Coding Horror
programming and human factors
by Jeff Atwood

Apr 20, 2009

How Not to Conduct an Online Poll

Inside the Precision Hack is a great read. It's all about how the Time Magazine World's Most Influential People poll was gamed. But the actual hack itself is somewhat less impressive when you start digging into the details.

Here's the voting UI for the Time poll in question.

[image: Time 100 poll entry]

Casting a vote submits an HTTP GET of the form:

http://www.timepolls.com/contentpolls/Vote.do?pollName=time100_2009&id=1883924&rating=1

Where id is a number associated with the person being voted for, and rating is how influential you think that person is, from 1 to 100. Simple enough, but Time's execution was ... less than optimal.

In early stages of the poll, Time.com didn't have any authentication or validation -- the door was wide open to any client that wanted to stuff the ballot box.

Soon afterward, it was discovered that the Time.com Poll didn't even range check its parameters to ensure that the ratings fell within the 1 to 100 range.

The outcome of the 2009 Time 100 World's Most Influential People poll isn't that important in the big scheme of things, but it's difficult to understand why a high profile website would conduct an anonymous worldwide poll without even the most basic of safeguards in place. This isn't high security; this is web 101. Any programmer with even a rudimentary understanding of how the web works would have thought of these exploits immediately.

Without any safeguards, wannabe "hackers" set out to game the poll in every obvious way you can think of. Time eventually responded -- with all the skill and expertise of ... a team who put together the world's most insecure online poll.

Shortly afterward, Time.com changed the protocol to attempt to authenticate votes by requiring a key be appended to the poll submission URL. The key consisted of an MD5 hash of the URL + a secret word (aka 'the salt'). [hackers eventually] discovered that the salt [..] was poorly hidden in Time.com's voting flash application. With the salt extracted, the autovoters were back online, rocking the vote.

So-called secret poorly hidden on the client: check!
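To make the two failures above concrete (the missing range check and the salt shipped inside the Flash client), here is an added example; it is not code from this post or from Time.com's system. It reconstructs the MD5(url + salt) key scheme as the quoted article describes it, shows that whoever has extracted the salt can sign any vote including an out-of-range rating, and then sketches one hardened alternative: validate id and rating on the server and require a server-minted, single-use HMAC token that the client cannot forge. The candidate id set, the salt value, the token format and the Vote.do verifier are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
from urllib.parse import urlencode

# Assumed for this example: the post shows only one id (1883924) and the 1..100 range.
CANDIDATES = {1883924, 1883925, 1883926}
RATING_MIN, RATING_MAX = 1, 100
VOTE_URL = "http://www.timepolls.com/contentpolls/Vote.do"

# --- The scheme the article describes: key = MD5(url + salt), salt embedded in the client.
CLIENT_SALT = "s3cret"  # constructed stand-in for whatever the .swf actually contained


def legacy_key(url, salt=CLIENT_SALT):
    """Key as the client computed it; anyone holding the salt can compute it too."""
    return hashlib.md5((url + salt).encode()).hexdigest()


def forge_vote(poll, cid, rating):
    """Build a fully 'authenticated' vote URL for any id and any rating, in range or not."""
    url = VOTE_URL + "?" + urlencode({"pollName": poll, "id": cid, "rating": rating})
    return f"{url}&key={legacy_key(url)}"


def legacy_server_accepts(vote_url):
    """Assumed verifier that checks the key and nothing else: both weaknesses at once."""
    url, _, key = vote_url.rpartition("&key=")
    return hmac.compare_digest(key, legacy_key(url))


# --- Hardened: server-side validation plus server-minted, single-use vote tokens.
class VoteServer:
    def __init__(self):
        self._hmac_key = os.urandom(32)  # never leaves the server, unlike the Flash salt
        self._unused = set()             # nonces issued but not yet spent
        self.tally = {cid: [] for cid in CANDIDATES}

    def issue_token(self):
        """Handed to the client when the poll page loads; valid for exactly one vote."""
        nonce = secrets.token_hex(16)
        self._unused.add(nonce)
        tag = hmac.new(self._hmac_key, nonce.encode(), "sha256").hexdigest()
        return f"{nonce}.{tag}"

    def cast(self, params):
        """Validate every parameter on the server; return (accepted, reason)."""
        try:
            cid = int(params["id"])
            rating = int(params["rating"])
            token = params["key"]
        except (KeyError, ValueError):
            return False, "malformed"
        if cid not in CANDIDATES:
            return False, "unknown candidate"
        if not RATING_MIN <= rating <= RATING_MAX:
            return False, "rating out of range"
        nonce, _, tag = token.partition(".")
        expected = hmac.new(self._hmac_key, nonce.encode(), "sha256").hexdigest()
        if not hmac.compare_digest(tag, expected):
            return False, "bad token"
        if nonce not in self._unused:
            return False, "token already spent"
        self._unused.discard(nonce)  # replaying the same URL now fails
        self.tally[cid].append(rating)
        return True, "ok"
```

The token closes two holes: parameters can no longer be minted offline, and a captured vote URL cannot be replayed. It does not by itself stop automation, since a bot can fetch a fresh token before every vote, which is why the throttling discussed next (and, eventually, a CAPTCHA) is a separate layer.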

Another challenge faced by the autovoters was that if you voted for the same person more often than once every 13 seconds, your IP would be banned from voting. However, it was noticed that you could cycle through votes for other candidates during those 13 seconds. The autovoters quickly adapted to take advantage of this loophole, interleaving up-votes for moot with down-votes for the competition -- ensuring that no candidate received a vote more frequently than once every 13 seconds, maximizing the voting leverage.

Sloppy, incomplete IP throttling: check!
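The throttle loophole above, as an added example that is not part of the original post or of Time.com's code: a per-(IP, candidate) throttle like the one the article quotes, the interleaving autovoter that defeats it, and a per-source throttle that budgets every vote from an address regardless of candidate. The 21-candidate rotation, the one-vote-per-second rate and the client address are constructed inputs; the 13-second window is the figure the article gives.

```python
from collections import defaultdict, deque

WINDOW = 13.0  # seconds; the per-candidate rule the quoted article describes


class PerCandidateThrottle:
    """The flawed rule: one vote per (ip, candidate) per window."""

    def __init__(self, window=WINDOW):
        self.window = window
        self.last = {}  # (ip, cid) -> time of last accepted vote

    def allow(self, ip, cid, now):
        key = (ip, cid)
        if key in self.last and now - self.last[key] < self.window:
            return False
        self.last[key] = now
        return True


class PerSourceThrottle:
    """Budget the source, not the (source, candidate) pair: at most `burst` votes per window per ip."""

    def __init__(self, window=WINDOW, burst=1):
        self.window = window
        self.burst = burst
        self.history = defaultdict(deque)  # ip -> timestamps of accepted votes in the window

    def allow(self, ip, cid, now):
        q = self.history[ip]
        while q and now - q[0] >= self.window:  # expire votes that left the window
            q.popleft()
        if len(q) >= self.burst:
            return False
        q.append(now)
        return True


def interleaved_autovoter(candidates, votes_per_second, duration):
    """Constructed vote stream: rotate through candidates so no single one repeats inside the window."""
    votes = []
    step = 1.0 / votes_per_second
    t, i = 0.0, 0
    while t < duration:
        votes.append((t, candidates[i % len(candidates)]))
        t += step
        i += 1
    return votes


def accepted_votes(throttle, stream, ip="203.0.113.7"):
    """Replay a (time, candidate) stream from one address and count what the throttle lets through."""
    return sum(1 for t, cid in stream if throttle.allow(ip, cid, t))


if __name__ == "__main__":
    stream = interleaved_autovoter(list(range(21)), votes_per_second=1.0, duration=60)
    print("per-candidate throttle accepted", accepted_votes(PerCandidateThrottle(), stream))
    print("per-source throttle accepted   ", accepted_votes(PerSourceThrottle(), stream))
```

With 21 candidates in rotation each one recurs only every 21 seconds, so the per-candidate rule never fires and all 60 votes land; the per-source rule admits one vote per 13 seconds from that address, five in the same minute. Per-address limits are still a blunt instrument: they punish users behind a shared NAT and do nothing against an attacker with many addresses, so in practice they sit alongside a per-session budget and a CAPTCHA rather than replacing them.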

At this point, here's the mental image I had of the web developers running the show at time.com:

[image: a bunch of clowns]

Remember my advice from design for evil?

When good is dumb, evil will always triumph.

Well, here's your proof. I'm not sure they come any dumber than these clowns.

The article goes on to document how the "hackers" exploited these truck sized holes in the time.com online voting system to not only put moot on top, but spell out a little message, too, for good measure:

Looking at the first letters of each of the top 21 leading names in the poll we find the message "marblecake, also the game". The poll announces (perhaps subtly) to the world, that the most influential are not the Obamas, Britneys or the Rick Warrens of the world, the most influential are an extremely advanced intelligence: the hackers.

It's a nice sentiment, I suppose. But is it really a precision hack when your adversaries are incompetent? If you want to read about a real hack -- one that took "extremely advanced intelligence" in the face of a nearly unstoppable adversary -- try the black sunday hack. Now that's a hack.

Update: A second article describing more Time poll hilarity. Now with 100% more CAPTCHA!

Comments

It's easy to laugh at Time for their implementation of a poll. At least it's not happening to ME, you're thinking. But if you're like me, you're left with a nagging afterthought: how would I have done it differently?

Let's turn this into a learning experience.

Barry on April 20, 2009 2:10 AM

I'm sure the poll votes weren't even recorded. They like to make you think your vote does something, but Time knew it was going to be Barack.. How, you ask? Because the boss said so. Kinda like the real election. :O

Joe Beam on April 20, 2009 2:34 AM

Let me just say this, MANY sites run polls like this. From serious competitions where there is something of value as a reward to the mundane polls. And MOST of them are implemented VERY poorly.

This is hacking 095 folks. Snoop around craigslist and you will find people willing to pay someone to hack a poll (every now and then).

M on April 20, 2009 3:08 AM

This seems like the preaching to the choir you don't like in your anti-DailyWTF post. The Time site programmers probably don't read this blog :)

http://www.codinghorror.com/blog/archives/000824.html

squidbot on April 20, 2009 3:12 AM

This story definitely should go on dailywtf and failblog.org

as funny as this is, sadly this is happening everywhere.

someone should try an SQL injection attack on these polls and I won't be surprised if the hacker wiped out the poll database.. or worse

Terry on April 20, 2009 3:36 AM

..., but it's difficult to understand why a high profile website would conduct an anonymous worldwide poll without even the most basic of safeguards in place. This isn't high security; this is web 101.

I would even go as far as calling it input validation, not security. I consider this to be such a basic check that I'd consider calling this low security an insult to every person who's ever had to deal with a buffer overflow and other forms of code injection.

Giel on April 20, 2009 5:21 AM

It's interesting also that they give you a range of 0--100.

Is anyone really going to sit there and think, Hmm, I think Barack Obama's a 73 .. or is he more like a 72?

I wager that the legit votes are heavily skewed to the extremes, with a hump at 50. Really, they should have just given three options: Not, Somewhat, Very.

John Fouhy on April 20, 2009 5:26 AM

The better question that no one has asked yet is why a news organization is even running and reporting the results of a poll that by its nature is based on a self-selected sample and is therefore scientifically invalid -- even if the code weren't written by idiots.

kdt on April 20, 2009 7:00 AM

Excellent post as a case study, but this text is offensive. More respect is appreciated

Daniel on April 20, 2009 7:26 AM

It's funny how we give plenty of credit to those who break web apps, while calling those who make them clowns and idiots. Making is much harder than breaking, at least when it comes to webapps with no authentication.

We shouldn't be encouraging these hackers... Hacking anonymous online polls is easy and thus lame.

Securing them against a determined attacker is much harder, especially if you don't want to impact the usability for legitimate users.

Igor Ostrovsky on April 20, 2009 7:45 AM

Any script kiddy could have done that, and yes Time are retards if it did not occur to them to implement something like that with more than about 30 seconds worth of effort, but the real story would have been if someone had managed to *add* a candidate. Father Christmas? God? Ronald McDonald?

Hokey.

--
omnibus locis fit caedes
--

dPie on April 20, 2009 10:34 AM

I'm sorry but as funny as this story and ones like it are. Hackers are NOT the most influential people.

ChrisD on April 20, 2009 10:53 AM

In this circumstance, Hackers are relatively the most influential people.

Bill on April 20, 2009 11:01 AM

If you can repeatedly remove the influence of others and disproportionately increase your own influence, then, in circumstances where this is possible, you can be said to be most influential.

Guillermo Llosa on April 20, 2009 11:04 AM

I don't think that the webdevelopers are dumb - I think they have to work for people who know next to nothing about the net and on top of this have to make financial ends meet. Something like Put this poll online ASAP. Here is you budget of $500. followed by What is your problem? How hard can it be? Everybody has poll on his blog so this doesn't look like rocket science to me. Get the heck on it before I fire you.

TonyS on April 20, 2009 11:20 AM

What clowns! They should have used a strong captcha proof, like orange.

Charles on April 20, 2009 11:24 AM

Agree with TonyS. Criticism on a blog post? Of course. But this is a bit much.

I'd say the major failing here is attempting to do this in-house when they clearly didn't have the necessary expertise. They should have instead found an established partner whose main business is to provide these kinds of polls. A company with a proven track record. Budget problems? Give the company some visibility and they'd probably love to take on such a high profile poll.

Tom on April 20, 2009 11:30 AM

Man, you must be scared of being dumb. It would mean the end of the world to you, right?

Dennis on April 20, 2009 11:41 AM

You won't hear about the precision hacks, not in the news, and not on blogs and such.

The now retired admin for a post-secondary institution got his job cause he pwnd the network - and I mean everything.

It took 3 guys at his same pay grade to replace him, and they still couldn't figure out what his scripts do.

Calyth on April 20, 2009 11:46 AM

It would be clever to let all sorts of obvious bullshit votes through, and then post-process the results later. (Remove out-of-range, obvious bot votes, etc, after the voting is closed.)

You avoid an arms race that way.

IvyMike on April 20, 2009 11:48 AM

Our server team had this written on the wall:

Make sure that everything you send is valid, assume that everything you receive is invalid.

Tatu on April 20, 2009 12:01 PM

Simon's right (as usual, I might add). If you allow anonymous voting, you're going to create a vulnerability. But most of the time, you can handle vote-rigging in the way IvyMike suggests. You simply toss out the extreme values, whether they're valid or not. It's worked beautifully for me in the past. In a way you're taking the Google approach over the Microsoft approach, by using statistical techniques to get you a pretty good and robust answer.

Marcel Levy on April 20, 2009 12:05 PM

I'm somewhat skeptical about all the claims made in the post about the hack.
Time.com doesn't even have IPv6.

none on April 20, 2009 12:09 PM

Thanks for the breakdown, I really enjoyed it. Any chance you might have an article waiting in the wings for some suggestions?

jay on April 20, 2009 12:12 PM

Heh, Victoria's Secret had a very similar contest last fall, where you could vote for the next college to become part of its Pink line of underwear.

http://www.uwire.com/Article.aspx?id=3569898

At first you could vote just by sending an HTTP request with the right URL parameters. After they first realized they had a problem, they changed it so you needed to add voted=true to the URL. Laughable.

Next they added an MD5 checksum with a salt (just like Time), but of course the salt was embedded in the Flash, so that was broken in not too long.

Finally they just froze the vote totals of the top schools at the time. Since MIT could no longer vote for itself, they decided to vote for the most conservative of schools for hilarity, including Bob Jones University and Zion Bible College.

Adam Rosenfield on April 20, 2009 12:17 PM

I agree man; Time totally dropped the ball here.

I was actually contracted by a company to exploit a poll in my younger, more naive, days and I'm always amazed how easy it still is to compromise an online poll. I maintain it's inexcusable; it's easier to implement some obvious integrity checking than most people think. It just takes a little forethought into how you could hack the poll.

::Shameless Plug::
BTW, I wrote a post about this on my blog a couple days ago that goes into some detail about how to prevent this sort of fiasco.

Eric Lamb on April 20, 2009 12:18 PM

LOL! Hilarious!! Excellent case study though!! :)

Jaskirat on April 20, 2009 12:21 PM

Having done some work on small pieces and modules like this on a few Time.com projects (third party marketing firm I do contract work for) - I almost want to doubt that Time even did this internally, though it's entirely possible.

thismat on April 20, 2009 12:24 PM

This should have been on TheDailyWTF instead. Ha.

Cullen Murphy on April 20, 2009 12:27 PM

P.S: Why does your captcha always just show orange ? I dont remember seeing anything other than orange.

Jaskirat on April 20, 2009 12:28 PM

I guess that fact that their site wasn't throwing exceptions lulled them into a false sense of security.

Will on April 20, 2009 12:49 PM

I bet the 'clowns' a) had certifications and/or were 'degreed'.

Tarkin on April 20, 2009 12:55 PM

The reason the poll was broken was because Time didn't give a shit. No online poll works, because you have absolutely no idea who's voting or why. If the poll gave screwy results, Time would just flush it down the toilet. If it gave them a result they could babble on about, they'd keep it. Validity is a distant second.

The hackers just hacked something that no-one cared about. That's why it was so easy.

William on April 20, 2009 12:55 PM

Marblecake? I might have missed that meme completely.

Time definitely lost the game; but they've been losing it for a LONG time.

Will on April 20, 2009 12:55 PM

A long time ago, I bought a feeder. I put it on the porch. It was beautiful to see birds standing close to me.

A week later, however, there were a lot of them. They started to build nests on the roof, tables, even in my car.

Then, the inevitable showed up: shit. It was everywhere. On my roof, on the tables, on my clothes... everywhere! After some time, they started to be aggressive. They were over me, even though I was the person who was feeding them. Some of them were loud and arrogant. They were invading my house, making sounds all the time, to remind me to fill the feeder if there wasn't food.

After some time I couldn't even sit down on my own chairs. I decided to throw away the feeder, and after three days they were neither in the garden nor in my house anymore. I cleaned and I put everything in order, eliminating even the nests. Soon, everything came back to normal: a peaceful and safe place, without any troublemaker asking for 'the right to free food'.

Now, is time to think about it.

We got, with our hard work and with the work of our parents and grandparents, a system with many benefits: access to a universal health care system, a little imperfect but better than nothing. We have public schools and public transport, economic facilities for the most needy people, etc., and we let anyone born here be a citizen of our country.

Then, thousands of illegal immigrants came here, and get all the same benefits that we have. Because they are illegal immigrants, they don't need to pay taxes. Because of that, they are paid more than us, because in order to pay a legal worker 2000£, the employer needs to spend about 4000£.

To pay the extra expenses, we need to pay more taxes.

Council houses are being taken by them, sometimes by force, and we are the ones that pay the rent, just like happens in Becontree and Bransholme.

If we need to go to the hospital we need to wait more hours before we get attended, because the hospitals are invaded by illegal immigrants, including workers that do not have the degrees we need to get those jobs.

In the schools, our children have to bear the problems when they're studying, even when they're eating, because the dining hall is set up by religious impositions.

Christmas will be eliminated to 'not hurt the foreigners' sensibility', showing no respect for our sensibility... that is the sensibility of the owners' house!!
About 75% of criminal acts against common people (us) are committed by 10% of the population (illegal immigrants); meanwhile, prisons are so full of criminals that, with the help of ineffective justice, they are released from prison in a short time, so they start to commit crimes again.

If we try to stop all this madness, we'll find protests, organized by assholes that scream against human rights violations (because these assholes don't give a shit about our rights) or they say that we have the same rights as them, because our parents and grandparents were the ones that paid all taxes when we were kids. So, it seems that my father doesn't have the right to choose where his money will go, whether to his children or to someone else's children. My father only had one child. My Colombian neighbor has six. Because of the global financial crisis, we'll see if I can have one child.

I want to make clear that this is just my opinion, but maybe it is time for the government to throw away the feeder, and clean the house.

If you agree with me, reproduce this message.

If you disagree with me, continue to clean shit... just like Germany was cleaning long time ago.

Time to act on April 20, 2009 1:04 PM

Thank you.

I was tempted to post something like this myself but decided against it... at least I know I wasn't alone in reading that and thinking right away "This isn't a clever hack, it's just bad programming in action."

Just goes to show, bad programming is everywhere! :)

Jheriko on April 20, 2009 1:11 PM

Black Sunday is the greatest hack (or reverse hack) of all time. Absolutely astounding.

It's difficult to understand how otherwise outstanding programmers can be so incredibly incompetent when it comes to simple security like this.

Ryan on April 20, 2009 1:11 PM

Seems a bit rich to label those involved as dumb clowns, when only a couple of days ago you were advocating rushing untested software out the door, and only fixing bugs that generated exceptions.

As you said,
Your software will ship with bugs anyway. Everyone's software does. Real software crashes. Real software loses data. Real software is hard to learn, and hard to use. The question isn't how many bugs you will ship with, but how fast can you fix those bugs?

Besides, it might have been more helpful to explain how you would have avoided these issues.

Steve W on April 20, 2009 1:18 PM

The worst magazine survey had to have been from Software Development. They were having a contest: answer a series of computer trivia questions, multiple guess, and have a chance to win. Went and gave it a try and as soon as you hit the submit button you got back a dialog saying how many you had answered. This being pre-AJAX I looked at the code to see how they did it, and there in the javascript was an array with the question number and answer.

will on April 20, 2009 1:22 PM

Not doing server-side bounds-checking was certainly a clownish mistake, but beyond that I don't see the stark contrast between Time and DirecTV that your post tries to set up. They are both fundamentally facing the same impossible problem: trying to authenticate users with a token that can be examined, reproduced, and faked. The obvious ways for Time to improve their security (e.g. requiring email-verified user registration) were likely ruled out by business requirements. The black sunday anti-hack was delivered with more panache, but that panache didn't ultimately secure DirecTV against what is simply a theoretically impossible problem.

David Wright on April 20, 2009 1:56 PM

Some of our departments have been slashed 80%. We have no QA testers. We have no development team. Sometimes it's just us and a Pentium 4 rusting away in a cubicle. The reality is, we have to get stuff out the door while we are mired in bureaucracy. The bureaucracy is more important than the application itself because management doesn't even use the application, but they read your paperwork.

Lewis Salem on April 21, 2009 2:04 AM

@Steve W

I see your point. My interpretation was that you handle obvious exceptions, but didn't try to handle every single exception until you got into a higher volume environment. IMO sometimes it's better to see an actual failure as opposed to having a poorly handled exception.

I think that's pretty much what you were just saying though :).

Eagan on April 21, 2009 2:52 AM

Mr Atwood:
The assumption here is that poor quality code is written only by incompetent software engineers. Not so. I have seen so much poor quality software written by competent software engineers that destroys that assumption.

I have no objection to your technical assessment but I have strong objection to your singling out unknown persons who wrote the piece of code under discussion as incompetent. You do not give any thought to the conditions, environment or other possible contexts that might give rise to this poor code. In doing so you do not further the cause of software engineering especially in the areas of software development and IT project management.

From some of the comments I have read I see that I am not the only person concerned with the direction of your developing personality and dimming acuity.

Sam on April 21, 2009 2:55 AM

The precision part was in countering the real votes enough to ensure the exact order of the 20 names, in real time, with a deadline looming and the possibility that they weren't the only ones gaming the system. Not as tricky as you'd think given the ineptitude of the poll, but not exactly trivial either. They'd have looked pretty foolish if they'd have borked it at the last minute...

Schmoo on April 21, 2009 3:08 AM

Yeah, they probably assigned this to a poor junior programmer getting paid minimum wage and gave him like 5 minutes to get it done...

I'm sure this was good experience for them and no harm was done since it's just a crappy anonymous online poll that has no meaning whatsoever, you make it sound like this was the system used for the actual election lol.

ND on April 21, 2009 3:08 AM


Word up

Me! on April 21, 2009 3:10 AM

@Sam: I've been the one producing appalling code when given no choice by an ignorant employer, but I'd still label that as incompetence. Forced incompetence doesn't look any different to the outside world than ignorant incompetence, so the label's fine by me. If I'd valued the label more than putting food on my family's table, I'd have refused to do it.

Schmoo on April 21, 2009 3:16 AM

In research all of these polls are considered Junk Science.

Why? Because you have no ability to ensure that the respondents are random. In fact, you don't have the ability to work out anything about the respondents unless you ask, and if you do people probably won't bother with the poll.

That is - even if you stop the bodgy votes you are still going to get mainly people who WANT to respond rather than an average Joe. What's more, if it is on a site like Times, you are getting a very non-random demographic of respondents.

Just try this in a scientific journal:
Of people who visited this specific site, and who are interested in the poll topic enough to lodge their opinion...

yeah.... that doesn't hold much weight.

No - this type of poll is only good at finding out general opinions of your demographic of users. So on a site like this a poll on what should be the name of XYZ new site - which happened with stackoverflow - is a great idea. But that's about as far as these polls go.

Philip on April 21, 2009 4:45 AM

@Schmoo: but you knew you were producing bad code, right? I'd say that demonstrates competence. I have to agree with Sam on this - the circumstances need to be fully known before blame can be placed.

Kent Boogaart on April 21, 2009 5:23 AM

I just implemented a poll similar to this myself.

In my poll you can only vote true or false, and I check the inputs so there is no way to overweight a vote.

I have put basic checks in there to stop casual repeated votes (browser cookie - which is obviously 'opt in'), and IP throttling to reduce the impact of script kiddies.

But given the very small dev budget (fairly typical of these little polls I think), what else can be done to protect against 'hackers'? I could not think of anything that was worth the effort...

Jack on April 21, 2009 5:31 AM

Now you can see why there are no online polls for shows like American Idol, etc. When you have to pay X cents a vote, you can vote as often as you want, because both the tv show and the mobile phone network split the proceeds while at the same time getting instant feedback demographics. Genius.

Did you really think any anonymous online poll would mean sh*t?

Polls are hard, lets go shopping. I need a new clown suit.


---
PS @Time to act - f*ck you and your hate. Unless you're an African in Africa, everyone is an immigrant. This is not a politics blog. Read a book and edjucate yer ignerunt face. (Jeff feel free to delete this PS if you delete that hate-spam)
---

clown on April 21, 2009 7:13 AM

Steve W wrote: Seems a bit rich to label those involved as dumb clowns, when only a couple of days ago you were advocating rushing untested software out the door, and only fixing bugs that generated exceptions.

That isn't what he was saying at all. What he was advocating was handling exceptions responsibly instead of trying to fix things that won't ever need to be fixed.

Catching/Handling everything usually doesn't catch the exceptions that you're going to run into in high volume testing / real world scenarios. It can hide problems that should be made obvious, wastes a ton of time for no real benefit, and adversely affects the readability of your code.

Exceptions, like Kung Fu should only be used when they need to be used. There's a reason they're called *Exception* Handlers, instead of *Everygoddmanthing* Handlers.

:) That said the clown comment was a little harsh. Time management is probably more to blame.

Eagan on April 21, 2009 8:21 AM

I'm really surprised at how defensive the comments are here. I'm guessing the tone of the post is what is setting people off. There's only one truth here. The implementation was bad. Laughably bad. To any programmer worth his salt (education), this is a joke. The negligence of this implementation has nothing to do with budget and everything to do with the programmer not putting fundamental practices into use. No range validation tells you exactly how much thought was given to this poll. It's not an oversight... it's lame.

Bonewolf on April 21, 2009 8:26 AM

Funny how many people are being critical of Jeff being critical of poorly written software...

It's called having an opinion (a valid one at that)

HB on April 21, 2009 9:00 AM

I can't tell you how many sites I've hit using the same techniques. Firebug (or Safari's new web inspector) provides the request information needed to send what you want. curl does the rest.

Cory Collier on April 21, 2009 9:06 AM

I have yet to hear how this online poll could be made more hack proof...

(other than range checks - which is a basic oversight I admit)

Jack on April 21, 2009 9:42 AM

These types of mass voting competitions are really fun. A while ago i got caught up in one for voting for your sports team. I was competing with the fans of some Czech team. We were getting thousands of votes every day and the site had a captcha plus an IP restriction of one vote per hour. :)

It was never clear to me whether the Czech fans were auto-voting as well or were just really dedicated, but they kept up.

It's not worth it unless it's challenging.

Job on April 21, 2009 10:16 AM

Bonewolf wrote: "To any programmer worth his salt (education), this is a joke. ... everything to do with the programmer not putting fundamental practices into use."

In my experience implementing fundamental practices is the domain of engineers who've sought out better ways to work after their formal education is over. In fact, that usually happens as a result of making mistakes just like this.

If you think about it, I don't think it's too hard to figure out why there are so many angry comments. The people reading this blog are engineers!

Come on! Think about it! What is the one thing that happened to most of us in school and quite possibly our entire adult life? (Depending on how much DD, cosplay, star trek, and whatever other generally frowned upon past time we're into).

That's right, we got called mean names. Like we needed *those* painful memories brought back up - especially from one of our own! For shame Mr. Atwood. You meanie.

:D

I think this mistake is more likely due to a lack of experience than incompetence.

Eagan on April 21, 2009 10:21 AM

@Eagan
I'm sorry that my comments on Exception-Driven Development were a bit exaggerated. I've found a number of Jeff's posts recently to be OTT and I was responding in kind. I'm sure Jeff doesn't advocate shipping untested software, but I did find a lot of his last post ambiguous.

You say,
"That isn't what he was saying at all. What he was advocating was handling exceptions responsibly instead of trying to fix things that won't ever need to be fixed"

But handling exceptions isn't a new development methodology; it's just good practice. Fixing things that won't ever need to be fixed is fine if you have precognition, but my interpretation of Jeff's post was that you don't know which bugs will need to be fixed, so you don't fix them until a user has encountered them. And if you are not going to fix bugs until a user finds them why waste time testing?

Steve W on April 21, 2009 11:33 AM

I'm beginning web development and I found that session management and authentication are two of the areas that have the least information available about them. Everyone knows SQL injection and cross-site scripting, but with all the tools to do sessions and auth most people don't know what goes on behind it all. Sometimes theoretical knowledge is a must and can't be abstracted very well.

Hoffmann on April 21, 2009 12:34 PM

Jeff, what has got into you lately? The previous blog post had you accusing some programmers of sucking at their job because they didn't use any exception logging statement, and today you are accusing another load of coders of being clowns?

Admittedly, these guys are not doing things in the best possible way but there is no need to be quite so harsh - you don't know what pressures they are under, what experience they have had with the tools available etc.etc.

You used to be the kind of guy that stuck up for the downtrodden coder, the one who tears his hair out everyday worrying about whether he/she is doing everything in the best possible way, the one who has made a whole bunch of mistakes (probably some of which are not too dissimilar to this one) - someone whom many of us could relate to.

I think that the success of SO has maybe gone to your head recently and you are now thinking that you are superior to us everyday programmers....

Calanus on April 21, 2009 1:27 PM

So THAT'S how Obama got elected.

I knew somebody must have screwed that up.

Nick on April 21, 2009 1:32 PM

Men, when will you delete the comment from Time to act?
And yes, the captcha is orange.

Somebody on April 21, 2009 1:45 PM

@Time to act:

Christmas will be eliminated to 'not hurt the foreigners' sensibility', showing no respect for our sensibility... that is the sensibility of the owners' house!!

That's an urban myth! You know, a lie that is believed and propagated because it sounds like it is true, but is still fairly amazing and therefore should be passed on even though you have no evidence that it IS actually true. FYI - people aren't waking up in a bath of ice having had their kidneys stolen either...

Of the organisations that actually say that they are stopping religious activities for this reason, none actually are. On investigation, every one has been found to be using that as a cover excuse to save $$, with no record of a complaint about Christmas/Easter evident.

It isn't a commonly known fact that almost all religions respect each other. But you see religions fighting all the time, right? Nope - look deeper and you will almost always find that they are almost always fighting for land. Culture against culture, not religion against religion.

It is an even less known fact that the Islamic faith believes in Jesus; however, they believe he is a prophet and not the messiah. I have been told by several Muslims (university students) that it is against their faith to speak negatively of a prophet and therefore against their faith to lobby for Christmas or Easter to be eliminated or reduced in any form.

From your arguments it sounds like you are from England (these arguments are common in London). If, like others I have spoken to, you feel that strongly, why don't you form or join a political party and be pro-active about your beliefs rather than pushing them onto this community? You live in a democracy, use it! Be democratic! If they are illegal residents then they DON'T have a say but you do. Advocate, vote, and stand up for what you believe. This type of talk incites anti-democratic activities which will subvert your cause and make the situation worse.

That's my 2 cents....

Philip on April 22, 2009 5:23 AM

Eagan,

I don't disagree with you. I'm not above making mistakes either, and I've learned plenty of hard lessons from them. The difference is my mistakes aren't made from lack of trying to do the right thing.

No range checking, no authentication, etc... Sounds an awful lot like not trying to me. It would be another situation entirely if these things had existed but were just buggy.

I feel for the guy who got reamed for this, but to defend it? Ignorance is a really good reason, but it's a very poor excuse.

Anywho... I thought the post was funny.

Bonewolf on April 22, 2009 11:59 AM

It's not hackers, it's large numbers of bored people with a little bit of time to spare.
This wasn't a great hack, but it would have taken no time at all to set up and the outcome was pretty funny.
Human beings can now collaborate on a massive scale for the most useless of purposes; this is an amazing thing.

- Jessta

Jesse McNelis on April 22, 2009 1:40 PM

@Time to act

If you're from U.S., this is for you: http://www.uwgb.edu/dutchs/PSEUDOSC/ModestProp.HTM

zefi on April 23, 2009 3:38 AM

I think Jeff is unfair.
Unfair to people who hacked it, because being a geek is all about doing something because you can, not because you need a reason. The hack doesn't need to be very complex; I suggest reading how Blu-ray was cracked (well, not exactly cracked, but copying was made possible). Nothing really complicated there, but still amazing.
Also it's unfair to the programmers who did the poll; in a similar manner one could say that the programmer who creates a commenting system with a static captcha is also one of the clowns from the picture....
I get that Jeff's point is that hacking a badly written web app isn't an accomplishment, but I think it was just entertaining for the people who did it, and reading about it is too.

m. on April 23, 2009 6:07 AM

Great article!!! 5 of 5 for sure.

Off topic:
Is the captcha always orange?

HorizonCasinoResortLake on April 24, 2009 9:15 AM

Time may have figured that if disabling fraud detection was OK for Obama's fundraising web site, then it was OK for their poll.

(The claim that Obama raised lots of money from the little people is unverifiable. Since address and name checking was deliberately disabled on Obama's fundraising site, it's entirely possible that most of his funds came from wealthy supporters using legitimate credit and debit cards, but with phony names and addresses to defeat campaign finance restrictions.)

Calvin Dodge on April 25, 2009 11:52 AM

Is this poll meant to be serious, or is it a spoof? I ask, bearing in mind the previous two winners, and the final quote.

http://www.time.com/time/arts/article/0,8599,1894028,00.html

Undoubtedly, many people will question Moot's worthiness of the title world's most influential person. TIME.com managing editor Josh Tyrangiel says that Moot is no less deserving than previous title-holders Nintendo video game designer Shigeru Miyamoto (2007) and Korean pop star Rain (2006). I would remind anyone who doubts the results that this is an Internet poll. Doubting the results is kind of the point.

Steve W on April 27, 2009 7:22 AM

Paul Lamere posted a followup detailing how reCaptcha was circumvented to achieve the result:

http://musicmachinery.com/2009/04/27/moot-wins-time-inc-loses/

David L. on April 28, 2009 11:08 AM

I once saw a poll where you voted for the most beautiful contestant.

You could vote as many times as you liked and the solution to the captcha was embedded in the captcha-image URL.

fhq on April 30, 2009 8:54 AM

Simple. Bad programmers create bad (insecure) code.

There's no logic that says Time hires the best of the lot.

Jagtesh Chadha on May 10, 2009 1:58 PM

Thanks for your information.

web designer on May 18, 2009 12:11 PM

One word comes to mind after reading this.... FAIL

Leon Sodhi on February 6, 2010 11:17 PM

It was a pretty poor implementation, but was there really that much more they could have done? Anonymous online polls are basically impossible to protect from ballot stuffing. No matter how good their IP limiting was, they could still be abused using open HTTP proxies (and you can bet the 4chan crowd have plenty of those lying around). You have to ask yourself how much effort you're willing to invest in preventing the inevitable - if people want to rig an anonymous online poll that much, they're going to find a way.

Simon Willison on February 6, 2010 11:17 PM

Good fun. It just orange to show you that security doesn't have to be hard, just thoughtful.

anon on February 6, 2010 11:17 PM

I don't assume that the developers are clowns, I assume that they are a combination of:

a. Developers who are not well versed in security
b. Employed by people who don't actually care about security

Time doesn't really care about the integrity of its poll or it wouldn't have paid bottom dollar for the security. You can make a safe assumption that this is what they did based on the story presented here. Time is not alone in this. Honestly, they really don't care. If they have a reason to believe that the poll is tampered with, they can either throw it out or write a story about it. Or, if they are feeling really unscrupulous they can simply change the votes themselves.

Their interest is not in a fair and secure ballot. Their interest is in having fodder for a story and giving their readers a sense of investment in the product. Nothing more.

anon on February 6, 2010 11:17 PM

@Time To Act:
Procreate and be happy! The future belongs to those who show up for it. I missed Gran Torino at the cinema, but I'm going to get the DVD since I've heard good things about it.

John Ferguson on February 6, 2010 11:17 PM


Content (c) 2009 Jeff Atwood. Logo image used with permission of the author. (c) 1993 Steven C. McConnell. All Rights Reserved.