Schneier on Security
A blog covering security and security technology.
« New DHS Head Understands Security |
| FBI Stoking Fear »
November 27, 2008
Victoria's Secret Competition Gets Hacked
Colleges aren't assigning enough homework these days.
In seriousness, it's hard to prevent ballot stuffing in online polls.
Posted on November 27, 2008 at 8:39 AM
• 40 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
You forgot to mention who Victoria's Secret is and what the comp is about, for those of us not from the US (who have not watched M.I.B.II).
In all seriousness, I agree colleges are not assigning enough homework! ;-)
The ultimate winners in the online ballot stuffing competition must be the men and women of bestactever.com - they voted for Rick Astley in the MTV European Awards and gave him something like a billion votes. Much to the obvious dismay of MTV come presentation night.
At the very least they could have limited to one vote per IP-address. That's rules out people using a quick script from a single computer.
"You forgot to mention who Victoria's Secret is and what the comp is about, for those of us not from the US (who have not watched M.I.B.II)."
That's what the embedded URL is for.
@A nonny bunny: One vote per IP address also means, in most cases these days, one vote per household and one vote per corporate gateway, which isn't necessarily what is desired.
And in MTV's case, they were quite happy with people ballot stuffing via their browser. It increases pageviews, and hence ad impressions, quite a lot...
"At the very least they could have limited to one vote per IP-address. That's rules out people using a quick script from a single computer."
It's worse than that -- this was done through Facebook, so all the voters are _already authenticated_. All they had to do was not allow people to vote more than once... >.
You forget the Time Person of the Century competition they tried to run online once, which ended up with a minor Irish soccer player (Ronnie O'Brien) leading the pack ahead of Martin Luther King and Albert Einstein. A convenient 'computer crash' at Time put an end to that.
An anti-British song sung by a band called The Wolfe Tones, A Nation Once Again, did manage to win BBC World Service's 'best ever song' competition, though.
Well, this could have been homework. You know, one of those extra-credit options for a computer security class - illustrate weaknesses in current mainstream web sites in a non-destructive manner... :-)
Leave it to nerds to hack VS for such a lame reason. On a slightly more serious note, there is no way bragging about such exploits to the media is going to be good for their future.
For a start:
* Limit votes to one per IP;
* Also one per session;
* Also sign the form URL uniquely (corresponding to the IP used to display the original Web page) so you can de-dupe clicks from URLs which get copied into scripts.
I really love the fact that this compo was hacked, and I don't really think VS should've done anything against the hackers. I mean - what's the message we want to deliver to our students? Shouldn't the smartest kids get the lingerie-clad college award, or whatever ridiculous handout they're giving out?
Rather than ballot stuffing, would this be a case of online bra stuffing?
MoveOn solved this problem, for some applications: With each vote, collect an email address and phone number (and get people to agree that they *may* get a phone call). After the close of the vote, call back a random sample of voters to check on them.
When you've got an online poll with real consequences, it's worth the expense. MoveOn did this for the online poll to determine whether they should endorse Barack Obama.
(MoveOn also sent each member an online "ballot" with a unique code in the URL, but I think the bigger part of the security and trustworthiness of their poll comes from the phone call protocol)
"For a start:
* Limit votes to one per IP; "
No, for reasons stated above. You can have thousands of people sharing the same corporate proxy server, so they would only be able to cast one single vote. And on the other hand, ballot stuffers could still use scripts through a proxy network like TOR to submit fake votes.
The idea of voting is that it's one vote per person, not one vote per Internet gateway. One is not an acceptable substitute for the other. One vote per Facebook account or per email address is a closer match to what is desired. And yet even that is not perfect.
Surely this is a case for a use of a ReCaptcha
May not stop the vote stuffing, but at least will require the vote-stuffers to digitize a few books in order to win.
How is that a solution? Anybody can generate unique (and valid) email addresses until the cows come home. They can also give bogus phone numbers if the only "consequence" is a small random sample of them being invalidated. Any such challenge/response system is fundamentally flawed, not the silver bullet that you seem to think it is.
Shouldn't those people sharing the same corporate server be doing actual corporate work rather than voting on spurious polls?
