Poll: VHS Principles of Unity - Full Disclosure

Well, I wanted to try out the polling; this is as good a topic as any.

See Should we update the VHS Principles of Unity?

This only relates to the current “Full Disclosure” line, would you like to:

  • Keep it as-is
  • Drop it
  • Reword to “Full Disclosure - Please be honest about why you are here, using our shared resources”

I think this poll should be worded as

keep it as-is "Full disclosure - Disclose your motives and affiliations"

Drop it

Reword to "Full Disclosure - Please be honest about why you are here, using our shared resources"

Also, this poll is too easy to spoof and should be used for entertainment purposes ONLY!

Care to back up this claim?

https://github.com/discourse/discourse/blob/master/plugins/poll/poll.rb#L146

Actually the requirement is that it is proven secure and proven unable to spoof.

NOT the other way around. This is why paper votes are good, because it is easy for anyone to verify the voting and counting process.

First by proving that a user cannot be spoofed.

Then prove that the result cannot be modified externally. Remember, many people do have root access.

I would first start by getting root access to the server, which many of us already have. I would use that access to either create temp users or temporarily override user authentication.

This is not where I would start to attack this code. I would start with the user authentication. If that was too hard I would attack the database where the vote count is kept.

No, you made the claim that it was easy to spoof, so back that up. I’m not making claims that this is impenetrable, but I’m not saying it’s easy either.

Even with root access this is not easy, you still have to access the container to even get to the database and then have to create the users or else you will have votes not tied to any account.

Is it? Are you sure it’s not in redis?

Not saying it can’t be done but it’s not easy either. Easy would be something you can do without root access.

Polls? How do we do polls?

To do a poll correctly requires that members are randomly selected and not self-selected.

Polls in which the members self-select are for entertainment purposes and don’t represent the membership.

Just like all political elections, now that you mention it...
