Search for new and used cars from NH dealers.
web feeds

Mobile

Sep122006

Not as secure as we thought?

Filed under Uncategorized by damon kiesow at 4:53 pm

Well - apparently if you are into that sort of thing - it is possible to manipulate our reader polls without logging in - despite what I said yesterday.

Please see the comments at the bottom of this post to see how we found it out.

In the meantime - we have pulled today’s poll offline (it was getting a bit old) after it received another 441 votes from Austin, TX. We replaced it with a question about today’s voting.

Here is the email I sent after our error was pointed out:

—————

Mr. Earl

Thank you for your note. We were actually under the impression that you needed to be logged in to vote, but we had not tried to circumvent the process and test it. Fortunately, from watching the voting results for the past six months, I am fairly confident no one else has either.

If you would care to call our CMS provider and explain the situation to them - I am sure they would be more than pleased to make those changes. I am sure you have read my blog entry and noted that we have been aware of this vulnerability and have been requesting a fix for some time now.

www.saxotech.com

I truly wish we had a development team in the office who could handle these kind of programming issues, but unfortunately we must rely in large part on our vendors to handle that work. The blogs are, as I am sure you are aware, an open source solution, so we were able to secure those for the most part with some minor PHP work and some available plug-ins.

In the meantime - the polls, as imperfect as they are, will remain a feature of the site. If you have cause to think they are in fact being rigged in opposition to Dr Earl - I would be more than happy to send you a few charts showing votes by domain per day. I will post one of those online later today for reference.

If instead, it is your intention to manipulate the polls on a regular basis, I would only ask that you do not. I believe your point has been duly noted.

Thanks

Damon Kiesow

Managing Editor / Online

NashuaTelegraph.com

——-

For reference - here is a list of the top 25 domains representing readers that voted today - and how many times each voted.

Viewing 2 Comments

    • ^
    • v

    Mr. Kiesow


    I’ve just read your “Web Notes” blog entry of the 12th regarding the polls. I might have a suggestion to alleviate some of the inflated numbers you occasionally see, though not all of them.


    But first, a word of confession: Those 18 “votes” recorded from adelphia.net were in all probability mine. I’m a regular, registered non-resident reader of the Telegraph and have been so for some time now. I read every part of the website nearly, including the polls on occasion. Unfortunately, in order to read the polls we must “vote.”


    In all likelihood those 18 recorded “votes” related to the situation with Dr. Julia Earl, which I have followed as best I might since the whole matter blew up three months ago. Those 18 “votes” – or rather 17 of them – were cast solely for the purpose of checking “the public pulse” on the issue.


    Programming is not my forte` and I’m a bit rusty at web coding, but the remedy I propose is rather simple at least on its face: In posting the polls, you might include an option to “view poll results without voting.” I’ve seen other newspapers use that option in polls and have found it rather convenient, as I am a strong proponent of the “one person, one vote” philosophy.


    While it does nothing to address the security issue you’re currently grappling with, it might go at least some distance in reducing inflation of poll results.


    With kind regards and a wish to be part of a solution rather than a contributor to an obvious problem, I am


    Douglas A. Walters

    • ^
    • v

    Mr Walters.


    Thank you for the suggestion. It is one that has been requested by staff at the Telegraph as well - as they do not want to vote in the polls (and sway the results) in order to see the results.


    I will pass the idea along - but I believe as with the overall security issue - it is something that we can not do in-house, and needs to be addressed by our vendor.


    Nonetheless - a good idea.


    thanks


    Damon

Trackbacks

close Reblog this comment
Powered by Disqus · Learn more
blog comments powered by Disqus