2600 Magazine_ The Hacker Quarterly - Digital Edition - Summer 2011 - 2600 Magazine [7]
Overview of Methods
1. Cookies - the simplest method (to implement and to evade). In short, you, as a developer, can save a small text file on the user's computer and read its contents later (at least, if the user is not a paranoiac freak who turned cookies off). Evading cookies is as simple as turning them off, deleting them, or changing their contents. This still catches some less experienced cheaters. Recently (September/October 2010), some smart guy developed "evercookies" ( http://samy.pl/evercookie/ ), an API that tries many different methods of storing an "undeletable" equivalent of cookies. It's nice, but it doesn't work when the client connects by other means, like Curl, or uses the "safe" mode of the browser.
2. CAPTCHA - this acronym stands for "Completely Automated Public Turing test to tell Computers and Humans Apart." In other words, it's more or less garbled text displayed to you that you have to retype. In many situations, it will keep out people who would like to write automated scripts to do the dirty work, although if your CAPTCHA is lousy, it is easy to read it with some OCR-like script. If it isn't, there are some Russian folks who would be happy to help you ( http://captchabot.com/en/index.html - I didn't test them and am not endorsing them in any way; I'm just impressed by their service, and maybe you'll find it useful). It's still not effective against folks who sit at their computer 24/7, press "vote" every five seconds, and then retype the password (more about that later).
3. Email Confirmation Link - the vote is counted only when the user clicks on the link that is sent to him/her by email. The main advantage of this method is that the process is more time consuming for the user (so it's a little bit harder to mass vote). Filtering out illegitimate votes is possible, but requires some knowledge of what an attacker can do. You can block known disposable email addresses like spam.la or 10minutemail.com; you can check whether someone is using known features of free mail services (i.e., in Gmail, these addresses all belong to the same account: example+something@gmail.com, e.xample@gmail.com, e.x.a.mple@gmail.com, etc.); other evasions can be tracked in the post analysis, i.e., you can see that somebody created a catch-all alias in their own domain, or is using free addresses like john01@yahoo.com, john02@yahoo.com, john03@yahoo.com, etc. A more annoying extension to this method is forcing users to register an account on your site.
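The following is an added example (not code from the article) of the email-side checks described above: it folds Gmail dot and plus variants to one canonical address, rejects known disposable domains, and, for post analysis, groups free-mail addresses that differ only by a trailing number. The domain lists are constructed for the example; a real deployment would load maintained lists.

```python
import re

# Constructed sample lists for the example (not exhaustive).
DISPOSABLE_DOMAINS = {"spam.la", "10minutemail.com"}
# Domains where dots in the local part are ignored and "+tag" is discarded.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}
# Free providers where serial accounts like john01, john02, ... are cheap to create.
FREE_MAIL_DOMAINS = {"gmail.com", "googlemail.com", "yahoo.com"}


def canonical_email(address):
    """Return the canonical form of an address, or None if it is malformed.

    Only Gmail-style folding is applied here; other providers keep the
    local part as written, so the check stays conservative.
    """
    address = address.strip().lower()
    if address.count("@") != 1:
        return None
    local, domain = address.split("@")
    if not local or not domain:
        return None
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"  # googlemail.com delivers to the same account
    return f"{local}@{domain}"


def numbered_alias_root(address):
    """john01@yahoo.com -> ('john', 'yahoo.com'); None if no numbered suffix
    or the domain is not a free-mail provider."""
    canon = canonical_email(address)
    if canon is None:
        return None
    local, domain = canon.split("@")
    if domain not in FREE_MAIL_DOMAINS:
        return None
    match = re.fullmatch(r"([a-z][a-z._-]*?)(\d{1,4})", local)
    return (match.group(1), domain) if match else None


def check_vote(address, seen):
    """Decide on one confirmed vote. Returns (accepted, reason) and records
    the canonical address in `seen` when accepted."""
    canon = canonical_email(address)
    if canon is None:
        return False, "malformed"
    if canon.split("@")[1] in DISPOSABLE_DOMAINS:
        return False, "disposable domain"
    if canon in seen:
        return False, "duplicate of " + canon
    seen.add(canon)
    return True, "ok"


def numbered_alias_groups(addresses, threshold=3):
    """Post analysis: roots that appear with at least `threshold` distinct
    numbered suffixes, e.g. john01/john02/john03 at the same provider."""
    groups = {}
    for address in addresses:
        root = numbered_alias_root(address)
        if root is not None:
            groups.setdefault(root, set()).add(canonical_email(address))
    return {root: sorted(v) for root, v in groups.items() if len(v) >= threshold}


if __name__ == "__main__":
    seen = set()
    for a in ["example+vote@gmail.com", "e.x.a.mple@gmail.com", "x@10minutemail.com"]:
        print(a, check_vote(a, seen))
    print(numbered_alias_groups(["john01@yahoo.com", "john02@yahoo.com", "john03@yahoo.com"]))
```

The duplicate check runs at confirmation time, while the numbered-alias grouping is meant to run over the whole vote table afterwards, which matches the article's split between blocking and post analysis.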
4. Facebook Connect - it's not always a good idea, but sometimes the competition is aimed at Facebook users. The Facebook user ID is an additional variable that we can take into account (but it is not wise to rely only on that!).
5. IP Limit - limiting votes to one per IP (e.g., per day). It looks like the best idea, but it isn't always. For example, ADSL or mobile providers don't assign their subscribers a fixed IP. Instead, they can change it every time a connection is established. The Tor network ( http://www.torproject.org/ ) might be used to change one's IP address as often as one wants. On the other hand, people in the same network (office, home, or university network) would be unable to vote, even if they were on different workstations, as they are visible from the outside as if they were connecting from the same host.
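As an added example (not from the article), here is a per-IP daily limiter of the kind described above. It keys the counter on the source address and the UTC calendar day, exposes the allowance as a parameter for networks that appear as one host, and keeps the rejected-attempt counts so the post analysis can tell a busy office NAT from a single address hammering the vote button. The addresses and timestamps are constructed for the example.

```python
from datetime import datetime, timezone


class IpVoteLimiter:
    """Allow at most `per_day` votes from one source IP per UTC day.

    Raising `per_day` above 1 is the knob for shared egress addresses
    (office, home, university NAT). The trade-off is exactly the one the
    article describes: a voter whose provider hands out a new address per
    connection, or who goes through Tor, is not bound by the cap at all.
    """

    def __init__(self, per_day=1):
        self.per_day = per_day
        self.accepted = {}  # (ip, "YYYY-MM-DD") -> accepted votes
        self.rejected = {}  # (ip, "YYYY-MM-DD") -> attempts over the cap

    @staticmethod
    def day_key(ip, when):
        """Normalise an aware datetime to the UTC day so midnight in the
        server's local zone does not silently give everyone a second vote."""
        return (ip, when.astimezone(timezone.utc).strftime("%Y-%m-%d"))

    def try_vote(self, ip, when):
        """Return True if the vote is within the daily cap for this IP."""
        key = self.day_key(ip, when)
        count = self.accepted.get(key, 0)
        if count >= self.per_day:
            self.rejected[key] = self.rejected.get(key, 0) + 1
            return False
        self.accepted[key] = count + 1
        return True

    def over_cap_report(self):
        """Post analysis: (ip, day, rejected) sorted by most rejections.
        A large number from one address may be a cheater or a big NAT;
        the article's other signals are needed to tell them apart."""
        rows = [(ip, day, n) for (ip, day), n in self.rejected.items()]
        return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))


if __name__ == "__main__":
    limiter = IpVoteLimiter(per_day=1)
    # Constructed sample: documentation address block, votes around UTC midnight.
    t1 = datetime(2011, 6, 1, 23, 59, tzinfo=timezone.utc)
    t2 = datetime(2011, 6, 2, 0, 1, tzinfo=timezone.utc)
    for ip, when in [("198.51.100.7", t1), ("198.51.100.7", t1), ("198.51.100.7", t2)]:
        print(ip, when.isoformat(), limiter.try_vote(ip, when))
    print(limiter.over_cap_report())
```

Storing the counter keyed by day rather than by a rolling 24-hour window is simpler, but it means a voter can vote at 23:59 and again at 00:01; if that matters, key on `when.timestamp() // 86400` instead, which gives the same day boundary in UTC without string formatting.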
6. Browser Fingerprint - a nice method that you can read about at https://panopticlick.eff.org/ and http://www.networkworld.com/news/2010/051810-eff-forget-cookies-your-browser.html. It turns out that your browser leaves many traces that, combined into one, allow for a quite unique fingerprint. As with evercookies, it's good for non-advanced users using browsers, but completely useless if someone wants to cheat you using Curl or something similar.
7. SMS Verification - OK, in my opinion this method is the best, but clients don't want to implement it because it's expensive. The idea is simple - if you want to vote, you have to give your mobile number. We send you an SMS with