Software developers are the wizards and shamans of the modern age. We ought to use our powers with the austerity and integrity such power implies.
This is one of the most powerful truths underlying the world we currently inhabit. The sooner we can agree to behave accordingly, the better our prospects for ripping the reigns of society from the hands of those whose only animating principles are avarice and exploitation.
This sort of ticketing thing is a trivially solvable problem. It is solved at every airport in the entire world millions of times per day. You provide the name of each concertgoer when you buy a ticket, and they show up with their ticket and ID. You often need to show your ID at these kinds of venues to prove you're old enough to drink beer anyway.
Yup.
I have to believe the reason the likes of ticket master isn't fixing this is because they are selling/auctioning/reserving some percentage of tickets to scalpers or "3rd party sellers".
Requiring ID is such an obvious solution that I have to believe these convoluted approaches are only there so the secondary market can exist and so ticket master can wash their hands when prices get out of control on that market.
I have to presume that the driving impetus of all of this is that they're trying to avoid the actual requirement of checking the ID. Like, they want to improve the flow of traffic through admissions.
But I mean, obviously, any kind of system like this strikes me as the same sort of thing as DRM. That you can somehow protect the message from the person you're sharing the message to. How can you avoid reselling if you don't verify the original purchaser? It just seemes ridiculous on its face.
So even if you don't want to do the ID thing, there are alternatives that you see all over the place (like venmo) Have a rotating QR code seeded with a unique to the user id. Then with ticket master, require a login to buy tickets. Register the tickets to the ID and then do the lookup with a combination of the ticket id, rotating qr code, and the user id.
That requires the admitter device to send the challenge back to HQ, but that shouldn't really be much of a challenge. Tickets then become linked to the user's account (perhaps you allow transfer).
This is effectively what Disney does with their ticketing system, along with at the gate them taking a picture of you so they can confirm "Yes, so and so looks like the photo".
But yeah, all of this is ridiculous on its face as the cheaper and easier solution is ticket plus ID. If you are worried about flow have signs up before check in that say "be sure to have your ID ready before you get to the counter".
The ticketmaster solutions are just bad/half assed.
That is to say, if ticketmater had just done TOPS like the article points out, you'd not need the headache they've created with needing a live internet connection to load your ticket.
You don't understand how people at their companies evaluate stuff like this.
Any solution that increases capital or operating expenditures for them or the venues (half of whom they own, if I remember correctly?) is a non-starter if it doesn't generate some increase in revenue.
They will not do anything they don't have to do if it means any impact to their bottom line whatsoever.
We see it as "pennies per transaction."
They see it as "we sell 500M tickets per year so five cents per transaction is $25M/year in lost net."
Well that's where I'd argue they are negatively impacting their bottom line.
These rotating barcodes on the other hand are far from perfect. I experienced this first-hand last year when I attended another very popular concert where they used a similar rotating-QR-code-ticket system. Numerous people including myself and my friends were floundering at the entry gate citing a bevy of broken barcode problems. ...
The venue was so crowded that cell-towers and WiFi were overloaded. Internet access was spottier than a Dalmatian with chickenpox.
That is impact to their bottom line. They have admittees waiting at the gate blocking other people from getting in cutting into their concession sales.
If they'd used a bog standard TOPS system (like the op suggests) that would not be an issue at all. But instead because they have the dumb system where you reach out to the ticket master servers to get your code, they've created their own nightmare.
I experienced this first-hand last year when I attended another very popular concert where they used a similar rotating-QR-code-ticket system. Numerous people including myself and my friends were floundering at the entry gate citing a bevy of broken barcode problems.
That's a different system. The article makes it clear that the Ticketmaster system works offline if you have opened it on the mobile app. Which they don't want to install.
Disney is collecting pictures of everyone face's. That's pretty creepy.
Yup exactly. Some events are pretty bad at opening the doors early. The Brooklyn Nets seem to open 30 minutes before the game, so they need to get 20,000 people through 20 metal detectors in 30 minutes. Every second extra they add to the process is a second you don't have to buy a $25 drink, and that's how they make their money.
We check IDs for flights because airline yield management demands that there be no resale, or business travelers would be traveling on leisure fares.
We check IDs for flights because airline yield management demands that there be no resale, or business travelers would be traveling on leisure fares.
Sorry, what? Surely business travelers pay more just by virtue of traveling by business class? Or, if travel through business portals was consistently significantly more expensive than just buying the ticket directly on the airline's website, businesses would just start buying tickets directly from the airline's website?
Is there something about how ticket fares are calculated and paid that I don't understand?
Yeah I agree, they are not incentivized to fix scaling/bots because they get a fee every time a ticket is sold. It is in their best interest for the ticket to be sold as many times as possible.
People often buy tickets without knowing exactly which of their friends are going to attend with them. This is not true of airplane tickets.
One ID for the entire order would be fine. You can buy 4 tickets, and go into the concert with your 3 friends. It often works this way even with no ID involved, I buy two tickets, add them both to my wallet, scan them both when my GF and I go to the show.
You COULD still scalp tickets if the person who bought them from you is going to walk in with you. But the scalper would have to eat the cost of one ticket to do it, and it's probably onerous enough to severly reduce the impact of scalping.
Would be awesome if it were true for airplane tickets
But also, the hell with this. I'm still sour enough about the TSA without the concept of, "I'll buy tickets for me and three of my friends then see who wants to go," becoming impossible or gated by ticket transfer fees.
