Comment by polon 4 days ago

5 replies

I think this is covered on the page

"Successfully manipulating a poll which employs this method would require following efforts and resources:

Gaining control over a large number of devices in the target geographic region for submitting votes through those devices"

So yes, it seems like it can be defeated via a remote desktop (or any proxy in the allowed area)

comex 4 days ago

You don’t even need to gain control over a large number of devices in the region.

You just need _one_ device in the region, which can connect to the VPN or proxy service you were already using (the assumption seems to be that the attacker has a large number of IPs they can access through such a service). That device will get some added latency from going through the VPN/proxy, but because it’s physically close, the added latency will be small, probably not enough to reliably detect.

  • 85392_school 4 days ago

    If you're using a proxy, I don't think whether or not the source device is in the region changes anything. The only variance is in the time from where traffic exits the proxy to servers.

banana_giraffe 4 days ago

> Gaining control over a large number of devices in the target geographic region for submitting votes through those devices

Does AWS Lambda count as a machine for these purposes? If so, you can get a nearly infinite number of them just by cycling a config param and casting another vote.

  • gavinsyancey 4 days ago

    I assume they'd just ban the entire AWS IP block. And similarly for other cloud providers.

ghayes 4 days ago

Couldn't the "test" add some variety of math challenge, thus making a simple proxy insufficient? Obviously, this method would add more noise to the final calculation, but if the proxy would need to forward its data to the end-user machine to perform the math, then a simple proxy in this case wouldn't be sufficient.