A tech-savvy commenter speculated that after “clearing their cookies” (a term we’ll define for the computer illiterate in just a minute), voters can change their personal survey ID number to someone else’s, which in theory would mean that anyone would be able to vote multiple times.
Bwog’s on-call computer whiz kids Hans E Hyttinen and Anish Bramhandkar explain why this is actually possible, but relatively unlikely:
Hans: Once you access the survey page, a cookie is created on your computer that stores a bit of information, probably indicating whether or not you have completed the survey, so that the next time you visit that URL, it can let you resume your survey (try this by clicking on your link, but closing the page without voting and then reopening the page). I don’t think clearing the cookie would do anything of consequence.
If you do change the ID number in the URL, it looks like you can vote again on that ID, just like you can vote again on your ID. It’s very stupid that there is no confirmation message or “sorry, you have already voted” message.
However, everyone is given a unique identifier (in the “WEM=” part of the URL) that you’d be hard pressed to just guess. So no, I don’t think you can actually change someone’s vote.
Anish: Perhaps they’re tracking by IP address? Perhaps preventing subsequent votes that aren’t from the same IP. Columbia IPs are dynamic, but most people are connected constantly enough that they don’t change.
I doubt that they’re doing either of these, but the ID number in the survey URL is so long that you’d be hard-pressed to find someone else’s legit ID.
Still, minutes later, one Bwog staffer tested it out and “changed one of the numbers and got a different working link. Clearing cookies was necessary, though. When I went back and clicked my own link, I had my own displayed.”
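The check the experts say is missing, sketched as an added example (not the survey vendor's code and not anything from the original post): each voter gets an unguessable token, and the server alone decides whether that token has already voted, so cookies play no part. Only the `WEM=` parameter name comes from the post; the class name, the host `survey.example` and the result strings are assumptions.

```python
import secrets
from urllib.parse import urlparse, parse_qs


class Ballot:
    """One vote per issued token, tracked server-side (constructed example)."""

    def __init__(self):
        self.issued = {}  # token -> voter it was issued to
        self.votes = {}   # token -> recorded choice

    def issue(self, voter):
        # 128 bits from the OS CSPRNG: changing one character of a valid
        # link does not produce another valid link.
        token = secrets.token_urlsafe(16)
        self.issued[token] = voter
        return f"https://survey.example/vote?WEM={token}"  # hypothetical host

    def cast(self, url, choice):
        # Only server-side state is consulted. Clearing cookies or using a
        # private browsing window cannot reset it.
        values = parse_qs(urlparse(url).query).get("WEM", [])
        if len(values) != 1:
            return "rejected: missing token"
        token = values[0]
        if token not in self.issued:
            return "rejected: unknown token"
        if token in self.votes:
            return "rejected: already voted"
        self.votes[token] = choice
        return "accepted"


if __name__ == "__main__":
    ballot = Ballot()
    link = ballot.issue("voter-1")  # constructed voter id
    print(ballot.cast(link, "yes"))                                # first vote
    print(ballot.cast(link, "no"))                                 # repeat vote
    print(ballot.cast("https://survey.example/vote", "no"))        # no token
    print(ballot.cast(link[:-1] + ("A" if link[-1] != "A" else "B"), "no"))  # edited token
```

Tying token issuance to an existing login, as several commenters suggest, would additionally bind each token to a known voter.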
23 Comments
@well you can’t spell CommUnIsT without CUIT
and for the old farts, you can’t spell fACISt without acis :)
@... i was able to pull up a survey page and vote without an identification url token or cookie. whether or not this means anything (the vote will probably just show up as unassociated with an identifier, and if they’re smart, they’ll toss votes without identifiers) is hard to say…
however, it is somewhat apparent that the software they chose to use wasn’t specifically designed with a “trusted voting” use case in mind.
@The councils chose to use surveysays without consulting CCIT. They were the ones dumb enough to choose a poll system without WIND authentication.
@Figures Tech people would be smart enough to use WIND.
@actually i’m expecting a 5 percent turnout since everyone will have used the same link.
@Who on the councils thought letting CCIT do something this dumb was a good idea?
Why not just do stuff the way we do elections?
@I am expecting... No less than a 150% voter turnout for the survey now.
@wondering How easy would it have been to repurpose the Council elections voting system for this survey?
@what about my phone? I was able to take it twice…shame on me.
@hahaha hilarious.
probably not ccit’s fault. i’d prefer to blame the councils.
@Bwog Experts I voted in the computer room at Lerner. If someone else tries to vote on the survey using the same computer as I did, will it override my vote?
@Ridiculous This is ridiculous! We already pay-out tuition, register for classes, and pick housing on-line! How hard is it to make a secure one question survey?
@wait 2.0 WIND explained: http://www.columbia.edu/acis/rad/authmethods/wind/index.html#d0e37
Summary: Columbia’s sign in system is cribbed from Yale. :(
Obligatory WikiCU link: http://www.wikicu.com/Columbia_College_Information_Technology
@Duh you should have to log in to vote so everyone could only vote once. Duh, CCIT.
@wait what’s that? you want different parts of the fractured bureaucracy to work together to create a survey based on the preexisting WIND login structure (i.e. using your UNI)?
Nooooo, that’s crazy talk man!
@Can you trust this? If it’s that easy to cheat? Is the USenate really going to listen to a vote that can be hacked this easily? It’s worse than Florida in 2000.
@ccit welcome to bureaucracy. ccit does exist, in the hamilton basement.
@ccit is officially retarded
@would wouldn't mean cuit, would you?
@naw brah Hate on CUIT all you want when the printers fuck up, but this fucked up survey is a CCIT production. http://ccit.college.columbia.edu/
@haha someone feels stupid now
@... And thanks to Google Chrome’s incognito mode, which doesn’t store cookies….
@What about proxies? typical columbia bureaucracy fucking up again