear - it's like I'm in high school again. Check out the email I got on Sunday:

Hello my name is XXX and I'm in the running for the last contestant on MTV's the Real World. The competition is online voting and I was wondering if you knew anything about autovoters. Some of the contestants are using them and I would really like one to use. I just have no idea how to use them. If you could make me one that would be fantastic. We could come to some sort of agreement. The site is http://www.realworldcasting.com

My personal site is XXX

Please let me know! Thanks!

I'm hiding the name and his personal URL as I'm going to assume that maybe he is just worried about others beating him unfairly and he is just resorting to cheating as a last measure (although I will ping MTV - who wants to bet that I'll actually hear back). With that in mind though - it does bring up a good topic - securing online voting.

I'm pretty sure I've covered this in other blog posts, and I know it's a common question. How would you prevent auto-posting? About the only solution I know of would be to both a) require a unique email address for the vote and b) follow up with a confirmation link to finalize the vote.

One problem with this approach though is that it isn't terribly hard to generate fake email addresses. At gmail you can just add a -XXX to your address to add a new unique email address. If I were building such a voting system I'd add a rule just for gmail.

Another problem is that a lot of people probably won't bother to reply to a confirmation link. I'd be willing to bet you would lose close to half of the votes. Of course, that will be evenly distributed amongst all votes probably.
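A sketch of the unique-email-plus-confirmation-link scheme with a Gmail-specific rule, added here as an example and not code from the original post. The secret, the one-hour expiry, the function and class names, and the choice to collapse Gmail's "+tag" and dot variants are all assumptions of this example.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: server-side secret, never sent to the client
TOKEN_TTL = 3600                  # assumption: confirmation links expire after one hour
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(addr):
    """Collapse Gmail alias forms so one mailbox counts as one voter."""
    local, _, domain = addr.strip().lower().rpartition("@")
    if not local or not domain:
        raise ValueError("not an email address")
    if domain in GMAIL_DOMAINS:
        # Gmail ignores dots and anything after '+' in the local part.
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def make_token(email, contestant, now=None):
    """Value embedded in the confirmation link mailed to the voter."""
    issued = int(time.time() if now is None else now)
    msg = f"{canonical_email(email)}|{contestant}|{issued}".encode()
    return f"{issued}.{hmac.new(SECRET, msg, hashlib.sha256).hexdigest()}"


class Ballot:
    def __init__(self):
        self.confirmed = {}  # canonical email -> contestant

    def confirm(self, email, contestant, token, now=None):
        """Count a vote only for a fresh, valid token from a mailbox not yet used."""
        now = time.time() if now is None else now
        issued, _, sig = token.partition(".")
        if not issued.isdigit() or now - int(issued) > TOKEN_TTL:
            return "expired"
        expected = make_token(email, contestant, now=int(issued)).partition(".")[2]
        if not hmac.compare_digest(sig.encode(), expected.encode()):
            return "bad-token"
        key = canonical_email(email)
        if key in self.confirmed:
            return "duplicate"
        self.confirmed[key] = contestant
        return "counted"
```

Because the token is an HMAC over the canonical address, the vote is only counted once someone with access to that mailbox follows the link, and alias variants of one Gmail mailbox map to the same ballot entry.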

p.s. What we really need is a "Real World CF". Can you imagine a bunch of us ColdFusion bloggers in one house?!?!

About Raymond Camden

Raymond is a senior developer evangelist for Adobe. He focuses on document services, JavaScript, and enterprise cat demos.

Lafayette, LA https://www.raymondcamden.com

Archived Comments

Comment 1 by Lola LB posted on 7/2/2007 at 8:24 PM

How about checking for IP addresses and time stamps? If you detect 3, 4, or more vote posts in rapid succession within 1 minute or something like that from a single IP, that's a good chance that this is an auto vote machine. Check for these variables, and throw out these vote posts.

Comment 2 by Scott P posted on 7/2/2007 at 9:28 PM

A problem with ip checks is folks behind firewalls and NAT. Can't say for sure that IP X has voted 50 times, that could be legit votes from different people.

Most everyone knows the clear cookie trick for voting already.

I've tried hashing the useragent and ip address to guess if it is the same person. That works for home users but most networks will have some set image with the same useragent string on each machine or have the firewall strip out the useragent data.

I can't wait to read what the community comes up with as to "real world" suggestions for handling this.
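The burst check from Comment 1 and the IP-plus-user-agent key from Comment 2, run over the same votes, as an added example that is not part of either comment. The log format, the threshold of 4 votes in 60 seconds, the function names and the sample lines (constructed, using documentation IP ranges) are assumptions of this example.

```python
import hashlib
from collections import defaultdict, deque
from datetime import datetime

WINDOW_SECONDS = 60  # assumption: "within 1 minute"
BURST_THRESHOLD = 4  # assumption: "3, 4, or more" votes

# Constructed sample vote log: ISO timestamp, client IP, user agent.
SAMPLE_LOG = """\
2007-07-02T20:00:01 203.0.113.9 Script/1.0
2007-07-02T20:00:03 203.0.113.9 Script/1.0
2007-07-02T20:00:05 203.0.113.9 Script/1.0
2007-07-02T20:00:07 203.0.113.9 Script/1.0
2007-07-02T20:00:10 198.51.100.20 Firefox/2.0
2007-07-02T20:00:20 198.51.100.20 MSIE/7.0
2007-07-02T20:00:30 198.51.100.20 Safari/3.0
2007-07-02T20:00:40 198.51.100.20 Opera/9.2
2007-07-02T20:05:00 192.0.2.77 Firefox/2.0
"""


def by_ip(ip, agent):
    return ip


def by_ip_and_agent(ip, agent):
    # Hash of IP plus user agent, the fingerprint tried in Comment 2.
    return hashlib.sha256(f"{ip}|{agent}".encode()).hexdigest()


def find_bursts(log_text, key_fn):
    """Return the set of IPs with BURST_THRESHOLD+ votes inside one sliding window."""
    recent = defaultdict(deque)  # key -> timestamps still inside the window
    flagged = set()
    for line in log_text.splitlines():
        stamp, ip, agent = line.split(maxsplit=2)
        ts = datetime.fromisoformat(stamp)
        window = recent[key_fn(ip, agent)]
        window.append(ts)
        while (ts - window[0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()
        if len(window) >= BURST_THRESHOLD:
            flagged.add(ip)
    return flagged
```

Keyed on IP alone, the four different browsers behind 198.51.100.20 are flagged together with the scripted client; keyed on IP plus user agent, only the scripted client is. A network where every machine sends the same user agent string would still be flagged under either key, which is the limit Comment 2 describes.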

Comment 3 by TJ Downes posted on 7/2/2007 at 9:37 PM

Verification via SMS. They send you a message to your cell phone and you reply.

Comment 4 by todd sharp posted on 7/2/2007 at 9:46 PM

Or IM?

We had RealWorld CF the other day - a bunch of geeks drinking beer and watching Beavis and Butthead...don't think it makes for real compelling TV :)

Comment 5 by Dan G. Switzer, II posted on 7/2/2007 at 9:51 PM

NFL.com essentially has been using a CAPTCHA system for online voting. They make you enter in a 7 digit number (I think it's seven numbers.)

While they don't prevent you from voting multiple times, the CAPTCHA system does prevent autobots and seriously limits a person's ability to flood the system with votes.

Comment 6 by john W posted on 7/2/2007 at 10:13 PM

'While they don't prevent you from voting multiple times, the CAPTCHA system does prevent autobots and seriously limits a person's ability to flood the system with votes.'

But it lets Decepticons vote? That seems one sided...

Sorry couldn't resist :)

Comment 7 by David Herman posted on 7/2/2007 at 10:53 PM

I actually like the idea of a GUID (or the like) sent to the page, and read back upon posting so the only way to do it would be to automate the browser, in combination with new emails etc.

Comment 8 by Dustin posted on 7/2/2007 at 10:59 PM

I'm going to venture to say that you'll never stop someone determined enough. I mean, we still haven't solved voter fraud where there is actually a person's face to look at. With that said, short of having everyone get a verifiable client certificate (PKI), there's not a real way to verify 1 vote per person.

Comment 9 by Dustin posted on 7/2/2007 at 11:14 PM

On another note, this topic always reminds me of this speech:

http://identity20.com/media...

Comment 10 by Joshua Curtiss posted on 7/2/2007 at 11:18 PM

A Flex/Flash based voting system would probably make it tough to autovote from a DOM perspective, but it would be totally vulnerable to a macro-based screen recording/playback program.

However, the limitations of those kinds of systems are that they often are based on the physical location of clicks. So randomize things up. Change the ordering of the entries and the "Vote" buttons.

I saw this technique used on shareware in the past. The "Try" and "Buy" buttons would sometimes swap positions, making a macro to automate the clicking of the "Try" button a bit frustrating. :-)

Used in combination with some other afore-mentioned techniques, and it'd be a frustrating system to hack.

Comment 11 by Chris Jordan posted on 7/2/2007 at 11:40 PM

You know that if we could solve this problem, then we could begin voting in elections online, though admittedly there are a few more problems with that sort of thing that current online voting systems wouldn't have to deal with (like age verification, citizenship verification, etc.)

The SMS suggestion reminds me of the old BBS Callback Verifier days! I used to love playing L.O.R.D., Trade Wars, and Food Fight. :o) *getting nostalgic*

Comment 12 by Dan Vega posted on 7/3/2007 at 7:29 AM

That house would need like 20 T1's :)

Comment 13 by Phillip Senn posted on 7/16/2007 at 7:04 PM

Or what about one of those elimination challenge shows, like Top Chef?
Each week a contestant would be voted off the cf island.

Think of all the code that would come out of that!