I've added the best hash to the results when the client sends back the metahash, and as I thought, the results are highly erratic. Averaging over 10 minutes doesn't reduce the error to an acceptable level. Averaging over longer periods would either mean clients must stay connected longer, or the server must save the client's work between client connections, and I'm not prepared to write all the code involved in tracking and saving client state.
So... have clients send back their best N hashes (and the average should be N times better).RE: detecting server cheating: Over a very long period of time, clients should be able to figure out approximately how many hash/sec the server's network is generating. So they should be able to detect blatant cheating. I should've taken statistics in college, seems like it'd be an interesting problem to work out the chances that a server is lying based on how many blocks it has generated over the last week...