the maliciousness of crowds
Thursday, November 26th, 2009
if there is one thing that programmers can almost uniformly be accused of, it is coding for the best case: wanting to write programs designed around all things behaving correctly every time.
one random facet of this is the assumption that crowds and their voting can be trusted to behave in a productive way. let’s say you have a website where people vote on who is the best poster / reviewer / uploader / whatever, and it rewards them in some way. simple to implement, simple to test, and you’re done, right?
well, never underestimate the willingness of crowds to behave maliciously. getting 1000 people to do a prank on a system like that is trivial, and it’s even easier to get one person with a bunch of zombie machines all over the planet.
attacks like this are really common: websites raid amazon review / recommendation pages for fun, 4chan obliterated a “person of the year” TIME poll, and twitter “trending topics” seem to be raids more often than not.
the last one in particular strikes me as funny. businesses are now using personal hashtags to let people talk about them, and in some cases display the results in real time in the lobby or on their page. i’m astounded at this. all it takes is one message board post asking everyone to twitpic porn to the hashtag and voila, instant PR disaster.
always program for the worst case, not the best case. unless you have some method to block them, assume that at any point in time there are thousands of bored suburban teenagers who would love to abuse any ranking system you have for laughs.




