How Not to Conduct an Online Poll

It would be clever to let all sorts of obvious bullshit votes through, and then post-process the results later. (Remove out-of-range, obvious bot votes, etc, after the voting is closed.)

You avoid an arms race that way.

Our server team had this written on the wall:

Make sure that everything you send is valid, assume that everything you receive is invalid.

Simon’s right (as usual, I might add). If you allow anonymous voting, you’re going to create a vulnerability. But most of the time, you can handle vote-rigging in the way IvyMike suggests. You simply toss out the extreme values, whether they’re valid or not. It’s worked beautifully for me in the past. In a way you’re taking the Google approach over the Microsoft approach, by using statistical techniques to get you a pretty good and robust answer.
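The approach IvyMike and this reply describe, server-side validation at ingestion followed by post-processing that discards out-of-range values, obvious bot bursts and statistical extremes, as an added example (not code from the original thread or from Time.com). The ballot, the rating range, the per-source cutoff and the constructed sample votes are all assumptions chosen for illustration:

```python
from collections import Counter

# Constructed example ballot and rating range (assumptions, not Time's poll).
CANDIDATES = {"moot", "rain", "oprah"}
MIN_RATING, MAX_RATING = 1, 100


def validate_vote(raw):
    """Server-side check of one submitted vote (a dict of request parameters).

    Returns (source, candidate, rating) for an acceptable vote, or None.
    Nothing from the client is trusted: the candidate must be on the ballot and
    the rating must parse as an integer inside the allowed range.
    """
    candidate = raw.get("candidate")
    if candidate not in CANDIDATES:
        return None
    try:
        rating = int(str(raw.get("rating", "")).strip())
    except ValueError:
        return None
    if not MIN_RATING <= rating <= MAX_RATING:
        return None
    return (raw.get("source", "unknown"), candidate, rating)


def drop_bursty_sources(votes, max_per_source):
    """Post-processing: discard every vote from a source that cast more than
    max_per_source votes, the crude 'obvious bot' signal from the comment."""
    counts = Counter(src for src, _, _ in votes)
    return [v for v in votes if counts[v[0]] <= max_per_source]


def trimmed_mean(values, trim_fraction):
    """Mean after discarding the top and bottom trim_fraction of values,
    so a handful of extreme ratings cannot drag the result around."""
    ordered = sorted(values)
    k = int(len(ordered) * trim_fraction)
    kept = ordered[k:len(ordered) - k] or ordered
    return sum(kept) / len(kept)


def tally(raw_votes, max_per_source=3, trim_fraction=0.1):
    """Whole pipeline: validate at ingestion, then post-process after close."""
    accepted = [v for v in (validate_vote(r) for r in raw_votes) if v is not None]
    accepted = drop_bursty_sources(accepted, max_per_source)
    by_candidate = {}
    for _, cand, rating in accepted:
        by_candidate.setdefault(cand, []).append(rating)
    return {c: round(trimmed_mean(r, trim_fraction), 1) for c, r in by_candidate.items()}


# Constructed sample traffic: honest votes plus the kinds of junk the comment
# says can be let through and removed later.
SAMPLE_VOTES = (
    [{"source": f"192.0.2.{i}", "candidate": "rain", "rating": "70"} for i in range(1, 6)]
    + [{"source": f"192.0.2.{i}", "candidate": "rain", "rating": "75"} for i in range(6, 11)]
    + [{"source": "192.0.2.20", "candidate": "rain", "rating": "100"}]
    + [{"source": "192.0.2.21", "candidate": "oprah", "rating": "40"}]
    + [{"source": "192.0.2.22", "candidate": "oprah", "rating": "60"}]
    + [{"source": "192.0.2.30", "candidate": "rain", "rating": "9999"}]    # out of range
    + [{"source": "192.0.2.31", "candidate": "moot", "rating": "abc"}]     # not a number
    + [{"source": "192.0.2.32", "candidate": "cthulhu", "rating": "50"}]   # not on the ballot
    + [{"source": "203.0.113.9", "candidate": "moot", "rating": "100"}] * 40  # one-source burst
)

if __name__ == "__main__":
    print(tally(SAMPLE_VOTES))
```

The range check rejects the 9999-style votes at the door; the burst filter and trimmed mean run once voting has closed, so there is no live rule for a voter to probe and adapt to, which is the arms race IvyMike wants to avoid.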

I’m somewhat skeptical about all the claims made in the post about the hack.
Time.com doesn’t even have IPv6.

Thanks for the breakdown, I really enjoyed it. Any chance you might have an article waiting in the wings for some suggestions?

Heh, Victoria’s Secret had a very similar contest last fall, where you could vote for the next college to become part of its Pink line of underwear.

http://www.uwire.com/Article.aspx?id=3569898

At first you could vote just by sending an HTTP request with the right URL parameters. After they first realized they had a problem, they changed it so you needed to add a voted=true to the URL. Laughable.

Next they added an MD5 checksum with a salt (just like Time), but of course the salt was embedded in the Flash, so that was broken in not too long.

Finally they just froze the vote totals of the top schools at the time. Since MIT could no longer vote for itself, they decided to vote for the most conservative of schools for hilarity, including Bob Jones University and Zion Bible College.
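The checksum design this comment describes, alongside the fix a practitioner would reach for, as an added example (not code from the original thread, from Time or from Victoria's Secret). Pattern A is an MD5 over a salt plus the vote fields with the salt shipped inside the client, so the server's check only proves the sender holds a value every client already has. Pattern B keeps the key on the server: it issues a one-time HMAC-tagged ballot token when the ballot page is served and rejects any submission whose token is forged or reused. The salt, key and message layout are constructed placeholders:

```python
import hashlib
import hmac
import secrets

# Pattern A, as the comment describes it: the "secret" ships with the client.
# Constructed placeholder salt standing in for whatever was embedded in the Flash.
CLIENT_SALT = b"constructed-salt-embedded-in-the-swf"


def client_checksum(candidate, rating, salt=CLIENT_SALT):
    """The checksum the client computes; anyone holding the client can run it."""
    return hashlib.md5(salt + f"|{candidate}|{rating}".encode()).hexdigest()


def verify_pattern_a(candidate, rating, checksum):
    """Server-side check. It establishes only that the sender knows the salt,
    and the salt is public, so this adds no integrity beyond the bare request."""
    return hmac.compare_digest(checksum, client_checksum(candidate, rating))


# Pattern B: the key never leaves the server. A ballot token is issued when the
# ballot is served and must come back, unspent, with the vote.
class BallotServer:
    def __init__(self, key=None):
        self.key = key or secrets.token_bytes(32)   # server-only HMAC key
        self.spent = set()                          # nonces already used to vote

    def _tag(self, nonce):
        return hmac.new(self.key, nonce.encode(), hashlib.sha256).hexdigest()

    def issue_ballot(self):
        """Called when the ballot page is rendered: returns 'nonce.tag'."""
        nonce = secrets.token_hex(16)
        return f"{nonce}.{self._tag(nonce)}"

    def submit_vote(self, token, candidate, rating):
        """Accept a vote only with a genuine, unspent token. Returns a status string."""
        try:
            nonce, tag = token.split(".", 1)
        except ValueError:
            return "rejected: malformed token"
        if not hmac.compare_digest(tag, self._tag(nonce)):
            return "rejected: bad tag"       # not issued by this server
        if nonce in self.spent:
            return "rejected: replay"        # same ballot submitted twice
        self.spent.add(nonce)
        return f"accepted: {candidate}={rating}"


if __name__ == "__main__":
    # Pattern A: a checksum produced outside the real client verifies just fine.
    print(verify_pattern_a("mit", 100, client_checksum("mit", 100)))
    # Pattern B: one token, one vote.
    server = BallotServer()
    token = server.issue_ballot()
    print(server.submit_vote(token, "mit", 100))
    print(server.submit_vote(token, "mit", 100))
```

The token proves a vote arrived through a ballot the server actually served and that it is not a replay; it does not, on its own, stop a client that fetches a fresh ballot for every vote, so it belongs next to rate limiting, registration or the post-hoc filtering discussed earlier in the thread rather than in place of them.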

I agree man; Time totally dropped the ball here.

I was actually contracted by a company to exploit a poll in my younger, more naive, days and I’m always amazed how easy it still is to compromise an online poll. I maintain it’s inexcusable; it’s easier to implement some obvious integrity checking than most people think. It just takes a little forethought into how you could hack the poll.

::Shameless Plug::
BTW, I wrote a post about this on my blog a couple days ago that goes into some detail about how to prevent this sort of fiasco.

LOL! Hilarious!! Excellent case study though!! :slight_smile:

Having done some work on small pieces and modules like this on a few Time.com projects (third party marketing firm I do contract work for) - I almost want to doubt that Time even did this internally, though it’s entirely possible.

This should have been on TheDailyWTF instead. Ha.

P.S.: Why does your captcha always just show orange? I don't remember seeing anything other than orange.

I guess the fact that their site wasn’t throwing exceptions lulled them into a false sense of security.

I bet the ‘clowns’ a) had certifications and/or were ‘degreed’.

The reason the poll was broken was because Time didn’t give a shit. No online poll works, because you have absolutely no idea who’s voting or why. If the poll gave screwy results, Time would just flush it down the toilet. If it gave them a result they could babble on about, they’d keep it. Validity is a distant second.

The hackers just hacked something that no-one cared about. That’s why it was so easy.

Marblecake? I might have missed that meme completely.

Time definitely lost the game; but they’ve been losing it for a LONG time.

Thank you.

I was tempted to post something like this myself but decided against it… at least I know I wasn’t alone in reading that and thinking right away “This isn’t a clever hack, it’s just bad programming in action.”

Just goes to show, bad programming is everywhere! :slight_smile:

Black Sunday is the greatest hack (or reverse hack) of all time. Absolutely astounding.

It’s difficult to understand how otherwise outstanding programmers can be so incredibly incompetent when it comes to simple security like this.

Seems a bit rich to label those involved as dumb clowns, when only a couple of days ago you were advocating rushing untested software out the door, and only fixing bugs that generated exceptions.

As you said,
Your software will ship with bugs anyway. Everyone’s software does. Real software crashes. Real software loses data. Real software is hard to learn, and hard to use. The question isn’t how many bugs you will ship with, but how fast can you fix those bugs?

Besides, it might have been more helpful to explain how you would have avoided these issues.

The worst magazine survey had to have been from Software Development. They were having a contest: answer a series of computer trivia questions, multiple guess, and have a chance to win. Went and gave it a try, and as soon as you hit the submit button you got back a dialog saying how many you had answered. This being pre-AJAX, I looked at the code to see how they did it, and there in the JavaScript was an array with the question number and answer.

Not doing server-side bounds-checking was certainly a clownish mistake, but beyond that I don’t see the stark contrast between Time and DirecTV that your post tries to set up. They are both fundamentally facing the same impossible problem: trying to authenticate users with a token that can be examined, reproduced, and faked. The obvious ways for Time to improve their security (e.g. requiring email-verified user registration) were likely ruled out by business requirements. The Black Sunday anti-hack was delivered with more panache, but that panache didn’t ultimately secure DirecTV against what is simply a theoretically impossible problem.