I really don't see the problem in limiting it per IP. Better than allowing a million votes from the same IP on the off chance it's a very big family/company.
And sure, someone that desperately wants to stuff the ballots would find a way, but you don't have to make it this easy. In the end they could use any technique spammers use, including automating the registering of innumerable email addresses and accounts and employing botnets. But at least it'd take a bit more effort than running a script you can write in 5 minutes.
Preventing multiple voting by the same person is an issue that cannot be solved without unforgable proof of an individuals ID, that also cannot be duplicated, and where the authentication of such ID cannot be reused.
Like that of age verification this is not a simple problem to solve, especially when the individual would wish to remain anonymous.
Although not impossible there are currently no systems in place to facilitate it.
I suspect that in our current climate "those that be" will not alow a fully anonymous system to be put into place.
So the issue will remain unresolved for now.
I vote per second / 5 seconds / 10 seconds etc. per IP address.
Might be resource hungry for large polls.
That comment above should read
1 vote per second / etc.
Other people have commented on one vote per IP.
One vote per browser session, I can write a script that will create a browser session per vote.
Regarding signature... if the form contains a unique id for a real submission, a script can generate a unique id per submission. Although if you embedded the time into various bits of the id, you could post-verify if the "random" id was submitted at close to the same time as the form was submitted.
Even easier, if you're willing to suffer one or two orders of magnitude drop in voting numbers, is one vote per registered account (as has been mentioned a few times already); but then you don't get to put out a marketing statement of how many people responded to your poll... conservatively reduced to account for scripts... perhaps only millions :-)
"That's what the embedded URL is for."
And it was not very informative...
As I was lying here in bed the nurse beside me asked what I was doing and I showed her.
And as she appears to be up for a giggle I asked her with a straight face if she knew who Victoria's Secret was and she said yes and she had some of their "long jane" bed wear.
So to push my luck pulled up one of their adds on my mobile and asked her what "ultra-cut underwear was" and her reply was,
"Three pieces of dental floss and a satin hamock for a mouse"
Ah the joys of the UK's NHS where else would you get such informed and well rounded examples of nurses to help you at your bedside...
> I really don't see the problem in limiting it per IP.
First, it doesn't prevent ballot stuffing to any meaningful extent. There are plenty of computer geeks out there with easy and more-or-less legitimate access to entire Class A networks, and then there are the real bad guys, who have botnets.
Second, even if we assume that all online polls are inherently inappropriate for corporate users (which admittedly is fairly close to the current state of affairs, perhaps *because* of the ballot-stuffing problem that prevents anything really meaningful from being decided by online poll), nonetheless, not everyone who shares an IP address is a corporate user who shouldn't be wasting time voting in online polls. It's not unheard-of for a home user's web traffic to run through an ISP's proxy. More to the point, something that's *very* common is for people who don't have internet access at home (a significant percentage of the population of North America, and in some parts of the world the overwhelming majority) to use the internet at a public library, coffee shop, or other public-access location.
Actually, I can simply both reasons into a single statement for you: 20% of the population controls 80% of the IP addresses.
This is not a very big deal for something like a Victoria's Secret poll, but there again, what happened is not a very big deal in that case either. But if we're talking in general about solving the problem of ballot stuffing in online polls, the one-vote-per-IP-address approach is worse than useless.
Generating a "unique key" for the form each time is also useless. The user (or script) just has to retrieve two pages instead of one each time he stuffs the ballot. You can complicate it to increase the number of required page loads (three, four), at the expense of hassling the regular non-ballot-stuffing users with extra clicking and waiting, but the ballot stuffers will not be significantly deterred by this.
Clive - I truly hope she models them for you on her next shift.
And if she does, please capture the moment on your phone and I'll send you details of a safe drop.
Shouldn't you be in private care btw?
I wanna hack victorias secret, I know that DHS has some super clothes penetrating radar, but I also remember someone telling me about some light or devise that can see through synthetic fibre clothing, cant remember if it was UV or IR, and apparently you need the special goggles.
"And if she does, please capture the moment on your phone and I'll send you details of a safe drop."
If she does I will probably be in urgent need of the crash cart and it's team...
