AskBwog: Can You Hack the ROTC Survey?
A tech-savvy commenter speculated that after “clearing their cookies” (a term we’ll define for the computer illiterate in just a minute), voters can change their personal survey ID number to someone else’s, which in theory would mean that anyone would be able to vote multiple times.
Bwog’s on-call computer whiz kids Hans E Hyttinen and Anish Bramhandkar explain why this is actually possible, but relatively unlikely:
Hans: Once you access the survey page, a cookie is created on your computer that stores a bit of information, probably indicating whether or not you have completed the survey, so that the next time you visit that URL, it can let you resume your survey (try this by clicking on your link, but closing the page without voting and then reopening the page). I don’t think clearing the cookie would do anything of consequence.
If you do change the ID number in the URL, it looks like you can vote again on that ID, just like you can vote again on your ID. It’s very stupid that there is no confirmation message or “sorry, you have already voted” message.
However, everyone is given a unique identifier (in the “WEM=” part of the URL) that you’d be hard pressed to just guess. So no, I don’t think you can actually change someone’s vote.
Anish: Perhaps they’re tracking by IP address? Perhaps preventing subsequent votes that aren’t from the same IP. Columbia IPs are dynamic, but most people are connected constantly enough that they don’t change.
I doubt that they’re doing either of these, but the ID number in the survey URL is so long that you’d be hard-pressed to find someone else’s legit ID.
Still, minutes later, one Bwog staffer tested it out and “changed one of the numbers and got a different working link. Clearing cookies was necessary, though. When I went back and clicked my own link, I had my own displayed.”
Tags: 2008 ROTC referenda, askbwog, computers, nrotc
24 November 2008 @ 4:29 PM · 23 comments
on 
And thanks to Google Chrome’s incognito mode, which doesn’t store cookies….
typical columbia bureaucracy fucking up again
is officially retarded
cuit, would you?
Hate on CUIT all you want when the printers fuck up, but this fucked up survey is a CCIT production. http://ccit.college.columbia.edu/
someone feels stupid now
welcome to bureaucracy. ccit does exist, in the hamilton basement.
If it’s that easy to cheat? Is the USenate really going to listen to a vote that can be hacked this easily? It’s worse than Florida in 2000.
you should have to log in to vote so everyone could only vote once. Duh, CCIT.
what’s that? you want different parts of the fractured bureaucracy to work together to create a survey based on the preexisting WIND login structure (i.e. using your UNI)?
Nooooo, that’s crazy talk man!
WIND explained: http://www.columbia.edu/acis/rad/authmethods/wind/index.html#d0e37
Summary: Columbia’s sign in system is cribbed from Yale. :(
Obligatory WikiCU link: http://www.wikicu.com/Columbia_College_Information_Technology
This is ridiculous! We already pay-out tuition, register for classes, and pick housing on-line! How hard is it to make a secure one question survey?
I voted in the computer room at Lerner. If someone else tries to vote on the survey using the same computer as I did, will it override my vote?
hilarious.
probably not ccit’s fault. i’d prefer to blame the councils.
my phone? I was able to take it twice…shame on me.
How easy would have it been to repurpose the Council elections voting system for this survey?
No less than a 150% voter turnout for the survey now.
on the councils thought letting CCIT do something this dumb was a good idea?
Why not just do stuff the way we do elections?
i’m expecting a 5 percent turnout since everyone will have used the same link.
chose to use surveysays without consulting CCIT. They were the ones dumb enough to choose a poll system without WIND authentication.
Tech people would be smart enough to use WIND.
i was able to pull up a survey page and vote without an identification url token or cookie. whether or not this means anything (the vote will probably just show up as unassociated with an identifier, and if they’re smart, they’ll toss votes without identifiers) is hard to say…
however, it is somewhat apparent that the software they chose to use wasn’t specifically designed with a “trusted voting” usecase in mind.
you can’t spell CommUnIsT without CUIT
and for the old farts, you can’t spell fACISt without acis :)