Jacking Up Voting Results

Voting systems on different sites are constantly developing and programmers are trying to devise protection against visitors jacking up the voting counters. Suppose that you have decided to take a part in a poll conducted by some site and want your preferred answer to prevail. How can this be done? There are many ways. The one to employ depends on the program used to conduct the polling.

Let's consider one vote-boosting method, using the www.download.com site as an example. Here, visitors can vote for their favorite programs. When you see that your favorite program is way down in the ratings, you naturally want to lift it up and help the developers.

In order to know how to pad the votes, you must know how they are counted. The simplest methods use cookie files. These are files in which web servers save any useful for them information. Each web site has its own file, which only it can read. No site can read cookies created by other site servers. When you cast your vote for some cause or issue, the server saves the information about your vote in a cookie file. Let's consider the steps performed when registering votes:

• A packet with the answer to the question is sent.
• The server processes the answer and sends an acknowledgement.
• The local computer saves the acknowledgment in a cookie file.

Consequently, if you attempt to vote again, the server checks your computer hard disk for a cookie file with the vote acknowledgement and, if it finds one, it will not let you vote again. But this method is used only by the least experienced voting-program developers. We will now consider how to circumvent this kind of protection.

Vote-Padding Method #1

Five years ago, the voting system on site www.download.com had no protection of any kind against vote padding, and votes could be padded by the simple rapid-click method. You enter the site, select the answer you want, and start clicking rapidly on the Send button.

If your are using a dial-up Internet connection, sending your answer and receiving an acknowledgment for it (i.e., a cookie file) takes some time. If the Send button is clicked again during the sending/receiving process, the previous send is considered aborted and is cancelled, so a new sending-the-answer/receiving-the-cookie session starts. When the acknowledgment for a previous click, with a request to update the cookie file, arrives at your browser, the browser declines the request, because the session was aborted.

Consequently, rapidly clicking on the send button causes your answer to be sent to the server, which processes and accepts it. That is, steps 1 and 2 are carried out. Your computer, however, will refuse to accept the acknowledgments, and step 3 will not be carried out until one of the following events occurs:

• If you stop the rapid clicking of the Send button, the browser will accept and save the cookie file for the last send.
• If your trigger finger is too slow, the server may manage to process the first sending between two consecutive clicks, send the acknowledgement, which the browser will receive. The ensuing results will be the same as in the previous case.

On high bandwidth dedicated lines, the answers to the server and its acknowledgments travel at high speeds, and your next click may be not fast enough, meaning that the evil cookie file will be created. In these cases, number 2 method may work.

Vote-Padding Method #2

When voting system programmers noticed that their system was being fooled by method #1, they started protecting against it. The simplest protection technique employs Java script to disable the Send button right after it has been clicked. So, if the voting-system programmer is no stranger to Java Script, your fast index finger will do you no good, and you will have to look for other ways to advance your cause.

This method can also be used when you want to boost your vote by simply voting again, but cannot as a result of the cookie file. Since this file is stored on your computer, what is to prevent you from simply deleting it? Open the \Documents and Settings\User Name\Cookies folder (User Name is the account name under which you logged into the system). Cookies files are stored here in simple text files and named in User Name@site address.txt format. The part of the name after sign @ is the address of the site that sent the cookie. Find the cookie from the site in question, and simply delete it. This will enfranchise you again and let you cast another vote. Repeat as often as necessary.

Vote-Padding Method #3

The hardest defense to get around involves the use of the IP address. Simply put, if the server sees that a vote has already been cast from your IP address, it will not let you vote again. If you have a dial-up Internet connection, you are allocated an IP address every time you establish a connection. Disconnecting and then reconnecting will most likely result in the allocation of a new IP address, thus enabling you to vote again.

If you connect via a dedicated line, you are allocated a static IP address and the only way to circumvent this protection is to resort to anonymous proxy servers. There are plenty of proxy server addresses on the Internet, so you need to compile a good list, and then use each server on the list to cast one vote.

The IP and cookie protection methods are often used in tandem to fight vote padding. In this case, the corresponding cookie file also needs to be deleted. Otherwise, the vote-counting program will notice your attempt at pulling a sly one with the IP address switch.

Organizing vote padding protection based on the IP address is a difficult task. This is because there are many network users who connect to the Internet via the same IP address. For example, some corporate networks may comprise over a thousand of computers, all of which use one proxy server and one IP address to connect to the Internet. If only one employee on such a network casts his or her vote on a site that uses this protection, the other network users will be deprived of this opportunity.

This is why IP addresses are only used by voting systems to detect vote padding, but are not saved in the database for long. You will be able to vote from the same address some time later with no problems. For long-term voter identification, the cookies protection method is the one employed most often. As you know, these can be deleted and, if their format is known, edited as well.