Herald Hacker did us all a favour

Written By: - Date published: 8:00 am, November 4th, 2009 - 27 comments
Categories: interweb, polls - Tags:

The New Zealand Herald have disabled all online polls on their website until further notice, after a hacker (or hackers) severely skewed the results of three polls. I say well done, and I’m sure I’m not the only one sick of online polls being carried out by the media and reported as news.

Firstly there’s the obvious problem that online polls are in no way scientific. The findings cannot be transferred to the population at large because those surveyed are only those visiting the particular website. The results can’t even be claimed to be representative of the overall readership of the website, as only those choosing to participate are included.

The only way to claim a poll has any validity is to take a truly random sample of the target population. The views of people visiting a website may not represent the views of people in the rest of the population. The type of people choosing to participate in an online poll may not represent the wider selection of people who visit the website.

Despite all of this, I’ve seen far too many cases where the NZ Herald has published online poll results as front page news. Having a tiny disclaimer at the bottom of the article saying the poll results aren’t scientific doesn’t make it any less misleading.

Secondly, even if the media want their online polls to simply be a gimmick, and only report them as being the views of those who read the website and choose to participate, there are still issues that can’t be resolved.

There is no way to secure an online poll and still have it open to anyone who visits the website. By secure I mean preventing people from entering multiple times. The ways I’ve seen various media attempt to do it are:

1. Cookies
This involves storing a record on the users computer once they have participated, and checking for that record every time someone tries to enter the poll to ensure no one votes more than once.

This is among the most primitive methods for securing a poll, and the one currently used by the NZ Herald. First, it is very easy to disable cookies on your computer, eliminating the problem for most polls (including the NZ Herald polls). Some polls are a little smarter and will not allow you to enter the poll unless you have cookies enabled. This is still easy to get around as you can delete your cookies and then re-enter.

2. Email Address
This involves making people enter an email address before participating, and then ensuring that the same email address cannot participate more than once. If utilised correctly, this method can be slightly more effective than the cookies method.

The Dominion Post used this method in a very insecure way a couple of years ago by simply making people enter an email address before participating. They didn’t bother to verify email address entered, so anyone could just make up non-existent email addresses and enter multiple times.

The more secure way of using this method is to send the user an email and force them to click on a unique link before their vote is counted. This ensures that the person does own the email address in question. Of course for people like me who own domain names and have “catch-all” email addresses, we can just start with say 1@domain.com, 2@domain.com, 3@domain.com and keep going for eternity.

3. IP Address
Everyone using the internet has a unique Internet Protocol Address, at least for the particular time they are on the web. The smartest polls only allow one entry per IP Address, but the method is still not full-proof. Limiting by IP Address means only one person per household or office can participate for a start.

Those without a static or fixed IP Address (most of NZ) can simply reboot their modem or router, thereby re-logging on to their Internet Service Provider and obtaining a new IP Address. Of course this takes time, and probably limits the number of times someone might be willing to bother entering.

Unfortunately for those utilising this method, there are easier and more effective ways to bypass it. IP Addresses are sent in the header data to a web page, and are very easy to fake if you know what you’re doing.

I’ve never seen an online poll for which I can’t easily write a script to run on my computer and vote as many times as I may wish. I can even multi-thread the scripts so they vote multiple times simultaneously over and over again. Even better, none of this so called “hacking” is illegal, as it doesn’t involve anything more than accessing what is publicly available.

The media continue to use online polls and report the results as news, seemingly not caring that all security methods have been proven unsafe in the past. So thanks to the hacker who forced the NZ Herald to stop using online polls. Let’s hope the change is permanent and they don’t attempt any of the other insecure methods listed above.

lprent: Editing teh Herald also posted on this with some interesting points (between the justifiable sniggering)

27 comments on “Herald Hacker did us all a favour ”

  1. IrishBill 1

    You know more about his than I do Rocky but I thought that a “hacker” actually had to hack something. Somehow I doubt that someone broke into the back end of the Herald poll and skewed it.

    If they did I’d suggest they probably need to get out more. I do tire of these polls being used as cheap-hit news stories though.

    • rocky 1.1

      Agreed Irish – it isn’t technically hacking. The Herald called it that to make it look like it wasn’t their own fault.

  2. lprent 2

    Maybe we should do everyone a service and publish some scripts?

    • Tigger 2.1

      Great idea. Unscientific online polling quoted as hard fact is a serious threat to democracy. Kill them or at least turn them into the fun little sideshow they should bee.

    • rocky 2.2

      Hmmm… not a bad idea. Let’s wait and see if the Herald put their polls back up since they’re the ones who abuse the reporting of them the most. Know of any other media that report them as seriously as the Herald?

  3. Funnily enough, the Herald article about this mentioned that the “…hacker entered the system…”.

    Now whether that’s another example of psuedo-technospeak that the rest of the article is riddled with, or whether they actually think their internal systems were tampered with remains to be seen.

    Try as they might, clearing your cookies is by no definition hacking.

    • rocky 3.1

      Well I guess technically you’re “entering the system” even if you are just viewing a web page. I’ve seen various definitions of hacking, some would include this and some would not. Most importantly, it isn’t hacking in the legal sense.

  4. l33t hax0r 4

    There is one way to prevent scripted attacks against online polls, and it’s the same method that this blog uses as an anti-spam prevention when posting comments: a captcha image. http://en.wikipedia.org/wiki/CAPTCHA

    It’s still not perfect, but it’s far better than nothing (and far better than cookies or IP restrictions or unvalidated input fields), and the concept is widely deployed and understood.

