Great Circle Associates List-Managers
(July 2002)

Subject: Re: Surveying list users.
From: Nick Simicich <njs @ scifi . squawk . com>
Date: Sat, 13 Jul 2002 01:15:14 -0400
To: Chuq Von Rospach <chuqui @ plaidworks . com>, list-managers <list-managers @ greatcircle . com>
In-reply-to: <B954DB29 . 47C0B%chuqui @ plaidworks . com>
References: <5 . 1 . 0 . 14 . 2 . 20020712213716 . 0798e198 @ 127 . 0 . 0 . 1>

At 07:14 PM 2002-07-12 -0700, Chuq Von Rospach wrote:
Trivial to override, which makes the data pretty useless if someone stuffs
50,000 sets of votes in around the cookie. I'm still at risk of some hacking
attempts (the easy one is a @ chuqui . com, aa @ chuqui . com,
ab @ chuqui . com, ad infinitum) but I think it's manageable. If necessary,
I can invalidate an entire domain that seems to be scripted in.

The people at MLB do something fairly simple for their all star voting to stop scripting, and I think it is a pretty good idea.... They throw up a dynamically generated gif which is a six digit number but which is generated and has a name that does not change, and they hand the user a cookie (or a hidden form field or something). The user has to type in the number off of the GIF into the form, and they compare it against the random that is associated with the form --- it has to match or the vote is not accepted. It makes it hard to script the voting---or at least I have not heard of anyone who has written a character recognition thing to automate the form fillout for the voting.

If someone wants to vote manually a couple hundred times I do not care, I don't think, not against the size turnout you want. I am worried about 1000 votes, maybe...although I would think that if you simply recorded ip addresses (or even an MD5 of each octet) that would settle automated voting down.

An MD5 hash of each octet of the IP address, the top two qualifiers of the domain name, an MD5 of the e-mail address, (maybe two MD5s, localpart and domain) and the actual timestamp. That should make any scripting pretty easy to detect if there is a question. I hope you will publish the actual raw data and not just the summaries, so long as there is no reversible stuff that can be traced to any individuals.

"Forgive him, for he believes that the customs of his tribe are the laws of nature!"
 -- George Bernard Shaw (1856-1950)
Nick Simicich - njs @ scifi . squawk .
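The per-vote record described in the message above, with a burst check run over it, as an added example that is not part of the original message. It substitutes keyed HMAC-SHA256 for plain MD5, because an unkeyed hash of a single octet has only 256 possible inputs and can be reversed by enumeration; the key, field names, thresholds, the choice to take the top two domain labels from the e-mail domain, and the sample votes are all assumptions.

```python
import hashlib
import hmac

SECRET = b"constructed-survey-key"  # assumption: per-survey secret, destroyed before publishing

def tag(value: str) -> str:
    """Keyed, truncated digest of one field (stands in for the MD5 in the message)."""
    return hmac.new(SECRET, value.lower().encode(), hashlib.sha256).hexdigest()[:12]

def vote_record(ip: str, email: str, timestamp: int) -> dict:
    """Reduce one vote to the listed fields without keeping the raw IP or address."""
    local, _, domain = email.rpartition("@")
    return {
        # One digest per octet, bound to its position, so votes still group by prefix
        "ip": [tag(f"{i}:{octet}") for i, octet in enumerate(ip.split("."))],
        "local": tag(local),
        "domain": tag(domain),
        "top2": ".".join(domain.lower().split(".")[-2:]),  # top two labels, in clear
        "ts": timestamp,
    }

def flag_scripted(records, max_per_group=3, window=60):
    """Return group keys that saw more than max_per_group votes within `window` seconds."""
    groups = {}
    for r in records:
        for key in (("net24", *r["ip"][:3]), ("domain", r["domain"])):
            groups.setdefault(key, []).append(r["ts"])
    flagged = set()
    for key, stamps in groups.items():
        stamps.sort()
        # Any run of max_per_group + 1 consecutive timestamps that fits in the window
        if any(stamps[i + max_per_group] - stamps[i] <= window
               for i in range(len(stamps) - max_per_group)):
            flagged.add(key)
    return flagged

# Constructed sample: five scripted votes from one /24 and one domain, three organic votes
SAMPLE = [vote_record(f"192.0.2.{10 + i}", f"{name}@example.com", 1000 + 2 * i)
          for i, name in enumerate(["a", "aa", "ab", "ac", "ad"])]
SAMPLE += [
    vote_record("198.51.100.7", "pat@example.org", 1005),
    vote_record("203.0.113.9", "lee@example.net", 4000),
    vote_record("198.51.100.200", "sam@mail.example.org", 9000),
]

if __name__ == "__main__":
    for key in sorted(flag_scripted(SAMPLE)):
        print("possible scripted voting:", key)
```

Publishing these records is only non-reversible while the key stays secret, and the clear-text `top2` field narrows the domain digest, so it should be dropped from any public release if small domains are present.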

