Schneier on Security
A blog covering security and security technology.

April 20, 2009

Hacking a Time Poll

Not a particularly subtle hack, but clever nonetheless.

EDITED TO ADD (4/20): Details of the hack.

EDITED TO ADD (4/29): More details.

Posted on April 20, 2009 at 12:10 PM • 25 Comments

Comments

"Much to his surprise, he found that no matter what he did, he was never getting banned by Time.com. Zombocom suspects that his ban immunity may be because he's running an ipv6 stack which may be confusing Time.com's IP blocker."

Obviously a sophisticated, knowledgeable individual.

Posted by: right at April 20, 2009 12:45 PM

I just can't wait to see the voting chaos that ensues when we have our first presidential election online...

Posted by: Bill Clay at April 20, 2009 12:52 PM

"I just can't wait to see the voting chaos that ensues when we have our first presidential election online..."

...and the presidency goes to...Ceiling Cat!

Posted by: Chris at April 20, 2009 1:06 PM

The hacking of a poll isn't a huge thing. I used to control a program on MTV that used internet voting to pick the next video they were going to play. I'd get my choice 9 times out of 10. I was only voting like 300 times a second though.

The elegance of this hack is the arrangement of the first letters, and I think we'll see more of it in the future. Plus, this hack supports 4chan by putting 'also the game' in there too. I think that moot started pulling ahead even before the scripts got in play though.

I believe that mass groups of people on sites like 4chan should be acknowledged by Time for their interest in supporting their King. But if they do, next year will be year of 4chan's Queen, Boxxy.

Posted by: Gonzo at April 20, 2009 1:34 PM

Wow, what a hack! Incidentally, I've hacked this very web site. If you look at the capital letters in the menu on the left you'll see they spell "HBCGNBEOENIAVSSPSCCI". This is an anagram of "Cops Nabbing Chess Vice", which is a warning to Bruce that if he doesn't stop cheating at chess I'll find a way to have him arrested.

Seriously, "marblecake also the game"? Is this supposed to make sense to anyone? Looks to me more like someone figured out that the first letters of the poll results spelled something almost like a sentence and decided to take credit. Either that or it's the final clue in a really, really lame murder mystery pulp novel.

Posted by: Chelloveck at April 20, 2009 1:37 PM

Diebold -- eat your heart out .. see how simple it is :-)

Posted by: sooth sayer at April 20, 2009 1:37 PM

Oh boy. On security, I'm worried about how many institutions leave decisions to internet polls, without checking for tampering.

Posted by: Anonymous at April 20, 2009 1:44 PM

Doing stuff like this is as old as the internet. Given the source, it was probably inspired by 2ch doing the same thing in 2001.

http://www.wired.com/culture/lifestyle/news/2007/...

Vote rigging: When comedian Masashi Tashiro was nominated for Time magazine's Person of the Year in 2001, 2-channelers hacked the voting system and placed multiple votes that propelled him to the No. 1 position over Osama bin Laden and George W. Bush, and crashed Time.com's server. Tashiro -- who is infamous for his blatant sexual harassment and belligerent public behavior -- was removed from the list.

Posted by: Anonymous at April 20, 2009 2:31 PM

@Chelloveck

"Seriously, "marblecake also the game"? Is this supposed to make sense to anyone?"

Seriously, the linked article is more than a paragraph. You could go back and finish it if you really want the answer to your question.

Also, I lost the game.

Posted by: Anonymous at April 20, 2009 2:48 PM

Does Time.com support IPv6 at all, or was that guy just being a retard?

Posted by: nick at April 20, 2009 3:11 PM

I find it to be rather stupid that Time didn't think to disallow the GET decoding and leave only POST open. That would have ended the link baiting campaigns on the forums at the least.

Time's hash + salt technique was slightly clever, but their method of employing it obviously didn't work at all. I'd probably have had the server spit out random salts over an encrypted channel - one which uses an algorithm intentionally designed to take significant computing power to decode rather than provide any real security. An individual casting one vote would not notice the hit to their performance, but a bot would find that to be an insurmountable computational obstacle.

Posted by: Ward S. Denker at April 20, 2009 3:17 PM

This reminds me of the anecdotal citation to accompany the award of the Congressional Medal of Honor which reads: "...for conspicuous gallantry and heroism above and beyond the call of duty while serving as unit ribbons and awards clerk, we hereby award ..."

Posted by: bob at April 20, 2009 3:20 PM

I can remember when GET requests were idempotent.

/me shakes fist at cloud

Posted by: Chris at April 20, 2009 4:37 PM

@Anonymous: I read the whole article. It still doesn't make sense. "marblecake" is apparently an IRC channel on which they discuss "hugraids" and "moralfag stuff", whatever those are. The terms probably mean something to someone, but not to me. The significance of "also the game" is never explained, except that one of the perl scripts was named 'the_game.pl'. There's undoubtedly some deeper significance, given the number of comments that are variations on "I lost the game".

I have no doubt that this guy did what he claims, just trying to point out that to anyone outside of the in-crowd it seems like little more than finding word-like patterns in a random arrangement of letters.

Posted by: Chelloveck at April 20, 2009 4:37 PM

@nick

That's what I immediately wondered. I have an IPv6 tunnel with he.net at home. I can try it out when I get there. My gut reaction is no, they do not.

Posted by: Eric in PDX at April 20, 2009 4:48 PM

Oops, hit the post too soon:

; <<>> DiG 9.4.1-P1 <<>> time.com a
;; QUESTION SECTION:
;; ANSWER SECTION:
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:

And:

erric@fury ~ $ dig www.time.com a
; <<>> DiG 9.4.1-P1 <<>> www.time.com a
;; QUESTION SECTION:
;; ANSWER SECTION:
;; AUTHORITY SECTION:

; <<>> DiG 9.4.1-P1 <<>> www.verio.net a
;; QUESTION SECTION:
;; ANSWER SECTION:
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 102 msec

Posted by: Eric in PDX at April 20, 2009 4:49 PM

; <<>> DiG 9.4.1-P1 <<>> www.time.com a
;; QUESTION SECTION:
;; ANSWER SECTION:
;; AUTHORITY SECTION:
;; Query time: 41 msec

Posted by: Eric in PDX at April 20, 2009 5:00 PM

"Also the game" refers to this http://en.wikipedia.org/wiki/The_Game_(mind_game)

Posted by: Tom Smith at April 20, 2009 7:14 PM

@Chelloveck - "The Game" is a meme. I first heard about it like 10 years ago, I'm sure it's been around longer.

The rules of "The Game" are:

1) Once you start playing, you never stop

Reminding people about the game in subtle or original fashions has become a contest. Similar to a rick roll.

Posted by: jackofarcades at April 20, 2009 7:20 PM

@Chelloveck

You are correct, most of that are various injokes and memes. There is, believe it or not, an encyclopedia on those words and the sub-culture, http://encyclopediadramatica (NSFW). I've described some of the terms below. Enjoy. :-)

"The Game": More or less what jackofarcades said except it is theoretically possible to win the game. However, knowing this requires thinking of the game which means losing it. Confusing? A brief description can be found here: http://www.losethegame.com/memegame.htm

"Moralfags": The suffix -fag seems to be a (derogatory?) synonym for person. Moralfags are those who do stuff for good.

"Marblecake": A "Leaderfag", whatever that is.

"Hug raid": I'm not sure what this is. My guess, a raid for moral purposes, perhaps like the anti-Scientology raids.

"For the lulz": The reason why anything is done. "Why did you break my window?" "For the lulz." Lulz is the corruption of LOLs; laughter at the expense of another; entertainment from someone else's misfortune.

Personally, I think Time was asking for it. Merely adding moot to a candidates list for an online poll is like putting up a "Crack Me!" sign on its front page.

Posted by: DESU DESU DESU DESU DESU DESU DESU DESU DESU DESU DESU DESU DESU DESU DESU DESU DESU DESU DESU DESU at April 20, 2009 10:32 PM

>I read the whole article. It still doesn't make sense

You must have accidentally the whole thing.

Posted by: anon at April 21, 2009 3:00 AM

I used to actually work for a subsidiary of Time and I was at least partly responsible for making sure that there were no glaring security holes in the code that was written before it went live.

One of the biggest problems was that there wasn't enough buy-in from management in this regard and hence the ratio of developers to security auditors was far too high. It simply wasn't possible to read every line of code manually so we used automated tools and random sampling. Clearly, this leaves some room for improvement. Automated tools can pick up a lot but will always miss some things that a competent auditor will see.

Another problem was the quick turnaround required on some code. For instance, the poll can be announced in the magazine or even on the website by the editors and no mention of this made to the developers until a couple of days before it is due to go live. This shouldn't happen, but it does, and because the developers pull an all-nighter to get it up and running, the editors never have to take the blame for it not working. Hence, no incentive to modify their behaviour.

The last problem I will mention here was the varying nature of the developers. Some had good security coding practices and others didn't. Team managers should have been fixing this when auditing code but, as I said earlier, not enough auditing was done.

I believe things have improved a little in the department where I worked but obviously the problem is not a solved one just yet. From my observations at other places I have worked and/or audited, these problems are not unique to Time.

Posted by: David Keech at April 21, 2009 8:53 AM

David Keech,

"I used to actually work for a subsidiary of Time. Management were idiots. Some of the programmers were idiots. We used automated tools to try and catch the idiots, but nobody tried to correct their practices. I no longer work for this company."

See, much shorter. ;)

Your story, differing only in some details, is the story of pretty much every programming job I've ever worked and, I imagine, the story of every programmer I've ever worked with too. I'd love to find a place where the technical staff was well-understood by management, their concerns were actually listened to, and every one of my colleagues was competent in his/her work. If I do find such a place, I suspect I'll be riding a unicorn to work over the chocolate river, through the candy cane forest to gumdrop mountain...

Posted by: Ward S. Denker at April 21, 2009 12:51 PM

To expand on what DESU said, marblecake is the IRC channel (maybe also the name of the owner of that channel) where the Scientology protest raids/videos were first conceived and coordinated.

Posted by: Anonymous at April 21, 2009 7:14 PM

@David Keech: I'm puzzled. A voting app is almost trivial. If you already use a standard framework for presentation layer and db access (as pretty well every serious web site does do), then in any modern high-level language the business logic should take only a few dozen lines. And that's *with* security checks. How on earth did they manage to bloat such a simple thing to the extent it was unauditable? I admit I've never done any Flash development -- but can it really be that horrible?

Posted by: Roger at April 24, 2009 4:07 AM
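Ward S. Denker's comment (POST-only ballots, a server-issued salt, and a deliberately expensive step that one voter never notices but a bot cannot afford) and Roger's remark that the business logic of a voting app with security checks fits in a few dozen lines both describe the same small design. The following is an added example of that design, written for this page; it is not Time.com's code and nothing is known about how Time's hash + salt scheme actually worked. It replaces Ward's "expensive encrypted channel" with a hashcash-style proof-of-work on the ballot, which is the usual way to impose that kind of asymmetric cost. All names (PollServer, issue_ballot, cast_vote, check_proof, solve_proof, difficulty_bits) and the sample candidates are hypothetical.

```python
"""
Added example (not the page's or Time.com's code): a minimal poll endpoint
with three defences against scripted voting.

  1. A ballot is counted only on POST; a GET link pasted on a forum
     cannot cast a vote.
  2. The server issues each ballot an HMAC-signed, time-limited,
     single-use token, so the client cannot mint its own "hash + salt"
     and cannot replay one it was given.
  3. The ballot must carry a small proof-of-work over (token, choice),
     cheap for a human voter, expensive for a bot at volume.

No web framework is used; cast_vote() takes the HTTP method and the
form fields directly so the logic can be exercised offline.
"""
import hashlib
import hmac
import os
import secrets
import time


def check_proof(token, choice, proof, difficulty_bits):
    """Proof-of-work check: SHA-256(token:choice:proof) must start with
    difficulty_bits zero bits. Binding the token and choice into the hash
    means a proof cannot be reused for another ballot or candidate."""
    digest = hashlib.sha256(f"{token}:{choice}:{proof}".encode()).digest()
    leading = int.from_bytes(digest[:4], "big")
    return (leading >> (32 - difficulty_bits)) == 0


def solve_proof(token, choice, difficulty_bits):
    """What an honest client does once per ballot: try nonces until the
    check passes. Expected cost is 2**difficulty_bits hashes per vote."""
    proof = 0
    while not check_proof(token, choice, proof, difficulty_bits):
        proof += 1
    return proof


class PollServer:
    def __init__(self, choices, difficulty_bits=16, ttl_seconds=600, now=time.time):
        self.choices = set(choices)
        self.difficulty_bits = difficulty_bits
        self.ttl = ttl_seconds
        self.now = now                      # injectable clock (for tests)
        self.secret = os.urandom(32)        # HMAC key, never sent to clients
        self.used_tokens = set()            # enforces single use
        self.tally = {c: 0 for c in choices}

    def issue_ballot(self):
        """Return 'nonce:issued_at:tag'; the tag is an HMAC the client
        cannot compute, so this is the server-chosen salt Ward describes."""
        nonce = secrets.token_hex(16)
        issued = int(self.now())
        body = f"{nonce}:{issued}"
        tag = hmac.new(self.secret, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}:{tag}"

    def _token_valid(self, token):
        try:
            nonce, issued, tag = token.split(":")
            issued = int(issued)
        except ValueError:
            return False
        body = f"{nonce}:{issued}"
        expected = hmac.new(self.secret, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return False                    # forged or tampered token
        if self.now() - issued > self.ttl:
            return False                    # expired token
        return token not in self.used_tokens

    def cast_vote(self, method, token, choice, proof):
        """Return (accepted, reason). Checks are ordered cheapest first so
        a flood of bad requests costs the server as little as possible."""
        if method != "POST":
            return False, "method"
        if choice not in self.choices:
            return False, "choice"
        if not self._token_valid(token):
            return False, "token"
        if not check_proof(token, choice, proof, self.difficulty_bits):
            return False, "proof"
        self.used_tokens.add(token)
        self.tally[choice] += 1
        return True, "ok"


def demo():
    """Constructed walkthrough with hypothetical candidates: one honest
    ballot, then a GET link, a replay, and a tampered token."""
    srv = PollServer(["moot", "someone else"], difficulty_bits=12)
    tok = srv.issue_ballot()
    proof = solve_proof(tok, "moot", srv.difficulty_bits)
    outcomes = {
        "get_link": srv.cast_vote("GET", tok, "moot", proof)[1],
        "honest": srv.cast_vote("POST", tok, "moot", proof)[1],
        "replay": srv.cast_vote("POST", tok, "moot", proof)[1],
        "forged": srv.cast_vote("POST", tok[:-1] + "0", "moot", proof)[1],
    }
    return outcomes, dict(srv.tally)


if __name__ == "__main__":
    print(demo())
```

The difficulty is the tuning knob Ward alludes to: at 16 bits an honest browser spends a fraction of a second per ballot, while a script voting hundreds of times a second (the rate Gonzo mentions) is throttled by CPU rather than by an IP blocker, which is also why the IPv6 question raised in the thread stops mattering for this control.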