That got me wondering just how hackable the vote is. It turns out that the BCS has done almost nothing to prevent vote fraud. The only protection is a cookie set in your browser. Turn off cookies and you can vote as often as you want. Even more interesting is that it's possible to completely automate vote fraud since the BCS doesn't even insist on a POST, doesn't appear to be rate limiting IP addresses, doesn't require the cookie to get set, isn't checking the page referrer, ... In fact, the only sensitive thing is the User Agent string, which needs to make it look like a real browser is being used.
For example, it would be trivial to make you vote for Alan Turing. Here's the code to do that (I modified this very slightly so that it won't actually work). I could embed that 'image' in this page and everyone reading this would be voting for Alan Turing in the background.
In fact, that makes the vote security for this poll a total joke. Using a simple script containing the following I bumped up Alan Turing's percentage of the vote by a few tenths of a percent as a test. If I'd left the script running I could have had him beating Hedy Lamarr within minutes.
wget --user-agent='Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:18.104.22.168) Gecko/20100315 Firefox/3.5.9' -S \
    http://pioneers.bcs.org/?`cat post` -O vote -d
So, what should the BCS have done? They could have used Flash Cookies to set a much more persistent cookie, they could have forced users to register and confirm an email address to vote, or they could have asked users to fill in a CAPTCHA to vote. As it is, the current voting scheme is so open to fraud that the results are likely to be meaningless.
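To show what the missing checks look like on the server side, here is a hypothetical vote handler written for this post (it is not the BCS's code and not from the original page). The poll origin, the rate-limit policy and the token format are my assumptions; it enforces the things the post found absent (POST only, origin/referrer check, a required server-signed cookie, per-IP rate limiting) and deliberately ignores the User-Agent string, which is the one thing a forger sets freely.

```python
import hashlib, hmac, secrets, time
from collections import defaultdict

# Hypothetical poll origin and policy values; the BCS site's real values are not on the page.
POLL_ORIGIN = "https://poll.example"
RATE_LIMIT = 5      # accepted votes per IP per window
WINDOW = 60         # seconds
SECRET = secrets.token_bytes(32)   # server-side signing key, regenerated per process

_used_tokens = set()
_ip_hits = defaultdict(list)


def issue_token():
    """Server-minted one-time token, set as the vote_token cookie and echoed in the form."""
    nonce = secrets.token_hex(8)
    mac = hmac.new(SECRET, nonce.encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def cast_vote(method, headers, cookies, form, ip, now=None):
    """Return 'accepted: <candidate>' or 'reject: <reason>'. No User-Agent check: it is spoofable."""
    now = time.time() if now is None else now
    # A GET must never record a vote: that is what lets an <img> tag or wget vote unattended.
    if method != "POST":
        return "reject: method"
    # The request must originate from the poll page itself.
    origin = headers.get("Origin") or headers.get("Referer", "")
    if not (origin == POLL_ORIGIN or origin.startswith(POLL_ORIGIN + "/")):
        return "reject: origin"
    # Cookie and form field must carry the same server-signed, unused token (double submit).
    token = form.get("token")
    if not token or token != cookies.get("vote_token"):
        return "reject: token missing"
    nonce, _, mac = token.partition(".")
    expected = hmac.new(SECRET, nonce.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return "reject: token forged"
    if token in _used_tokens:
        return "reject: token replayed"
    # Sliding-window rate limit per source IP, so one client cannot vote "as often as you want".
    hits = [t for t in _ip_hits[ip] if now - t < WINDOW]
    if len(hits) >= RATE_LIMIT:
        return "reject: rate limited"
    hits.append(now)
    _ip_hits[ip] = hits
    _used_tokens.add(token)
    return f"accepted: {form.get('candidate')}"
```

A CAPTCHA or confirmed-email registration, as suggested above, would sit in front of `issue_token`, so a token is only minted for a request that has passed that step.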
PS I emailed this blog post to the BCS and they replied:
Thanks very much for your email and blog post. We will be responding officially with a post on our blog shortly, but I just wanted to let you know that we have raised this issue with our site designer, and are looking at ways to change the voting system to keep it easy for people to vote and interact while preserving the vote's integrity.