How Not to Conduct an Online Poll

I’m beginning web development and I found that session management and authentication are two of the areas that have the least information available about them. Everyone knows SQL injection and cross-site scripting, but with all the tools to do sessions and auth most people don’t know what goes on behind it all. Sometimes theoretical knowledge is a must and can’t be abstracted very well.

Jeff, what has got into you lately? The previous blog post had you accusing some programmers of sucking at their job because they didn’t use any exception logging statement, and today you are accusing another load of coders of being clowns?

Admittedly, these guys are not doing things in the best possible way but there is no need to be quite so harsh - you don’t know what pressures they are under, what experience they have had with the tools available, etc., etc.

You used to be the kind of guy that stuck up for the downtrodden coder, the one who tears his hair out everyday worrying about whether he/she is doing everything in the best possible way, the one who has made a whole bunch of mistakes (probably some of which are not too dissimilar to this one) - someone whom many of us could relate to.

I think that the success of SO has maybe gone to your head recently and you are now thinking that you are superior to us everyday programmers…

So THAT’S how Obama got elected.

I knew somebody must have screwed that up.

Men, when will you delete the comment from Time to act?
And yes, the captcha is orange.

@Time to act:

Christmas will be eliminated to ‘not hurt the foreigners’ sensibility’, showing no respect for our sensibility… that is the sensibility of the owners’ house!!

That’s an urban myth! You know, a lie that is believed and propagated because it sounds like it is true, but is still fairly amazing and therefore should be passed on even though you have no evidence that it IS actually true. FYI - people aren’t waking up in a bath of ice having had their kidneys stolen either…

Of the organisations that actually say that they are stopping religious activities for this reason, none actually are. On investigation every one has been found to be using that as a cover excuse to save $$, with no record of a complaint about Christmas/Easter evident.

It isn’t a commonly known fact that almost all religions respect each other. But you see religions fighting all the time, right? Nope - look deeper and you will almost always find that they are almost always fighting for land. Culture against culture, not religion against religion.

It is an even less known fact that the Islamic faith believes in Jesus, however they believe he is a prophet and not the messiah. I have been told by several Muslims (university students) that it is against their faith to speak negatively of a prophet and therefore against their faith to lobby for Christmas or Easter to be eliminated or reduced in any form.

From your arguments it sounds like you are from England (these arguments are common in London). If, like others I have spoken to, you feel that strongly, why don’t you form or join a political party and be pro-active about your beliefs rather than pushing them onto this community? You live in a democracy, use it! Be democratic! If they are illegal residents then they DON’T have a say but you do. Advocate, vote, and stand up for what you believe. This type of talk incites anti-democratic activities which will subvert your cause and make the situation worse.

That’s my 2 cents…

Eagan,

I don’t disagree with you. I’m not above making mistakes either, and I’ve learned plenty of hard lessons from them. The difference is my mistakes aren’t made from lack of trying to do the right thing.

No range checking, no authentication, etc… Sounds an awful lot like not trying to me. It would be another situation entirely if these things had existed but were just buggy.

I feel for the guy who got reamed for this, but to defend it? Ignorance is a really good reason, but it’s a very poor excuse.

Anywho… I thought the post was funny.

It’s not hackers, it’s large numbers of bored people with a little bit of time to spare.
This wasn’t a great hack, but it would have taken no time at all to setup and the outcome was pretty funny.
Human beings can now collaborate on a massive scale for the most useless of purposes, this is an amazing thing

  • Jessta

@Time to act

If you’re from U.S., this is for you: http://www.uwgb.edu/dutchs/PSEUDOSC/ModestProp.HTM

I think Jeff is unfair.
Unfair to people who hacked it, because being a geek is all about doing something because you can, not because you need a reason. The hack doesn’t need to be very complex; I suggest reading how Blu-ray was cracked (well, not exactly cracked, but copying was made possible). Nothing really complicated there, but still amazing.
Also it’s unfair to the programmers who did the poll; in a similar manner one could say that the programmer who creates a commenting system with a static captcha is also one of the clowns from the picture…
I get that Jeff’s point is that hacking a badly written web app isn’t an accomplishment, but I think it was just entertaining for the people who did it, and reading about it also is.

great article!!! 5 of 5 for sure.

Off topic.
Is the captcha always orange?

Time may have figured that if disabling fraud detection was OK for Obama’s fundraising web site, then it was OK for their poll.

(The claim that Obama raised lots of money from the little people is unverifiable. Since address and name checking was deliberately disabled on Obama’s fundraising site, it’s entirely possible that most of his funds came from wealthy supporters using legitimate credit and debit cards, but with phony names and addresses to defeat campaign finance restrictions.)

Is this poll meant to be serious, or is it a spoof? I ask, bearing in mind the previous two winners, and the final quote.

http://www.time.com/time/arts/article/0,8599,1894028,00.html

Undoubtedly, many people will question Moot’s worthiness of the title world’s most influential person. TIME.com managing editor Josh Tyrangiel says that Moot is no less deserving than previous title-holders Nintendo video game designer Shigeru Miyamoto (2007) and Korean pop star Rain (2006). I would remind anyone who doubts the results that this is an Internet poll. Doubting the results is kind of the point.

Paul Lamere posted a followup detailing how reCaptcha was circumvented to achieve the result:

http://musicmachinery.com/2009/04/27/moot-wins-time-inc-loses/

I once saw a poll where you voted for the most beautiful contestant.

You could vote as many times as you liked and the solution to the captcha was embedded in the captcha-image URL.

Simple. Bad programmers create bad (insecure) code.

There’s no logic that says Time hires the best of the lot.

Thanks for your information.

One word comes to mind after reading this… FAIL

It was a pretty poor implementation, but was there really that much more they could have done? Anonymous online polls are basically impossible to protect from ballot stuffing. No matter how good their IP limiting was, they could still be abused using open HTTP proxies (and you can bet the 4chan crowd have plenty of those lying around). You have to ask yourself how much effort you’re willing to invest in preventing the inevitable - if people want to rig an anonymous online poll that much, they’re going to find a way.
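Two comments above describe the defensive side of this: the earlier anecdote about a captcha whose solution was embedded in the captcha-image URL, and this comment's point that per-IP limiting helps but is defeated by open proxies. The following is an added, constructed example (not code from the blog post, from Time, or from any of the commenters) showing a hypothetical poll back end that keeps the captcha answer server-side behind an opaque one-time token with an expiry, and throttles accepted votes per IP. All names (`VoteServer`, `weak_challenge_url`, the IPs and the answer "orange") are made up for illustration.

```python
import hmac
import secrets
import time
from collections import defaultdict


def weak_challenge_url(answer: str) -> str:
    """The flawed pattern from the thread: the captcha solution rides in the URL.
    Anyone who reads the image URL can answer the challenge without seeing the image."""
    return f"/captcha.png?solution={answer}"


class VoteServer:
    """Hypothetical poll back end (constructed example, not any real site's code)."""

    def __init__(self, per_ip_limit=3, window_s=3600, challenge_ttl_s=300, clock=time.time):
        self.per_ip_limit = per_ip_limit        # accepted votes allowed per IP per window
        self.window_s = window_s
        self.challenge_ttl_s = challenge_ttl_s  # how long an unsolved captcha stays valid
        self._clock = clock                     # injectable for deterministic testing
        self._challenges = {}                   # opaque token -> (answer, expiry time)
        self._votes_by_ip = defaultdict(list)   # ip -> timestamps of accepted votes
        self.tally = defaultdict(int)

    def new_challenge(self, answer: str) -> str:
        """Store the answer server-side and hand the client only a random token."""
        token = secrets.token_urlsafe(16)
        self._challenges[token] = (answer, self._clock() + self.challenge_ttl_s)
        return token

    def challenge_url(self, token: str) -> str:
        """Hardened form: the URL identifies the challenge but reveals nothing about it."""
        return f"/captcha.png?t={token}"

    def vote(self, ip: str, candidate: str, token: str, response: str) -> str:
        now = self._clock()
        # Per-IP throttle. As the comment notes, this only raises the cost:
        # a voter with many proxies gets a fresh budget per source address.
        recent = [t for t in self._votes_by_ip[ip] if now - t < self.window_s]
        self._votes_by_ip[ip] = recent
        if len(recent) >= self.per_ip_limit:
            return "rate_limited"
        # pop() makes the token single-use, so a solved challenge cannot be replayed
        entry = self._challenges.pop(token, None)
        if entry is None:
            return "invalid_token"
        answer, expiry = entry
        if now > expiry:
            return "expired"
        # constant-time comparison; answer is case-insensitive for a human-typed word
        if not hmac.compare_digest(answer.lower().encode(), response.strip().lower().encode()):
            return "wrong_answer"
        recent.append(now)
        self.tally[candidate] += 1
        return "accepted"


if __name__ == "__main__":
    srv = VoteServer(per_ip_limit=2)
    tok = srv.new_challenge("orange")
    print("weak  :", weak_challenge_url("orange"))
    print("better:", srv.challenge_url(tok))
    print(srv.vote("192.0.2.10", "moot", tok, "orange"))   # accepted
    print(srv.vote("192.0.2.10", "moot", tok, "orange"))   # invalid_token (replay)
    print(dict(srv.tally))
```

The design choice worth noting is that the server never trusts anything the client sends about the challenge except the token, and the token is consumed on first use whether the answer was right or wrong. The per-IP counter is deliberately the last line of defence, not the first: it is cheap and worth having, but the comment's caveat about proxies applies to it exactly.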

Good fun. It just orange to show you that security doesn’t have to be hard, just thoughtful.

I don’t assume that the developers are clowns, I assume that they are a combination of:

a. Developers who are not well versed in security
b. Employed by people who don’t actually care about security

Time doesn’t really care about the integrity of its poll or it wouldn’t have paid bottom dollar for the security. You can make a safe assumption that this is what they did based on the story presented here. Time is not alone in this. Honestly, they really don’t care. If they have a reason to believe that the poll is tampered with, they can either throw it out or write a story about it. Or, if they are feeling really unscrupulous they can simply change the votes themselves.

Their interest is not in a fair and secure ballot. Their interest is in having fodder for a story and giving their readers a sense of investment in the product. Nothing more.