
Reverse Engineering Ticketmaster's Rotating Barcodes

RScholar
33 replies
1h39m

Software developers are the wizards and shamans of the modern age. We ought to use our powers with the austerity and integrity such power implies.

This is one of the most powerful truths underlying the world we currently inhabit. The sooner we can agree to behave accordingly, the better our prospects for ripping the reins of society from the hands of those whose only animating principles are avarice and exploitation.

mattmaroon
14 replies
1h14m

I still don't blame the developers, I blame government. It's not the job of rank and file workers to police companies. I wouldn't work for LN, but I'm not going to blame someone else for doing so. We've all gotta feed our families. (I realize there's a line somewhere, you wouldn't excuse a prison guard at Auschwitz the same way, but I can't get too worked up about a developer making a ticketing app even if I hate the ticketing company.)

Developed countries long ago came to the conclusion that companies should not be allowed to have monopolies because it is bad for society as a whole, and it's hard to think of a current monopoly as egregious as this one. There is absolutely no reason one company should have exclusive rights to 85% of large venues, also be an event promoter, and also be the ticket seller.

Anything their developers do is not the real issue, a society that allows this to happen in the first place is.

ilrwbwrkhv
13 replies
1h3m

I mean would you say that developers who work for Facebook have crossed that line?

NavinF
10 replies
54m

...by doing what? FB is one of the largest employers of people on this site. If you ran a poll, I'd expect the majority to answer "no" to your question. Of the people who answered "yes", I bet the majority would still accept an offer from FB if it was just 20k more than the next best offer.

ilrwbwrkhv
9 replies
44m

One small example: In 2012 Facebook emotionally manipulated people in the name of science without anybody's consent by controlling positive / negative posts on their news feed.

Right? Wrong? Discuss.

NavinF
5 replies
39m

https://xkcd.com/1390/

I don't see the issue. Every social media site does this, FB was just naive enough to share their research

ilrwbwrkhv
3 replies
27m

And this just proved my point. During the Nazi regime, everyone was hating the jews. And everyone was doing fascism.

Now to bring this to a close, people like you, who will jump companies for 20_000 and have lost the ability to see a clear ethical violation will be holding the guns and guarding the gas chambers when the next Hitler comes along. Meditate on this.

Also this XKCD is dumb. Previously the feed was chronological posts of friends, which was definitely more ethical. But of course that didn't make people addicted enough.

mattmaroon
0 replies
17m

If that proved your point, you didn’t have a point. If you can’t see the difference between genocide and lack of informed consent on a social network algorithm experiment you can’t be helped.

I’m all for moral relativism, but there’s no future in which Facebook’s current actions aren’t at least reasonably debatable, and no past in which Auschwitz was.

If you wanted an example of where the line gets blurry (it does sometimes, just not in either of these) I’d go with pharmaceuticals.

immibis
0 replies
2m

One thing I have learned from the internet is that if you mention the Nazis or the Jews, you lose, good day sir, even if you are right.

People are illogical.

gowld
0 replies
2m

Did you get informed consent from me regarding the methods by which you constructed your comment? Or are you manipulating my emotions unethically?

pfisherman
0 replies
24m

The issue is the lack of informed consent. This is pretty basic ethical conduct of research stuff.

sethammons
1 replies
28m

I can't put any facebook developer in the same bucket as a guard at a concentration camp.

gowld
0 replies
4m

Because a concentration camp guard would be jailed or killed for refusing service, but a FB dev would lose a few $thousand in opportunity?

photonbeam
0 replies
55m

Depends on when they joined

mattmaroon
0 replies
55m

No. Not even close.

fmbb
5 replies
1h5m

I don't think it's a truth.

Shamans and wizards (never heard this used to describe anyone in history but let’s assume it’s just any kind of supposed magic user) were people at the top tier of their societies in terms of political power. Not kings or chieftains, but above everyone else.

Programmers are just making a living selling their labor power like every other office drone in the world. We’re one of the most common lines of work out there.

If you want the mysticism angle, we are like those kids they used to catch “witches”.

namaria
1 replies
46m

Are there any documented examples of societies where "magics", "shamans" or "wizards" were at the top of the hierarchy? I gotta say, I'm an avid reader of Ancient History and Anthropology and the closest I can think of is the Priest-Kings of Sumeria and your garden variety theocracy, and the latter is much more of a priestly bureaucracy than anything else...

dgb23
0 replies
20m

Perhaps not at the top in terms of day to day decision making and wealth, but the first that came to mind would be celtic druids and bards.

sethammons
0 replies
26m

I think you don't know what you think you know. My mom is a shaman type. These types often live at the outskirts of society where no well-to-do person would like to be seen. Zero political power but enough utility to keep at an arm's distance -- further if possible while not needed.

rangerelf
0 replies
1m

"Shamans and wizards (never heard this used to describe anyone in history but let's assume it's just any kind of supposed magic user) were people at the top tier of their societies in terms of political power. Not kings or chieftains, but above everyone else."

I don't know where you came by such a notion; Shamans, "Wizards", witches, "wise women/men", are usually shunned from society such that they tend to live near the outskirts of towns or cities, nobody really wants to live close to them; and when "bad things happen" tend to be the first ones to get blamed for it; then they also are commonly used as scapegoats for whatever political, economic or religious effort some corrupt officials try to push.

That doesn't sound very societal top-tier to me.

We're definitely not witches or wizards, at most we are scholars or [specialized] craftsmen. "Knowledge workers" if you will. Not as unlikable as the wise folk that live towards the edge of town, and not as at risk of getting tied to a post and lit on fire because the bishop believes we commune with unclean spirits.

pseudo0
0 replies
44m

Yeah, we are more like masons. We have useful skills that enable building impressive things, but at the end of the day we are building someone else's cathedral.

dylan604
4 replies
1h22m

Given that we have had less than benevolent wizards and shamans, why would we expect to have a modern-day equivalent of only benevolent coders? It's such a fairy tale level of expectation that it seems childish. Spending any energy in trying to make the real world a fairy tale is just wasted.

GenerocUsername
2 replies
1h21m

It's okay to shame bad actors.

In fact, society would likely be better off if we brought back more public shaming.

sudobash1
0 replies
1h11m

I think that this is predicated upon a reasonably well informed and educated public. And my estimation is that the general populace is not informed enough on cryptography to be in a position to shame Ticketmaster engineers.

Also, my impression is that there is already copious amounts of public shaming. Some social media sites seem largely devoted to that. And unfortunately, I don't think most people fully deserve the verdict that they get in the court of public opinion.

ants_everywhere
0 replies
41m

This is certainly not true. Can you name an existing or historical shame-based society that you would actually want to live in?

mattmaroon
0 replies
1h11m

We wouldn't. You might expect that on an individual level. But at a society level, I would expect any company that's doing things that are specifically allowed by our government (who did approve the Ticketmaster Live Nation merger) to get their jobs filled just like any other. I think Ticketmaster is evil, another developer might not. That's fine, they're not killing people or dumping toxic chemicals into reservoirs, we can agree to disagree.

My outrage is directed entirely at the government agencies whose job it was to stop this, not the developers making a ticketing app.

mym1990
1 replies
1h30m

This is not only a truth of the world we currently inhabit, it has always been a truth, of all the worlds we have inhabited. Power and greed go hand in hand for a reason and the struggle to find the balance is, and will always be present.

joelfried
0 replies
1h23m

It was not true of this world 150 years ago that any person with sufficient learning could tap buttons to create an experience to be found in the hand of the majority of living humans.

I agree power and greed go hand in hand - absolute power corrupts, absolutely - but this bit? This is new.

yread
0 replies
47m

I personally think we are more like "plumbers but with JSON". I have principles and apply them but I don't expect the others to do that

lowdownbutter
0 replies
52m

"In effect, we conjure the spirits of the computer with our spells"

t. Introduction of SICP

TheCraiggers
0 replies
42m

Programmers being analogous to wizards or martial artists made more sense back when one used to need to train years or decades to become one.

With age comes wisdom.

There has been a lot of good that came from making coding more accessible; I'm not trying to gatekeep. But I do think that this is one instance where the outcome is worse. The martial arts masters still unquestionably exist among us. It's just that they're now surrounded by younger, less-wise people with guns. Both types can fight an army, but only one has the wisdom to know when it's better not to.

PUSH_AX
0 replies
1h11m

It’s interesting, the more we agree and hold strong, the higher the demand grows for engineers who would help some companies create their hellscape. The incentive will grow higher and higher until people break rank. And you start over.

noodlesUK
19 replies
2h3m

This sort of ticketing thing is a trivially solvable problem. It is solved at every airport in the entire world millions of times per day. You provide the name of each concertgoer when you buy a ticket, and they show up with their ticket and ID. You often need to show your ID at these kinds of venues to prove you're old enough to drink beer anyway.

cogman10
9 replies
1h59m

Yup.

I have to believe the reason the likes of ticket master isn't fixing this is because they are selling/auctioning/reserving some percentage of tickets to scalpers or "3rd party sellers".

Requiring ID is such an obvious solution that I have to believe these convoluted approaches are only there so the secondary market can exist and so ticket master can wash their hands when prices get out of control on that market.

oehpr
7 replies
1h42m

I have to presume that the driving impetus of all of this is that they're trying to avoid the actual requirement of checking the ID. Like, they want to improve the flow of traffic through admissions.

But I mean, obviously, any kind of system like this strikes me as the same sort of thing as DRM. That you can somehow protect the message from the person you're sharing the message with. How can you avoid reselling if you don't verify the original purchaser? It just seems ridiculous on its face.

cogman10
4 replies
1h20m

So even if you don't want to do the ID thing, there are alternatives that you see all over the place (like venmo) Have a rotating QR code seeded with a unique to the user id. Then with ticket master, require a login to buy tickets. Register the tickets to the ID and then do the lookup with a combination of the ticket id, rotating qr code, and the user id.

That requires the admitter device to send the challenge back to HQ, but that shouldn't really be much of a challenge. Tickets then become linked to the user's account (perhaps you allow transfer).

This is effectively what Disney does with their ticketing system, along with at the gate them taking a picture of you so they can confirm "Yes, so and so looks like the photo".

But yeah, all of this is ridiculous on its face as the cheaper and easier solution is ticket plus ID. If you are worried about flow have signs up before check in that say "be sure to have your ID ready before you get to the counter".

The ticketmaster solutions are just bad/half assed.

That is to say, if Ticketmaster had just done TOTP like the article points out, you'd not need the headache they've created with needing a live internet connection to load your ticket.
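The scheme sketched above (a rotating code seeded with a per-ticket secret, tickets bound to an account, the gate checking ticket id plus code), written out as an added example. This is illustrative code, not Ticketmaster's format and not from the article: the `ticket_id.code` payload layout, the 15-second rotation step, one step of clock skew, and the gate syncing the ticket table before doors open are all assumptions. The code itself is plain RFC 6238 TOTP over HMAC-SHA1, which is why the gate needs no live connection once it holds the ticket table.

```python
"""Offline-verifiable rotating ticket barcode built on TOTP (RFC 6238).

Added example, not Ticketmaster's implementation. Assumptions: barcode payload
is "<ticket_id>.<6-digit code>", codes rotate every 15 s, the gate accepts one
step of drift either way, and the gate has a copy of the ticket table that was
synced before doors open.
"""
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 15   # assumed rotation interval
DIGITS = 6
SKEW_STEPS = 1      # accept codes from the previous/next step for clock drift


def totp(secret: bytes, unix_time: float, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226, HMAC-SHA1, dynamic truncation) over floor(t / step)."""
    counter = int(unix_time) // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TicketServer:
    """Issuer side: binds a ticket to a purchaser account and mints a per-ticket secret."""

    def __init__(self) -> None:
        self.tickets: dict[str, dict] = {}   # ticket_id -> {"account": str, "secret": bytes}

    def issue(self, ticket_id: str, account: str) -> bytes:
        secret = secrets.token_bytes(20)     # 160-bit secret, delivered once to the holder's device
        self.tickets[ticket_id] = {"account": account, "secret": secret}
        return secret


def render_barcode(ticket_id: str, secret: bytes, now: float) -> str:
    """What the holder's device encodes into the barcode; needs only the secret and a clock."""
    return f"{ticket_id}.{totp(secret, now)}"


class GateVerifier:
    """Gate side: verifies against a local copy of the ticket table, no network needed."""

    def __init__(self, tickets: dict[str, dict]) -> None:
        self.tickets = tickets
        self.admitted: set[str] = set()      # each ticket admits exactly once

    def verify(self, barcode: str, now: float) -> tuple[bool, str]:
        try:
            ticket_id, code = barcode.rsplit(".", 1)
        except ValueError:
            return False, "malformed"
        rec = self.tickets.get(ticket_id)
        if rec is None:
            return False, "unknown ticket"
        if ticket_id in self.admitted:
            return False, "already admitted"
        for k in range(-SKEW_STEPS, SKEW_STEPS + 1):
            expected = totp(rec["secret"], now + k * STEP_SECONDS)
            if hmac.compare_digest(expected, code):    # constant-time compare
                self.admitted.add(ticket_id)
                return True, rec["account"]
        return False, "bad code"


def demo(now: float = 1_700_000_000.0) -> dict[str, tuple[bool, str]]:
    """Issue one ticket, then present a live code, a replay, a stale screenshot and a bad id."""
    server = TicketServer()
    secret = server.issue("T-0001", "alice@example.com")      # constructed sample ticket
    gate = GateVerifier(dict(server.tickets))                # snapshot taken before doors open
    live = render_barcode("T-0001", secret, now)
    stale = render_barcode("T-0001", secret, now - 10 * STEP_SECONDS)   # screenshot from 150 s ago
    return {
        "live": gate.verify(live, now),
        "replay": gate.verify(live, now),
        "stale": GateVerifier(dict(server.tickets)).verify(stale, now),
        "unknown": GateVerifier(dict(server.tickets)).verify("T-9999.123456", now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:8s} -> {result}")
```

The point the example makes concrete: the holder's device needs the secret once, at purchase time, and the gate needs the ticket table once, before doors open; nothing at scan time depends on the venue's connectivity. A screenshot shared with a friend stops working one or two steps later, and the `admitted` set stops the same code being scanned twice within a step.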

KennyBlanken
2 replies
1h12m

You don't understand how people at their companies evaluate stuff like this.

Any solution that increases capital or operating expenditures for them or the venues (half of whom they own, if I remember correctly?) is a non-starter if it doesn't generate some increase in revenue.

They will not do anything they don't have to do if it means any impact to their bottom line whatsoever.

We see it as "pennies per transaction."

They see it as "we sell 500M tickets per year so five cents per transaction is $25M/year in lost net."

cogman10
1 replies
1h6m

Well that's where I'd argue they are negatively impacting their bottom line.

"These rotating barcodes on the other hand are far from perfect. I experienced this first-hand last year when I attended another very popular concert where they used a similar rotating-QR-code-ticket system. Numerous people including myself and my friends were floundering at the entry gate citing a bevy of broken barcode problems. ...

The venue was so crowded that cell-towers and WiFi were overloaded. Internet access was spottier than a Dalmatian with chickenpox."

That is impact to their bottom line. They have admittees waiting at the gate blocking other people from getting in cutting into their concession sales.

If they'd used a bog standard TOTP system (like the op suggests) that would not be an issue at all. But instead, because they have the dumb system where you reach out to the Ticketmaster servers to get your code, they've created their own nightmare.

lmz
0 replies
21m

"I experienced this first-hand last year when I attended another very popular concert where they used a similar rotating-QR-code-ticket system. Numerous people including myself and my friends were floundering at the entry gate citing a bevy of broken barcode problems."

That's a different system. The article makes it clear that the Ticketmaster system works offline if you have opened it on the mobile app. Which they don't want to install.

monksy
0 replies
48m

Disney is collecting pictures of everyone's faces. That's pretty creepy.

jrockway
1 replies
1h25m

Yup exactly. Some events are pretty bad at opening the doors early. The Brooklyn Nets seem to open 30 minutes before the game, so they need to get 20,000 people through 20 metal detectors in 30 minutes. Every second extra they add to the process is a second you don't have to buy a $25 drink, and that's how they make their money.

We check IDs for flights because airline yield management demands that there be no resale, or business travelers would be traveling on leisure fares.

BobaFloutist
0 replies
27m

"We check IDs for flights because airline yield management demands that there be no resale, or business travelers would be traveling on leisure fares."

Sorry, what? Surely business travelers pay more just by virtue of traveling by business class? Or, if travel through business portals was consistently significantly more expensive than just buying the ticket directly on the airline's website, businesses would just start buying tickets directly from the airline's website?

Is there something about how ticket fares are calculated and paid that I don't understand?

makestuff
0 replies
48m

Yeah I agree, they are not incentivized to fix scaling/bots because they get a fee every time a ticket is sold. It is in their best interest for the ticket to be sold as many times as possible.

tqi
2 replies
1h36m

People often buy tickets without knowing exactly which of their friends are going to attend with them. This is not true of airplane tickets.

mattmaroon
0 replies
1h6m

One ID for the entire order would be fine. You can buy 4 tickets, and go into the concert with your 3 friends. It often works this way even with no ID involved, I buy two tickets, add them both to my wallet, scan them both when my GF and I go to the show.

You COULD still scalp tickets if the person who bought them from you is going to walk in with you. But the scalper would have to eat the cost of one ticket to do it, and it's probably onerous enough to severely reduce the impact of scalping.

actionfromafar
0 replies
1h29m

Would be awesome if it were true for airplane tickets

storyinmemo
2 replies
1h39m

But also, the hell with this. I'm still sour enough about the TSA without the concept of, "I'll buy tickets for me and three of my friends then see who wants to go," becoming impossible or gated by ticket transfer fees.

toomuchtodo
0 replies
1h20m

Airlines are preventing a secondary market. Unfavorable for your use case, but also prevents scalping airline tickets (while allowing airlines to attempt to maximize revenue). There are always tradeoffs and compromise.

To hack around this, I've used Southwest Airlines; I can buy tickets for folks and if they can't travel, we cancel the ticket(s) and keep the travel funds banked for another time. I hope this is potentially helpful information.

https://simpleflying.com/why-airlines-dont-allow-name-change...

swores
0 replies
1h26m

Even allowing that but requiring your valid ID must be taken into the venue by yourself (or by your friends eg if you get sick and can't go) would be a big improvement, meaning ticket scalps would have to actually go or have someone on their team go along with every ticket they resell.

wombat-man
0 replies
1h58m

Hell, you just scan your ID at TSA nowadays. They don't need your ticket.

lilyball
0 replies
22m

Flying requires an ID. Attending a concert should not. Any solution that is solved by "simple, just require an ID" is not a solution.

__MatrixMan__
0 replies
1h15m

That requires a single source of truth for which names go with which tickets. Which is going to be a problem if tickets need to be transferred in contexts where users don't have internet access (but they do have local connectivity between devices) or in contexts where the venue doesn't have internet access. Or in cases where the single source of truth might be vulnerable to attack or doesn't have the resources to handle the load at certain times.

I don't have the solution explicitly, but it seems like it ought to be possible to do this such that PII need not be collected. Tickets could be cryptographic proofs that a chain of custody exists and meets certain criteria. The proofs could be constructed at transfer time and verified at admission, no servers in the loop anywhere. Yeah, we'll come up against the CAP theorem eventually, but we might find that the imposed constraints are workable.

haburka
17 replies
2h36m

Isn’t this a bit like irresponsible disclosure? Since this may be considered a security vulnerability. Although it’s all client side, I’m sure there’s some basis for a lawsuit here.

Thaxll
3 replies
2h25m

Everyone want Ticketmaster to die.

criddell
2 replies
1h54m

Except for a lot of performers and venue operators. Ticketmaster is paid well to be the bad guy. They often share the fees with both the performer and the venue.

magnetowasright
1 replies
1h8m

I'm sorry to be that guy but do you have literally any source for this?

Might just be the musicians I like, or the fact that negativity is better for clicks, but I've never seen an artist saying they get any benefit from ticketmaster's fees and other such shenanigans; I've only seen artists and venues saying that they don't get any money or benefits at all from ticketmaster's racketeering.

criddell
0 replies
28m

From the Ticketmaster website:

ticket fees (which can include a service fee, order processing fee, and the occasional delivery fee) are determined by and shared between the parties who have a hand in making live events happen including venues, Ticketmaster, sports teams, leagues and promoters

When the artist doesn't want their fans to be charged big fees - they have some say in it. Robert Smith of The Cure made a stand on this last year and got Ticketmaster to refund a bunch of money.

12_throw_away
3 replies
2h22m

"Responsible disclosure" is poorly defined corporate wishcasting, and certainly not any sort of best practice or legal shield.

Aachen
2 replies
2h0m

The public prosecutor does not pursue cases where responsible aka coordinated vulnerability disclosure was applied. I'd say that's a legal shield of some kind at least, and it is generally also considered best practice in the industry. There's exceptions to everything but, in the general case, I'm not sure where you're getting these viewpoints from

blincoln
1 replies
1h41m

"The public prosecutor does not pursue cases where responsible aka coordinated vulnerability disclosure was applied."

That seems like a pretty substantial claim to make without any sort of "in [country/state/province/etc.]" qualification, let alone a reference.

speed_spread
1 replies
2h6m

If it runs on my CPU and shows up on my screen after I paid for it, it's mine and I can do whatever I want. Anybody who thinks otherwise can fuck off outright.

warkdarrior
0 replies
41m

That's exactly the same policy I apply to AGPL software. I paid for it ($0, as mandated by the developer) and it runs on my CPU.

willcipriano
0 replies
2h31m

Responsible disclosure is something you pay for, not something you are entitled to.

jjcm
0 replies
2h30m

It requires sniffing your own session credentials first, which I don't see as a security vulnerability.

The only thing it allows you to do is sell your ticket, which is legal to do.

jcranmer
0 replies
2h5m

I'm struggling to come up with a good basis for a lawsuit. CFAA abuse is the first thing that comes to mind, but this is a real stretch for that, and SCOTUS shut that stretching down a while ago. DMCA doesn't come into play, since this isn't circumventing any copyright protection schemes. So this kind of leaves you with some form of contract violation, but even that seems like a stretch here. Tortious interference or interference with prospective business? I mean, I don't see any events complaining about this (hell, Ticketmaster itself arguably has some contract liability issues with the fact that their technology relies on cell service which tends to be spotty in dense crowds). So you're kind of left with some individual contract liability issue, which is literally not worth the cost of litigation.

efitz
0 replies
2h31m

The app-based barcodes don’t seem to be solving a security problem for customers - they seem to be for the purpose of ensuring that traditional scalping doesn’t work, forcing ticket resale into a market that TicketMaster can profit from.

I would consider it unethical to publish details of an unpatched vulnerability that allowed ticket forgery, but I don’t think it’s unethical to bypass DRM-like controls for personal convenience rather than commercial purposes.

Of course opinions may differ on this.

coldpie
0 replies
2h11m

Nah. Ticketmaster is unethical enough that spreading information that harms them or helps them go out of business is ethical.

bangaladore
0 replies
2h32m

It is my opinion that you do not need to responsibly disclose "security by obscurity"

Additionally, what is irresponsible here? Its not like this gives you the capability to clone tickets without first having a ticket in the first place.

AlotOfReading
0 replies
2h31m

How is this a security vulnerability? It's displaying the exact bits Ticketmaster uses and explaining what those bits are. They're not circumventing security systems, just the requirement to use the app.

phoronixrly
11 replies
1h58m

With regards to the end of the article.

Can I work for a bad company and still be a good person?

No.

https://apenwarr.ca/log/20201121

probably_wrong
7 replies
1h30m

I'm glad we cleared that up. Now all that remains is a good, measurable definition of what a bad company is.

munk-a
3 replies
1h27m

You're trying to get quantitative about a qualitative problem.

probably_wrong
0 replies
1h19m

The problem is that "bad company" is such a nebulous concept as to be useless, as the JSON license showed with their "shall not use this software for evil" clause.

No matter which company you choose, someone somewhere will find a justification for why they are actually not bad. Weapons dealer? Protecting your nation. Destroying local businesses? "They are just adding efficiency to the market". Kill someone with bad practices? "Still safer than the alternative". Ticketmaster? "The scalpers are giving a subvention for those who cannot afford the real price".

Setting up a straw "bad company" and knocking it down doesn't help anyone on the real problem of people working for unethical companies.

its_ethan
0 replies
1h19m

That's their point. They're poking fun at how the OP is speaking in absolutes about something subjective/ opinion based.

blowski
0 replies
1h21m

So if you think a company is bad you shouldn’t work for them. Perhaps many of the people working for TicketMaster don’t think they’re a bad company.

rozap
0 replies
52m

It's not hard if you remove the self delusion. Removing the self delusion is maybe tricky for the individual, but it's easy for people around the individual to see. Societal tools like shame are generally used to encourage people in the right direction, but we don't do a great job of this in America, because money tends to override everything else and I don't think we have good structures around expressing non-monetary values like honor.

Especially on the west coast, we're so passive in our shaming of people that it probably doesn't translate to action. There are people who work at Evil companies like Facebook, etc, who are otherwise nice, but I find myself not including them or turned off to them as friends because this sort of contradiction is hard to square in my brain. Of course I wouldn't communicate this, being a passive PNW raised wimp, and it's not even super explicit in my mind, it's really more of a bad vibe than anything else. I imagine over time if enough people act like I do, it doesn't actually translate to different decisions from the individual in question, but instead translates to them waking up one day feeling distant and unfulfilled, which is probably the worst of all outcomes. They still work for Bad Company, but are also sad about it, and there's a general sense of malaise pervading life that's hard to pinpoint.

*Obviously this all ignores the people who don't have a choice of employment. But here I'm generally referring to software people who have high pay and career mobility. Things get murkier when the conversation is opened up to people who are just trying to survive.

__MatrixMan__
0 replies
1h24m

It's like porn. You know it when you see it and also there's quite a lot of it.

TremendousJudge
0 replies
21m

If you're asking the above question, it means you already think the company is bad according to your own morals.

sethammons
0 replies
22m

Does this extend to where you live and pay taxes?

digging
0 replies
59m

And pretty much every company is bad. But this is a wrong answer because the question is actually nonsense.

The answer to "What happens when you move faster than light" is not "nothing", it is undefined because the question is invalid. Asking if a person or a company is good or bad isn't a question that can ever have a well-defined answer: the answers we give are rounded according to our own values. To get more specific, not all of us have a huge amount of choice in who we work for.

If apenwarr believes I want to be a good person they should hire me at Tailscale. What's that, they won't? They don't have openings, or I'm not qualified? I guess they're the bad person because now I have to work for a bad company or lose my income. And if I lose my income, my co-habitants lose their housing, and my donations to good causes dry up. Do I just not do enough good for apenwarr? They must be a paragon of virtue. Surely they don't eat meat, or even associate with meat-eaters. Surely they don't fly in airplanes.

__MatrixMan__
0 replies
54m

I think we should make an exception for saboteurs.

irjustin
11 replies
1h55m

I agree the implementation is bad, but the opening complaint that "the old way of printable tickets was great, why change it" has so many problems.

Scalpers are the problem that you have to accept. At the time of purchase, there's no way to tell the difference between a legit purchaser and a scalper or even someone who bought it and simply can't go and needs to resell.

IDs, ticket limiters, CCs, etc, etc. All methods can be circumvented by someone dedicated enough. You can only make it "not scalable" but the tickets still need to be transferable, securely.

Unless we're willing to go ID checking at the gate, there's not going to be a true solution.

jjmarr
9 replies
1h41m

Buying something at a low price and selling it at a high price is arbitrage 101 and is free money.

The "true solution" is to sell tickets at their actual market price instead of pretending that the face value of concert tickets isn't increasing due to a larger population and greater demand.

danudey
2 replies
1h29m

IOW the true solution to scamming is to raise prices so high that only the extremely wealthy can afford them, regardless of how accessible the actual concert/act/group/promoter wants the show to be.

The "real" solution here would be for Ticketmaster (or whoever) to actually make a ticket non-transferable somehow, and then allow for tickets to be transferred directly through the original website for at most the original ticket price, and refund me the money.

For example, if I have a $200 ticket and I can't make it and want to sell it, I can post up a link to the original ticket seller's website (in this case Ticketmaster) where someone else can go buy it, and, if they do, I get a refund of the amount they paid. I can say how much I'm willing to accept (full price, $150, whatever) and someone can go buy "my" ticket, potentially at a loss if I'm willing to accept it. Ticketmaster can make money on these tickets by charging a non-refundable processing fee or whatever to everyone (the original buyer and any subsequent re-buyers). They make a tidy profit, everyone gets what they want.

The only complications are

1. Making the tickets non-transferable but also work offline is a difficult technology problem.
2. Ticketmaster is an unregulated monopoly and thus has no incentive to behave in the best interests of the market or its customers when they could rake in millions more by screwing everyone except the scalpers.

xp84
1 replies
41m

Can’t someone hack your system by selling access to the link you mentioned for $500? Thus getting you the refund Ticketmaster knows about, and the private payment from the desperate buyer. Also, credit card processing fees used to be refunded when you refunded a transaction, but now I think some processors have now decided to start keeping the fees, because why not. Another 3% margin to apply at each sale (though that can be included in the transfer fee you suggest)

BobaFloutist
0 replies
20m

"Can't someone hack your system by selling access to the link you mentioned for $500?"

Not if they index the resales on their website and make them searchable.

People could still perform arbitrage by snapping up any resales significantly under the original price and reselling them at the original price, but at that point they're not making that much money and people are paying less than the original price, so the impact is just that you can't get a discounted resale. Which still sucks, but it sucks a lot less.

its_ethan
1 replies
1h25m

Buying something at a low price and selling it at a high price is arbitrage 101 and is free money.

A bit of a nit pick, but this isn't "free money" unless you have a guarantee that someone will actually buy at the higher price. You could buy low, be unable to sell, and end up eating the "buy low" cost.

sell tickets at their actual market price

How do you know what their actual market price is? You have to open it up to a market, where supply/demand get to play out.

IIRC some ticketing company tried doing something to this effect by scaling prices in realtime based on how many people were also trying to buy. I believe it was widely criticized as unfair/exploitive.

So you're back to square one then, where you have to set some price.

fluoridation
0 replies
52m

I mean, it may very well have been criticized, but how is it any less fair than the alternative? As for being exploitative, that's kind of the point. The company figures for most shows it's leaving money on the table for scalpers to take. The other side of it is that if a show bombs the ticket prices can be reduced to encourage people to come.

To be honest, it seems overall a better solution.

xp84
0 replies
33m

People will scream (including in this thread) that it’s “unfair” that ‘only the wealthy can afford them then’ but their beef is with scarcity and thus with reality. It’s always “unfair” to the 10,001st person who wants to attend the concert with 10,000 capacity. Today it’s a weird lottery with 6 different fan and credit-cardmember presales, which each sell out immediately, and the “backstop” at the end which is the ability to buy expensive scalped tickets.

There are finite tickets but unbounded demand. A lottery means you can slightly adjust the distribution of poor vs rich, but in practice today it still advantages those comfortable enough to sit around refreshing their computers at the right moment, instead of working. And lots of opportunists will snap up those tickets you are hoping poor people will get, to sell them to the wealthy.

In my opinion for in-demand shows it should just be a Dutch auction (all of the highest 10,000 bids win, awarded at some fixed cutoff date before the event). If not enough bids are received, the concert isn’t sold out, so then the rest go on sale for the lowest bid.

tptacek
0 replies
1h6m

It's only free money if there's no risk, and if there's no transaction cost to acquiring at the lower price. If there's no risk in buying something low and attempting to sell it high, then that thing is mispriced.

coldpie
0 replies
1h37m

The "true solution" is to sell tickets at their actual market price

That is *a* solution but it isn't *the* solution. The fact that many smart people are not choosing that solution is an indicator that there are some factors to the problem that you aren't considering.

bubblethink
0 replies
16m

The reason they don't do that is to have an organic fan base of poor people who drive up the prices for the rich people. If you eliminate the poor people, the rich people aren't going to take the band forward. They'll move on to whatever the next shiny thing is. You need a hardcore fan base of poor people to support and grow your valuation.

Y_Y
0 replies
1h51m

That's because there isn't a difference between a "legit purchaser" and a scalper except their intentions, which you can't get from any kind of barcode.

frizlab
7 replies
2h5m

How about the “Add to Apple Wallet” option? He did not talk about that at all, but AFAIK the ticket would be fully available offline and not in Ticketmaster app, no? It’s actually an elegant solution IMHO.

tkems
3 replies
1h53m

I just added a ticket to my Google Wallet for a concert last night and it was very similar to the Ticketmaster/LiveNation app. The PDF417 barcode changed and had an animation around it. My guess is that it is the same or very similar on Apple devices.

rareitem
2 replies
1h52m

So items inside google/apple wallet don't need to be 'static'?

tkems
0 replies
1h48m

With Google Wallet (the only one I have at the moment), it is not static for the ticket. It has an NFC and barcode option. The barcode changes every 15 seconds for me.

padthai
0 replies
1h49m

No, I have flight tickets autoupdate when there is a delay.

divbzero
0 replies
1h35m

Yes, it is available offline if you “Add to Apple Wallet”.

The ticket in Apple Wallet is still revocable if you transfer the ticket to someone else using Ticketmaster’s website, probably through an update that Ticketmaster pushes to the wallet [1].

[1]: https://developer.apple.com/library/archive/documentation/Us...

abofh
0 replies
2h0m

They mentioned avoiding google wallet, so we can assume android, and that apple wallet wasn't considered for not being an option for them.

TeeWEE
0 replies
16m

The barcode in apple wallet also auto-updates.

725686
7 replies
1h27m

A few months ago I went to Las Vegas to watch U2 at the Sphere. When I learned that I needed to open the app or website in order to get in I panicked in fear of the shitty internet that is common in massive events, so I opened my tickets since I left the hotel. Unless this stuff works completely offline, it is a terrible idea.

tptacek
2 replies
1h7m

As the article notes, this ticket system does in fact work offline.

mattmaroon
1 replies
1h2m

Well, as it also notes, it works offline if you remember to open the ticket before you get there, and they don't (or at least didn't used to) give you sufficient warning. I found out that's how it works the hard way when it was new by having to walk a half mile back from the venue to get service to load the tickets.

There's also the chance the ticketmaster app won't work properly later even if you did do it. I've had other apps shit the bed for no apparent reason in offline mode before. I add them to my wallet now just in case.

tptacek
0 replies
22m

Sure, I'm just reacting because TOTP is like the textbook example of a system designed to work without interactive access to a networked resource. The whole thing as TM designed it has crappy affordances, but you could fix that without breaking the design.

dylan604
2 replies
1h20m

There's no way that I trust the developers of a company like Ticketmaster to install their app on my device.

jen20
0 replies
38m

What is the worst that can happen? I have it installed on my iPhone and deny whatever permissions it asks for.

I have enough confidence in the sandbox that "installing an app" is basically never an issue (though I don't out of the principle that most things companies have apps for just shouldn't be apps).

NavinF
0 replies
42m

You don't trust your OS to sandbox it? With a threat model like that, I wouldn't use any apps other than the browser

swozey
0 replies
1h14m

I used to work for a mobile event app company that made a lot of the big festival/conference apps. Everything was built to function locally from a sqlite file on your phone that was constantly updated when you did have coverage.

It was 100% expected that you would have no cell signal the entire event and we built in as many mitigations as we could think of.

This was 2013ish, I think there are a lot more mesh network devices that can relay signal nowadays but I'm not involved anymore in that stuff.

It was the best on-call I've ever had because.. nobody had cell signal while the event was on to complain about something.

This person complains that people didn't have network access on their phones when they were at the gate. I can only assume that they waited till they were at the gate to install/use the app so it never got its offline data.

Always open your event apps before getting to the event. Sometimes they're completely bare bones and have to reach out and pull that app's specific database so it's sure you have the latest. Most of the event apps are a template that is modified for each event and just has different assets/sqlite.

lakerz16
6 replies
1h14m

I hate TM and ridiculous fees as much as anyone, but this article is overly hyperbolic.

There's a section named "Pirating Tickets", that just explains how to re-create a barcode that you already paid for. You're not using this to rob anyone of anything.

And at the end, "Have fun refactoring your ticket verification system". Why? There are no vulnerabilities here. A rotating barcode (even if following a known pattern) is still more secure than a static barcode on a piece of paper.

CYR1X
2 replies
58m

It's piracy in a way that's analogous to ripping like Netflix content. You are breaking away from DRM which is piracy. They also cite the potential to have multiple tokens valid per one ticket which would let multiple people get in with the same ticket.

lakerz16
1 replies
37m

I'd argue that a few extra people sneaking in on the same ticket (assuming this is even possible) is more like sharing your Netflix credentials than ripping Netflix content and having it be shareable with the entire world.

You're also walking into a stadium/concert in plain view of security cameras, so the stakes and deniability are different as well.
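The thread above raises two points about the rotating code: tptacek's, that a TOTP-style scheme is valid offline by design, and CYR1X's, that a copied secret could let several people in on one ticket. The following added example (not code from the article, and not Ticketmaster's real format or parameters, which are constructed here) shows an offline gate validator that checks a TOTP-style code with one window of clock skew and refuses a second admission on the same ticket, which is the gate-side mitigation for the duplicate-entry concern.

```python
import hashlib
import hmac
import struct

# Constructed parameters for this example; they are not Ticketmaster's.
STEP_SECONDS = 15   # a commenter above reports the barcode changing every 15 seconds
DIGITS = 6
SKEW_WINDOWS = 1    # accept the previous and next window to tolerate clock drift


def rotating_code(secret: bytes, unix_time: int,
                  step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """TOTP-style code (RFC 4226/6238 shape): HMAC over the time-window counter,
    then dynamic truncation to a fixed number of decimal digits."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class GateValidator:
    """Offline gate scanner: ticket secrets are synced before the event, so no
    network is needed at the door. Records first use so a secret that has been
    copied to several phones still admits only one person."""

    def __init__(self, ticket_secrets: dict[str, bytes]):
        self.secrets = ticket_secrets
        self.admitted: set[str] = set()

    def scan(self, ticket_id: str, presented_code: str, now: int) -> tuple[bool, str]:
        secret = self.secrets.get(ticket_id)
        if secret is None:
            return False, "unknown ticket"
        if ticket_id in self.admitted:
            return False, "ticket already used"
        for skew in range(-SKEW_WINDOWS, SKEW_WINDOWS + 1):
            expected = rotating_code(secret, now + skew * STEP_SECONDS)
            if hmac.compare_digest(expected, presented_code):
                self.admitted.add(ticket_id)
                return True, "admitted"
        return False, "code does not match any accepted window"


if __name__ == "__main__":
    # Constructed sample data: one ticket secret and a fixed scan time.
    secrets = {"T-1": b"constructed-secret-1"}
    gate = GateValidator(secrets)
    now = 1_700_000_000
    code = rotating_code(secrets["T-1"], now)
    print("first scan:", gate.scan("T-1", code, now))    # (True, 'admitted')
    print("second scan:", gate.scan("T-1", code, now))   # (False, 'ticket already used')
```

Extracting the per-ticket secret (as the article does) lets its holder regenerate valid codes indefinitely, so the first-use record at the gate, not the rotation itself, is what bounds the damage to a single entry.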

giaour
0 replies
20m

Not a lawyer, but "subverting DRM" (even if it's trivial or really stupidly designed) can be a crime in and of itself in the US under the DMCA. There are a bunch of exceptions to this, so I have no idea if OP's work is actually illegal.

CephalopodMD
1 replies
40m

This way you can sell and have the ticket completely off of ticketmaster. That is a vulnerability. It lets users do something they explicitly don't want to allow.

lakerz16
0 replies
32m

Assuming that you can actually do that.

If the seller re-opens the TM app and it generates a new token and invalidates the old one, then that's not the case.

guhcampos
0 replies
28m

Piracy here just means you can use it to sell your ticket without using their platform, which is analogous to just sending someone the PDF or handing over the piece of paper as always.

While this has the upside of breaking you free from TM's obnoxious practices, it also obviously opens up for scalpers and all.

mschuster91
5 replies
2h17m

This is a contradiction in TicketMaster’s marketing. They can’t have robust DRM on their tickets if those tickets can still be viewed offline.

The "robust DRM" is called "ID cards". Here in Europe, it's become commonplace to tie soccer tickets to ID cards that are verified at the gates to keep hooligans (or those suspected of being hooligans, which is a status that is way, WAY easier to obtain than one might reasonably assume) out, and high-class events that attract scalpers like a pile of dung attracts flies have been doing that for even longer.

12_throw_away
3 replies
2h6m

Huh, weird, turns out an old, low-tech solution is much more secure than Ticketmaster's roll-your-own weird TOT-QR "security" (even considering the magic animation that makes it "in a sense, alive")

(Not that requiring ID doesn't raise the same and also other consumer rights issues)

mschuster91
2 replies
2h4m

The thing is, unlike most of Europe, the US doesn't have a legal mandate for anyone to possess an ID card, and so in practice you've got 50 states' worth of driver's licenses, library cards, military or government employment IDs that can be used (or faked)... so you can't really use these for legitimately verifying anything unless you want to spend a lot of time and money to train your staff to spot fakes. Banks can do that but no one wants to do that for the goons that run security at venues for minimum wage.

IncreasePosts
0 replies
2h0m

Sure, but realistically no one is going to get a fake ID with a certain name on it so they can go to a concert with that person's tickets.

BobaFloutist
0 replies
13m

How hard is it to get access to a database to confirm that a scanned ID is valid, and corresponds to the name written on it?

cortesoft
5 replies
2h19m

There’s no risk that your ticket won’t get you in

Isn’t this not true? The risk with printable tickets is that a seller could sell it to multiple people, who all print it out, but then only the first person who uses it can get in?

Even if the venue doesn’t check to see if a ticket has already been used, only one person can sit in the actual seat.

gruez
1 replies
2h10m

is that a seller could sell it to multiple people, who all print it out

They can't "print it out" because it's a rotating code.

SamBam
0 replies
1h36m

"The risk with printable tickets is..."

TrackerFF
1 replies
1h3m

Ticketmaster has a system for transferring tickets, if you want to buy or sell tickets.

There could very well be a reason for someone to only sell a physical ticket, or not transfer it through ticketmaster, but I have yet to find anyone but scammers that want to do that.

The reason is, just as you mention, that scammers will try to sell multiple tickets. Then one (or many) sucker turns up to the venue, only to discover that the ticket has already been validated.

Mehvix
0 replies
35m

Ticketmaster has a system for transferring tickets, if you want to buy or sell tickets

Sure, and it is terrible.

They can block you from transferring the ticket you bought, and can set a minimum resale price (effectively ensuring you cannot recoup anything)

You should own what you purchase, simple as.

8organicbits
0 replies
2h10m

Previous sentence:

If you bought the ticket off the event’s official ticketing agency (not a sketchy reseller)

liendolucas
3 replies
25m

It's baffling that you have to carry a mobile phone to access a show. What if you run out of battery? Or if you accidentally break the screen just before entering the venue? The more the technology evolves the more we find horrible uses for it. People should fight back by refraining from purchasing tickets from them, I know it's not easy for people to miss their favorite artist but until a monopoly is broken there is no other effective way to prevent them from doing what they want.

chuckadams
2 replies
17m

You can still print the ticket on paper. Tho nowadays that means a trip to a FedEx store for me, since I refuse to keep buying inkjets I only use a couple times a year.

omega3
0 replies
5m

Laser printers have solved this - I don’t expect to change the toner for a decade.

jcranmer
0 replies
1m

I refuse to keep buying inkjets I only use a couple times a year.

Laser printers are the solution, and Brother laser printers seem to remain the most highly-regarded.

999900000999
3 replies
1h55m

Software developers are the wizards and shamans of the modern age. We ought to use our powers with the austerity and integrity such power implies. You’re using them to exclude people from entertainment events.

I can definitely think of worse things programmers are doing aside from making it mildly difficult to see Taylor Swift.

I have personal qualms with working in certain industries because of this, but Ticketmaster ultimately provides a luxury. You don't need to see a concert, and if you have such an issue with their business practices you can do something else with your Friday night.

I've actually never had an issue with Ticketmaster. At a point a certain other ticket provider just blocked me without any explanation, and I had to go down to the box office to buy tickets. That sucked, but compared to airlines who do weird things like print off tickets without the actual seat number, Ticketmaster doesn't bother me too much.

digging
1 replies
1h34m

Ticketmaster ultimately provides a luxury. You don't need to see a concert

I don't agree. Entertainment/recreation is a need. Music is an important part of the human experience, and seeing it live, with other fans, is really valuable to some people. And the fact is, the value a person places on the experience is totally orthogonal to their ability to use/afford Ticketmaster. And it's not just about Taylor Swift - even local shows can be difficult to access without quarrelsome online portals. (But also, someone being obsessed with Taylor Swift isn't a personality flaw.)

999900000999
0 replies
14m

You can find a bar with a band playing. I suggest Kingston Mines if you're in the Chicago area.

Ticketmaster doesn't have a monopoly on music. You can vote with your wallet.

HillRat
0 replies
1h4m

You’re not considering the stagehands and artists who have to live under Live Nation’s vertical monopoly. I was chatting with a former tour guy the other day, someone who’s been a tech for major touring bands since the ‘80s, and he mentioned that he had to quit the business because Live Nation had driven wages down below poverty level while bringing in random unskilled labor to do highly-technical stage setups. (He quit after almost losing a hand to a large piece of unsecured stage equipment.) The enshittification of modern life is an inconvenience to most of us, but life and livelihood to many others.

londons_explore
2 replies
1h59m

Isn't this vulnerable to ticket 'selling' by simply sharing the username and password of the ticketmaster account?

it's not like a ticketmaster account is 'worth' anything, so the seller can simply set up a new one for their next purchase.

pxx
0 replies
1h57m

actually, aged ticketmaster accounts are worth something! people will buy them for a few dozen dollars, as they get priority in ticket queues.

blincoln
0 replies
1h43m

Setting up separate accounts for every ticket purchase seems like a LOT of overhead (especially scalpers buying many tickets at once and piecemealing them out), and is easy to defeat, e.g. require out of band auth via the phone number associated with the account before logging in for the first time on a new device.

james2doyle
2 replies
1h34m

Fantastic article. Really easy to understand.

Side note: this is actually a great advertisement for server side rendering! If they didn't do all this client side rendering, exposing data in JSON APIs, then I doubt this reverse engineering would have been possible.

shaftway
1 replies
1h30m

Except then I'd need to have a good data connection at the venue, and the odds of that are infinitesimally small.

james2doyle
0 replies
1h19m

I see what you mean. The barcode wouldn't work offline.

It seems like that didn't matter at the venue though? The spotty internet connection not allowing the code to load was the first part of the article wasn't it?

superfrank
1 replies
1h31m

I remember a time when printable tickets were ubiquitous. One could print off tickets after buying them online or even (gasp) in-person, and bring these paper tickets to get entry into the event when you arrive

I go to 1-2 concerts a month so I'm well aware of how scummy TM is, but the problem with PDF tickets is that people sell fakes or sell the same ticket multiple times. I know multiple people who've been scammed this way. I get not wanting to use your phone for everything, but the changing barcode isn't just technology for the sake of technology, it's actually there to solve a problem.

PDF tickets work even if your phone loses internet connection

So do the digital barcodes if you add them to your phone's wallet.

TM even sends you an email before every event that says:

> If you haven't already, download the Ticketmaster app or sign into your Ticketmaster account via mobile web. From My Events, tap view then add tickets to your phone's wallet for easy access at entry.

TM's help page for the Mobile Entry tickets also says (https://help.ticketmaster.com/hc/en-us/articles/978659778561...)

> We encourage you to download your tickets to your digital wallet before you leave for your event. This ensures that you can always access your tickets.

If you bought the ticket off the event’s official ticketing agency (not a sketchy reseller), you know for sure that they’re real.

The problem is that that isn't how the real world works. Ignoring the massive scalping problem currently happening (that TM is complicit in) sometimes plans change or people learn about events after the initial sale. Personally, any time I have to buy or sell through a reseller, I use StubHub, but I know plenty of people who don't want to use them as they charge high fees and they aren't much better than TM from a moral stand point.

Also, I get the impression that if TM locked all tickets so that they could only be resold on TM, the author of this article would have a problem with that.

crazygringo
0 replies
1h17m

Exactly all of this.

I found the article really interesting from a tech perspective.

And I have no love for TicketMaster, but the migration from paper/PDF tickets to scannable changing QR codes is inevitable, precisely to combat scammers.

TicketMaster does a lot of bad things, but this doesn't seem to be one of them. And learning to download the digital tickets in advance -- either to the app or your Apple wallet -- is just a thing you learn to do, the same way you learn to download a bunch of podcasts before your airline flight that charges for (or doesn't have) WiFi. (And if your ticket was a PDF, you'd similarly be stuck if you couldn't get internet at the venue and hadn't downloaded it in advance.)

londons_explore
1 replies
2h16m

v2 of this will require an Android/iOS app which will make use of the platform's secure storage abilities for the key.

On non-rooted devices, those are pretty much impervious to the user trying to inspect their contents.

Aachen
0 replies
2h9m

And this is why those companies love DRM'd (non-rooted) devices and try to detect when you broke this form of DRM: you can't get at your data, not even to make a backup of it; they're in full control. Also for security (can't grant root to malware if you don't have the permission to grant that), but also for everything else

chazeon
1 replies
2h7m

Another case of abusing ToTK, an excellent technology that promised convenience, security, and offline access. Similarly, Duo builds their stuff off ToTK and then fends you off (or makes it very, very hard for you) from using a third-party ToTK authenticator with their sites. This company just jettisons the fine promise of offline availability that was made by ToTK.

Arch-TK
0 replies
1h44m

TOTP?

torcete
0 replies
1m

A $COACH_COMPANY in the UK has recently announced that they are moving to only app-purchased tickets. Except tickets purchased directly from the driver, which is VERY expensive.

Well, F.U. $COACH_COMPANY. I don't want to have to install your app for that, but I guess I won't have any other option if I need to get to the airport.

sandworm101
0 replies
24m

What I find really interesting is that there are so many scams that the rejection of tickets is common enough to go unnoticed. Someone testing out their new "F-ticketmaster" ticket generation tool is free to test it in the real world. If it doesn't work they will simply be turned away at the door like so many others who have been scammed. Nobody would notice the test.

But if each ticket is for a particular seat, would ticketmaster notice if two people came with tickets for the same seat? I bet not. I bet they just trust their ticketing system to be foolproof. If anything they might just reject the second ticket without any way to know which was authentic.

mattmaroon
0 replies
1h25m

Off topic (though the post does go into it a bit): Ticketmaster's current form is entirely due to a failure of government. Decades from now, case studies will be written on how one company managed to have a monopoly on an industry that is so not a natural monopoly.

marcodiego
0 replies
1h39m

I now know everything I would need to duplicate TicketMaster’s barcodes

Until they change their encoding.

Requiring the installation of a proprietary app to do anything should be forbidden.

lisper
0 replies
15m

They can’t have robust DRM on their tickets if those tickets can still be viewed offline.

Of course they can. All they need is a secret key embedded somewhere that the app can access but you can't. It's just a happy circumstance that they used a simple protocol in which the key is easily extracted. But they could have used a proper PKI protocol instead, which would have made it much harder, if not impossible, to hack.

kls0e
0 replies
1h14m

super entertaining read! many thanks.

jszymborski
0 replies
2h14m

Truly a noble cause.

ikesau
0 replies
2h13m

Really good post! I also found this quote which distilled their position in the 404media coverage of the situation.

“What I can say for sure is that TicketMaster and AXS have had every opportunity to support scam-free third party ticket resale and delivery platforms if they wished: By documenting their ticket QR code cryptography, and by exposing apps and APIs which would allow verification and rotation of ticket secrets,” Conduition told me in an email. “But they intentionally choose not to do so, and then they act all surprised-pikachu when 3rd party resale scams proliferate. They're opting to play legal whack-a-mole with scammers instead of fixing the problem directly with better technology, because they make more money as a resale monopoly than as an open and secure ecosystem.”

from https://www.404media.co/scalpers-are-working-with-hackers-to...

arscan
0 replies
2h4m

I recently purchased tickets via SeatGeek and was provided a link to one of these barcodes, which accepted as a querystring parameter an access token that seemingly had a long expiration attached to it. It was hosted on “downloadmytickets.com”, which doesn’t look legitimate and caused me to do this same type of analysis to see how it all worked. Whether or not this was a way to bypass the “security” to enable sale via third parties, or just a very untrustworthy-looking official domain, I don’t know. But in the end it worked fine at the venue. Definitely more stress involved than I would have liked though.

TeeWEE
0 replies
15m

One thing this article kind of misses: You need that unique token... Ok, you can get it in some way.. But ticketmaster should keep it private, then, even if you know the algorithm. You still can't do a lot without the token......

So he reverse engineered it, but it's still secure: You need the token.

RicoElectrico
0 replies
32m

What's the deal with PDF417? Why did they choose it over QR?

PaulHoule
0 replies
0m

A system like that could work in an entirely disconnected mode where the "ticket" device has a cryptographic token whose signature can be checked at the door without either side having internet access. The weakness of that system is that you can't "revoke" or sell tickets. Such revocation would be possible though if either the ticket or the validator device is internet connected.

I saw the New York Red Bulls play not long ago and had to use Ticketmaster's system for the first time. I travel with a tablet, not a smartphone, and I was expecting trouble. Turns out the only trouble I had was that they didn't want to let me in with a tablet but they did when I explained my ticket was on my tablet. It did require an internet connection but Red Bull Arena has great WiFi so that was no problem.

LordShredda
0 replies
20m

I can't buy a ticket in my country, because my phone number is foreign. Can I use this to have someone buy it for me and transfer it to me?