A cautionary tale of democracy online and why identity-based security is critical for elections large and small.
We have a confession to make.
10:43 am — August 20th, 2019 — New York, NY
Let us start by making one thing abundantly clear. Passbase did not win Hacker Noon’s “Most Exciting Startup” award fairly. We employed powerful forces outside the bounds of fair competition to manipulate the results of this “election” and it worked. We did not do this to win, but instead to make a point. This is the story of how, and why, we hacked the 2019 Hacker Noon “Most Exciting Startup” Award, what it means for the democratic process online, and what we can do about it.
Oh shit. It actually worked.
8:46 am — August 20th, 2019 — New York, NY
I woke up on the couch of our old San Francisco apartment, the place where our company was originally conceived. Still half asleep, I read through my emails as I do every morning and, at the top of my inbox, I saw a much-anticipated email. Hacker Noon had just announced the winners of their first-ever award competition, the Noonies.
As designed, my company Passbase was featured at #1 in the polls. This came as no surprise. After all, that was the plan. We just didn’t think the plan would actually work.
Realizing what had just happened, I woke up my co-founders and gathered them around the coffee table. We came to the unanimous decision that we would come clean and tell the world our story.
We concluded that our ability to compromise the integrity of this democratically selected award was representative of a far greater set of issues facing the digital world.
Our hack had demonstrated the power that fake identities can have online when left unchecked. We hope that by shining a light on our actions, we can help institutions of all sizes avoid these types of manipulation. So we finished our coffee and got to work writing our confession…
It started with an honest lead
6:30 pm — August 11th, 2019 — New York, NY
“Yeehoo! We’re in the lead.” — Felix, CPO of Passbase
We had worked hard over the past year to build a network of supporters for our young company: taking philosophical positions on timely issues relating to privacy and data ownership online, pushing strategically targeted campaigns, and doing plain old-fashioned grassroots marketing.
Following the Facebook-Cambridge Analytica hack and Experian data breach, our commitment to addressing issues of privacy and data ownership seemed to have reached an enthusiastic audience.
Thanks to our loyal following and some targeted social campaigns, we were able to collect enough votes to reach the leading position in the Hacker Noon polls.
After securing what we believed to be a sizable lead, we took our foot off the gas and turned our marketing efforts back towards content creation and lead generation.
Then it turned into an arms race
5:30 pm — August 14th, 2019 — New York, NY
“Those F*****rs!” — Mathias, CEO of Passbase
We had dropped two places in the rankings just 24 hours before the competition was scheduled to end. After some research into our competition, we concluded that the volume of votes required to overtake us in that small amount of time was near impossible without some “assistance”.
The velocity at which new votes were entering the system, just hours before competition close, could mean only one thing. Bots.
Sitting at #3 in the polls with a few hours left in the competition and some fairly obvious voter manipulation occurring, we had an idea. Could we beat the hackers at their own game? Not to win, but to make a point? What happened over the next 24 hours was a frenzy of programmatic voter fraud.
How we Hacked it
1:30 pm — August 15th, 2019 — New York, NY
Like many other polls online, Hacker Noon’s award was based on browser sessions. They did not require an individual to sign up or complete any form of verification, which made our “hack” quite easy to execute at scale.
Our team quickly developed a Python script to execute votes programmatically from a theoretically unlimited number of virtual machines — cast a vote, clear the browser cache, change the IP address, repeat.
All of this was done within a few seconds for each new vote. As we scaled up this operation, we spun up several AWS instances and began executing the script. Boom. We received thousands of upvotes and climbed to first in the polls within the last few hours of competition, with other “competitors” right on our heels, receiving an equally implausible number of votes over the course of a few hours.
By our conservative estimate, over 25,000 new votes were posted and allocated to the top few contenders within the last 24 hours. The total vote count went from 25k to 50k within a day. By the end, there were approximately 3,000 votes per hour entering the poll.
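The vote velocity described above is the signal a poll operator can watch for. The following is an added example, not code from the original post: it flags hours in which a candidate's vote count far exceeds that candidate's own median hourly rate. The vote log, candidate names, and thresholds (`factor`, `min_votes`) are constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta
from statistics import median

def hourly_counts(votes):
    """votes: iterable of (iso_timestamp, candidate) -> {candidate: Counter{hour: n}}."""
    out = {}
    for ts, cand in votes:
        hour = datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)
        out.setdefault(cand, Counter())[hour] += 1
    return out

def flag_bursts(votes, factor=10, min_votes=50):
    """Return (candidate, hour, count) for hours exceeding factor x the
    candidate's median hourly count. Thresholds are illustrative assumptions."""
    flagged = []
    for cand, per_hour in hourly_counts(votes).items():
        # Median is robust to a few burst hours; hours with zero votes are not counted.
        baseline = max(median(per_hour.values()), 1)
        for hour, n in sorted(per_hour.items()):
            if n >= min_votes and n > factor * baseline:
                flagged.append((cand, hour.isoformat(), n))
    return flagged

def constructed_votes():
    """Constructed sample log: 24 hours, candidate B bursts in the last 4 hours."""
    start = datetime(2019, 8, 14, 0, 0)
    votes = []
    for h in range(24):
        for cand, n in (("A", 6), ("B", 600 if h >= 20 else 5)):
            for i in range(n):
                ts = start + timedelta(hours=h, seconds=i * 3600 // n)
                votes.append((ts.isoformat(), cand))
    return votes

if __name__ == "__main__":
    for cand, hour, n in flag_bursts(constructed_votes()):
        print(f"{hour}  candidate={cand}  votes={n}  <- review before counting")
```

A flag like this only tells the operator which ballots to hold for review; it does not establish which individual votes are genuine.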
As the polls ended with Passbase in the leading position, we closed our laptops and breathed a sigh of relief. As expected, a few days later we received the email informing us that Passbase had won.
The Big Picture
What does this mean? How can we trust any poll or election that has been conducted online? More specifically, how can we trust any “individual” we interact with online? These are all questions that as a society and as a company we need to ask ourselves.
Our thesis is that the world is in desperate need of a more seamless and secure system of digital identification. The methods we used to manipulate this poll are completely avoidable if the appropriate steps are taken to verify the identities of people participating. But these methods can be invasive and cumbersome.
As we look to the future, it seems obvious that more and more sensitive processes and services are being moved online. Whether those services are polling, ride-sharing, or digital banking, they all share one thing in common: identity matters. It’s important to consider the role that identity plays online and just how large of an impact it can have if not secured properly.
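To make the difference concrete, here is an added example (not code from the original post or from Passbase) that tallies the same constructed ballots two ways: once per browser session, as the poll in this story did, and once per verified identity. The `verified_id` field is a hypothetical opaque identifier issued by some identity-verification step; all ballot data is constructed.

```python
from collections import Counter

def tally_by_session(ballots):
    """One vote per browser session: a fresh session is a fresh voter."""
    seen, counts = set(), Counter()
    for b in ballots:
        if b["session"] not in seen:
            seen.add(b["session"])
            counts[b["candidate"]] += 1
    return counts

def tally_by_identity(ballots):
    """One vote per verified identity. Ballots with no verified identity,
    or repeating one already counted, are rejected (first ballot wins)."""
    seen, counts, rejected = set(), Counter(), 0
    for b in ballots:
        vid = b.get("verified_id")  # hypothetical field, see lead-in
        if vid is None or vid in seen:
            rejected += 1
            continue
        seen.add(vid)
        counts[b["candidate"]] += 1
    return counts, rejected

def constructed_ballots():
    """Constructed data: three ordinary voters, plus one participant who
    submits 500 ballots, each under a new session and source address."""
    ballots = [
        {"session": "s-a1", "ip": "203.0.113.10", "verified_id": "id-1", "candidate": "A"},
        {"session": "s-a2", "ip": "203.0.113.11", "verified_id": "id-2", "candidate": "A"},
        {"session": "s-b1", "ip": "203.0.113.12", "verified_id": "id-3", "candidate": "B"},
    ]
    for i in range(500):
        ballots.append({"session": f"s-x{i}", "ip": f"198.51.100.{i % 254 + 1}",
                        "verified_id": "id-4", "candidate": "B"})
    return ballots

if __name__ == "__main__":
    ballots = constructed_ballots()
    print("per session :", dict(tally_by_session(ballots)))
    counts, rejected = tally_by_identity(ballots)
    print("per identity:", dict(counts), "rejected:", rejected)
```

Keyed on sessions, candidate B leads 501 to 2; keyed on verified identity, the result is 2 to 2 with 499 ballots rejected.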
In the wake of Cambridge Analytica, Experian, and other hacks, we now are beginning to see the cracks in our system. Fake or stolen digital identities are at the heart of Russian election meddling, global credit card fraud, and our very own Hacker Noon hack.
At Passbase, we aim to build a more secure future in which we can trust the identity of others online and unlock the next generation of trust-based products — from secure polling to on-demand babysitting.
A Final Word
Obviously, we cannot, and will not, in good faith accept this award, and we apologize to all those who competed fairly. In the spirit of redemption, we offer our verification services to Hacker Noon for the 2020 Noonies, free of charge, to ensure their polling process is free from manipulation.
By shining a light on this vulnerability, it is our hope that the necessary precautions are taken to ensure the sovereignty of future elections both large and small. Hacker Noon isn’t the only one running an election in 2020…