    • rocky 4.1

      Odd that I never thought of that method for securing polls given I use a captcha thingy on all web forms I write now. Perhaps it’s because I’ve never seen any NZ media use it to secure their polls.

      That would certainly prevent my scripts, though it wouldn’t stop multiple manual entries. Gets rid of my main argument against online polls anyway – as long as they then report them only for what they are.

    • lprent 4.2

      It’d be a good basic step. Definitely not perfect. I think I could write some edge tracking code that would bypass it. It isn’t that hard to do.

      On the other hand I’d write it at a C/ASM level so I guess that’d cause issues for all of the script bunnies (maybe not python – that is bloody fast).

    • Chris S 4.3

      Slight side-distraction here, but here’s a first hand account of how Anonymous/4chan hacked the Times “Most influentual person of the year” online poll in a most spectacular fashion.

      http://musicmachinery.com/2009/04/15/inside-the-precision-hack/

  5. BLiP 5

    Maori World Cup TV bid hits trouble

    … snip …

    And a new poll suggests Mr Key’s decision to make Maori TV lead the bid for the free-to-air rights was a line-ball call, with New Zealanders divided on whether it was the right thing to do. The Herald-Digipoll shows a slim majority of 45.2 per cent disapprove of Maori TV leading the bid, while 44.1 per cent approve. . . . snip . . . The poll shows how divisive the Maori TV bid has been, with much of the opposition related to the small amount of Maori language that would be incorporated in its commentary.

    Wow!! Imagine that!! Who’d have thunk it?

  6. ghostwhowalksnz 6

    Didnt the Herald list the IP addresses they were getting ‘hacked’ from.
    118.92.185.135, 118.90.40.97 and 203.109.154.13
    My quick check gives

    118.92.185.135 (118-92-185-135.dsl.dyn.ihug.co.nz)

    118.90.40.97 (ip-118-90-40-97.xdsl.xnet.co.nz

    203.109.154.13 (atm1-0-939.akl-grafton-car1.ihug.net)
    Seems to be just generic ISP addresses

  7. kaplan 7

    It may not be illegal but given the nature of the way the polls were screwed it would be interesting to know who was behind it. The whois info of course doesn’t tell us plebs much but the ISP’s will be able to narrow it down to an individual account holder or organisation and geographically as well, though I am not sure with how much accuracy they could easily do that.

    I find it interesting that the first poll affected was related to Destiny and it makes me wonder if someone with a vested interest went after that poll, then buoyed by their success had a partisan crack at the subsequent polls as well.

    I don’t buy the “18 yr old guy in a black t-shirt” line from Mr Rees. Actually wtf does that even mean? All hackers are goths?

    If The Herald really wanted to pursue this story I expect they would need to push the hacking angle to get the ISP’s cooperation. I think The Herald would view it as in their interests to pursue, if only to protect that false faith they want people to have in their polling!

    • funny how the Herald only ever mentions this stuff when the hacked result doesn’t align with their editorial interests. this isn’t the first time they’ve done this mock outrage over someone screwing their pretend polls.

    • rocky 7.2

      Might be partisan, might not be. Doesn’t look related to a particular party in any case – could be someone taking the piss or someone sharing their views. Who cares?

      “18 yr old guy in a black t-shirt’ I believe is more referring to a geeky teenage boy – your stereotypical hacker. Kind of like a teenage version of Lprent. Fortunately I don’t fit the stereotype 😉

      I can’t imagine the Herald would get the ISP’s cooperation unless they can prove illegal activity. Easy for the herald to ban those IP’s from their site though.

      [lprent: I didn’t fit the stereotype when I was young. That was more something I grew into later on after I stopped bothering being ‘responsible’. Takes maturity to get to the really great geeky states. Mind you the new geeks are mostly political activists….. ]

      [rocky: Maybe you didn’t fit the stereotype when you were young, but you have to admit if people were to imagine you at that age that is what they would imagine 😉 And while you might not have had the black t-shirt or the glasses, from all accounts you were a geek. Especially that story I hear about the programmable calculator you were given.]

      • kaplan 7.2.1

        So all this time I’ve been trying to fit my look to my profession by wearing glasses, white shirts, using pocket protectors and perfecting the ‘laugh-snort’ has been for nothing! I think I still have a black Pearl Jam t-shirt away in a box somewhere from my late teen years… I will have to dig it out.

        Re the polls, one swing was Pro-Act Party the other Pro-Destiny. Not sure if there is a link but I thought Actoids and Destiny members probably have some common ground. They don’t say what the swing on the environmental poll was, but if it was strongly anti-environment I think it could show a pattern.

        Having said that, the essence of your post does focus on the ridiculous way these polls are portrayed, when they really aren’t worth the bandwidth they consume, and I agree that is a more relevant subject that who did the hacking.

      • the sprout 7.2.2

        mmm, ‘maturity’ like a really ripe cheese

    • Draco T Bastard 7.3

      The whois info of course doesn’t tell us plebs much but the ISP’s will be able to narrow it down to an individual account holder or organisation and geographically as well, though I am not sure with how much accuracy they could easily do that.

      Very easily, wouldn’t take more than a few minutes to get all the relevant details of the account holders. In reality, there’s no such thing as anonymity on the internet.

  8. illuminatedtiger 8

    They did do us all a favor but I feel for the guy who unwittingly acquires one of the three IP addresses The Herald listed. Although it’s not surprising they did list them considering their definition of responsible journalism.