Posted by Jerry Stuckle on 11/04/06 04:56
Gordon Burditt wrote:
>>>>>You could try a "I voted on this survey" cookie. If you insist that they
>>>>>accept cookies before even SEEING the survey, this might work well enough
>>>>>for your purposes. They are, however, easily defeatable.
>>>>
>>>>I am sorry, I don't quite get this idea, could you give more details?
>>>
>>>
>>>It's very simple (and very defeatable). For each different thing
>>>they can vote on, define a cookie name, like
>>>"I_VOTED_FOR_Benbrook_DOG_CATCHER_PLACE_53". Perhaps you want to
>>>make this a bit less obvious. If you try to vote for Benbrook Dog
>>>Catcher Place 53 (the place has really gone to the dogs if it needs
>>>53 dog catchers) and this cookie is ALREADY set, they're trying to
>>>vote twice for this race. After they vote, set that cookie.
>>>
>>>This tries to enforce one vote per computer. Or perhaps one per
>>>computer account, if they've got different profiles. That's a
>>>better approximation to one per person than one vote per IP.
>>>
>>>This works (a little) better if you insist that they turn on cookies
>>>before they get to the vote pages. It's easy to defeat if the user
>>>is asked whether to accept cookies and he refuses any set after you
>>>submit the voting page.
>>>
>>>You could perhaps use this in conjunction with IP checking. For
>>>example, you might allow votes from a given IP more often if they
>>>don't have the cookie and haven't been trying to duplicate-vote
>>>recently according to the cookie.
>>>
>>>
>>>
>>>>And one more question, maybe more on the psychological side - what
>>>>actually stops these kids from manipulating digg's content? I guess
>>>>opening 100 accounts shouldn't take too much and it should be enough to
>>>>get any link on top of the list?
>>>
>>>
>>Doesn't work at all. For instance, I have my systems set up to clear
>>all cookies when the browser is closed. And I could also go in and
>>clear the cookies manually at any time.
>
>
> Yes, it does. It means that the kiddies who don't use bots have
> to close and re-open the browser every time, and that slows them
> down by at least a factor of two. Probably more. And manually
> clearing cookies probably doubles the number of mouseclicks or
> keystrokes needed per vote. So it slows down the rate of duplicate
> votes. A little. It also prevents the casual cheaters who don't
> know what a cookie is and give up easily from casting duplicate
> votes.
>
Or just clear the cookies. A couple of clicks with the mouse. No problem.
> As I said, the method is very defeatable. It's a lot like making
> a vault door out of 1-ply toilet paper, which is still better than
> no door at all: it might slow down bank robbers by a second or so.
> More if they can't stop laughing.
>
So defeatable it's not worth doing. Worse than providing no security,
rather it provides the illusion of security.
>
> People spending millions of dollars on elections (like the US
> government and state governments) haven't managed to stop phony
> votes, either. You're certainly not going to do any better without
> even having a voter registration list. All they can do is try to
> reduce the problem.
>
>
>
Yep.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
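An added example, not part of either poster's message: a minimal server-side sketch of the per-poll "I voted" cookie combined with the IP check described in the quoted text, showing which requests each check catches. The `VoteGate` class, the interval constants and the sample requests are assumptions made for illustration.

```python
import time

COOKIE_PREFIX = "I_VOTED_FOR_"  # cookie naming scheme quoted in the thread
BASE_INTERVAL = 60       # assumed: min seconds between votes per IP on one poll
PENALTY_INTERVAL = 3600  # assumed: interval once the IP was caught with the cookie
PENALTY_WINDOW = 86400   # assumed: how long a caught duplicate attempt counts as recent
NEVER = float("-inf")

class VoteGate:
    """Hypothetical server-side check: per-poll cookie plus per-IP throttle."""

    def __init__(self):
        self.last_vote = {}  # (poll, ip) -> time of last accepted vote
        self.last_dup = {}   # ip -> time a request last arrived with the cookie set
        self.tally = {}      # (poll, choice) -> accepted votes

    def submit(self, poll, choice, ip, cookies, now=None):
        """Return (accepted, reason, cookies_to_set) for one vote request."""
        now = time.time() if now is None else now
        name = COOKIE_PREFIX + poll
        if name in cookies:
            # Cookie already set: duplicate attempt. Remember it against the IP.
            self.last_dup[ip] = now
            return False, "cookie", {}
        # No cookie proves nothing (first visit, or cookies cleared), so the
        # IP throttle is the only check left; tighten it after a caught attempt.
        caught = now - self.last_dup.get(ip, NEVER) < PENALTY_WINDOW
        interval = PENALTY_INTERVAL if caught else BASE_INTERVAL
        if now - self.last_vote.get((poll, ip), NEVER) < interval:
            return False, "ip-throttle", {}
        self.last_vote[(poll, ip)] = now
        self.tally[(poll, choice)] = self.tally.get((poll, choice), 0) + 1
        return True, "ok", {name: "1"}

def demo():
    """Constructed requests; 203.0.113.7 is a documentation address."""
    gate, poll, ip = VoteGate(), "Benbrook_DOG_CATCHER_PLACE_53", "203.0.113.7"
    jar = gate.submit(poll, "A", ip, {}, now=0)[2]      # first vote sets the cookie
    return [
        gate.submit(poll, "A", ip, jar, now=10)[1],     # cookie kept
        gate.submit(poll, "A", ip, {}, now=20)[1],      # cookies cleared
        gate.submit(poll, "A", ip, {}, now=3700)[1],    # cleared, after waiting
    ]

if __name__ == "__main__":
    print(demo())
```

The cookie check only catches a client that sends the cookie back; once cookies are cleared, the per-IP interval is what limits the vote rate, and it lowers that rate without preventing the repeat vote.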