"Shouldn't you be in private care btw?"
I think from some of your earlier posts (on shopping bar codes) you are a UK resident.
I'm therfore guessing that you are not yet of an age to have much use for health care in the UK. Otherwise you might be aware of one or two of the dirty little "private healthcare" secrets.
They effectivly cherry pick the easy work (as they cannot do critical care) and supply nice rooms and food, but they are no good at the real or emergancy problems and have no Intensive therapy/care facilities. Which is why it is not unknown for a private hospital to call an ambulance to take a patient to an NHS emergancy hospital when they have an emergancy such as post operative toxic shock etc.
Also they are not covered by many of the safety regulations (such as fire) that NHS hospitals are, and often their staffing ratios of qualified medical personel to patients is very poor.
So my view is if there is a significant risk (and there is in my case) of there being complications "cut out the middle man" and forgo the minimal pleasures of the private sector, for the sake of living...
"...remember someone telling me about some light or devise that can see through synthetic fibre clothing, cant remember if it was UV or IR, and apparently you need the special goggles."
Most likley it was to do with a range of designer swimware that was (supposadly) transparent to UVA/UVB to help the wearer avoid "bikini marks".
However I think in reality it would at best have been translucent as it was of woven fiber.
Alternativly you might have been told about near IR that will go through some light summer cloathing. At some point in the IR spectrum all cloathing becomes translucent, however as you move down the spectrum from visable light you quickly lose detail. You only have to look at a "thermograph" of a human to see just how much surface detail is lost.
And as has been observed "on the surface" of it "the devil is in the details" ;)
Good point(s) and well presented.
Here's wishing you a short and successful stay!
One vote per IP address?
MIT has a class A, 18.*.*.*. That gives them 16.8 million IP addresses, depending on how they subnet them, etc.
Somebody at their NOC could easily stuff the ballots with unique IP addresses.
That's supposed to be an argument? That someone in the network operating center might abuse their power to ballot-stuff an internet poll? That's even less likely than one of the people running the poll stuffing the ballot.
@A nonny bunny:
I considered it a statement of facts rather than an argument. Knowing how many unique IP addresses MIT has seemed somewhat relevant, given how many people were suggesting one IP per vote would solve the problem.
Would the NOC guys do this? Probably not, but I wouldn't put a lot of money on it.
http://hacks.mit.edu/ covers a lot of MIT hacks.
If they could do it safely, I wouldn't be surprised to see it happen.
My favourite competition subversion attempt was Manchester City Football Club's on-line poll to decide what to name the West stand. Popular sentiment was that it should be named after Colin Bell, a former player, but Manchester United fans hi-jacked the poll and suggested that it be called the 'Bell End', which has an entirely different meaning in that part of the world.
"but Manchester United fans hi-jacked the poll and suggested that it be called the 'Bell End', which has an entirely different meaning in that part of the world."
It was probably less than "tounge in cheek" revenge for the obscene amount Manchester City Football Club charge for their replica kit etc.
In all probablity "the managment" think their fans tug their "bell end" as an almost continuous activity...
How about hashcash?
"That's what the embedded URL is for."
Bruce - this does not help. The only explanation from the link is:
"With more than 5 million votes registered, Drexel University had overwhelmed the Victoria's Secret online poll to become the first school to be added to the Pink Collegiate Collection."
I have no idea what this means. Can someone explain?
I believe Slashdot (http://slashdot.org/pollBooth.pl?qid=1683&aid=-1) has the last word on such doings:
``This whole thing is wildly inaccurate. Rounding errors, ballot stuffers, dynamic IPs, firewalls. If you're using these numbers to do anything important, you're insane.''
@Clive Robinson: ``You forgot to mention who Victoria's Secret is and what the comp is about, for those of us not from the US (who have not watched M.I.B.II).''
That's beside the point. Everything you need to know is that there is an entity conducting an online poll: that'll allow you to understand the security aspects. Admittedly, knowing what _Victoria's Secret_ is will brighten the day of roughly 50% of readers, but ... :-)
Oh yeah, get well soon. Or, better, have gotten well by the time I posted this comment.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.