Airlines are preventing a secondary market. Unfavorable for your use case, but also prevents scalping airline tickets (while allowing airlines to attempt to maximize revenue). There are always tradeoffs and compromise.
To hack around this, I've used Southwest Airlines; I can buy tickets for folks and if they can't travel, we cancel the ticket(s) and keep the travel funds banked for another time. I hope this is potentially helpful information.
https://simpleflying.com/why-airlines-dont-allow-name-change...
Even allowing that but requiring your valid ID must be taken into the venue by yourself (or by your friends eg if you get sick and can't go) would be a big improvement, meaning ticket scalps would have to actually go or have someone on their team go along with every ticket they resell.
Hell, you just scan your ID at TSA nowadays. They don't need your ticket.
Flying requires an ID. Attending a concert should not. Any solution that is solved by "simple, just require an ID" is not a solution.
That requires a single source of truth for which names go with which tickets. Which is going to be a problem if tickets need to be transferred in contexts where users don't have internet access (but they do have local connectivity between devices) or in contexts where the venue doesn't have internet access. Or in cases where the single source of truth might be vulnerable to attack or doesn't have the resources to handle the load at certain times.
I don't have the solution explicitly, but it seems like it ought to be possible to do this such that PII need not be collected. Tickets could be cryptographic proofs that a chain of custody exists and meets certain criteria. The proofs could be constructed at transfer time and verified at admission, no servers in the loop anywhere. Yeah, we'll come up against the CAP theorem eventually, but we might find that the imposed constraints are workable.
Isn’t this a bit like irresponsible disclosure? Since this may be considered a security vulnerability. Although it’s all client side, I’m sure there’s some basis for a lawsuit here.
Everyone want Ticketmaster to die.
Except for a lot of performers and venue operators. Ticketmaster is paid well to be the bad guy. They often share the fees with both the performer and the venue.
I'm sorry to be that guy but do you have literally any source for this?
Might just be the musicians I like, or the fact that negativity is better for clicks, but I've never seen an artist saying they get any benefit from ticketmaster's fees and other such shenanigans; I've only seen artists and venues saying that they don't get any money or benefits at all from ticketmaster's racketeering.
From the Ticketmaster website:
ticket fees (which can include a service fee, order processing fee, and the occasional delivery fee) are determined by and shared between the parties who have a hand in making live events happen including venues, Ticketmaster, sports teams, leagues and promoters
When the artist doesn't want their fans to be charged big fees - they have some say in it. Robert Smith of The Cure made a stand on this last year and got Ticketmaster to refund a bunch of money.
"Responsible disclosure" is poorly defined corporate wishcasting, and certainly not any sort of best practice or legal shield.
The public prosecutor does not pursue cases where responsible aka coordinated vulnerability disclosure was applied. I'd say that's a legal shield of some kind at least, and it is generally also considered best practice in the industry. There's exceptions to everything but, in the general case, I'm not sure where you're getting these viewpoints from
"The public prosecutor does not pursue cases where responsible aka coordinated vulnerability disclosure was applied."
That seems like a pretty substantial claim to make without any sort of "in [country/state/province/etc.]" qualification, let alone a reference.
If it runs on my CPU and shows up on my screen after I paid for it, it's mine and I can do whatever I want. Anybody who thinks otherwise can fuck off outright.
That's exactly the same policy I apply to AGPL software. I paid for it ($0, as mandated by the developer) and it runs on my CPU.
Responsible disclosure is something you pay for, not something you are entitled to.
It requires sniffing your own session credentials first, which I don't see as a security vulnerability.
The only thing it allows you to do is sell your ticket, which is legal to do.
I'm struggling to come up with a good basis for a lawsuit. CFAA abuse is the first thing that comes to mind, but this is a real stretch for that, and SCOTUS shut that stretching down a while ago. DMCA doesn't come into play, since this isn't circumventing any copyright protection schemes. So this kind of leaves you with some form of contract violation, but even that seems like a stretch here. Tortious interference or interference with prospective business? I mean, I don't see any events complaining about this (hell, Ticketmaster itself arguably has some contract liability issues with the fact that their technology relies on cell service which tends to be spotty in dense crowds). So you're kind of left with some individual contract liability issue, which is literally not worth the cost of litigation.
The app-based barcodes don’t seem to be solving a security problem for customers - they seem to be for the purpose of ensuring that traditional scalping doesn’t work, forcing ticket resale into a market that TicketMaster can profit from.
I would consider it unethical to publish details of an unpatched vulnerability that allowed ticket forgery, but I don’t think it’s unethical to bypass DRM-like controls for personal convenience rather than commercial purposes.
Of course opinions may differ on this.
Nah. Ticketmaster is unethical enough that spreading information that harms them or helps them go out of business is ethical.
It is my opinion that you do not need to responsibly disclose "security by obscurity"
Additionally, what is irresponsible here? Its not like this gives you the capability to clone tickets without first having a ticket in the first place.
How is this a security vulnerability? It's displaying the exact bits Ticketmaster uses and explaining what those bits are. They're not circumventing security systems, just the requirement to use the app.
With regards to the end of the article.
Can I work for a bad company and still be a good person?
No.
I'm glad we cleared that up. Now all that remains is a good, measurable definition of what a bad company is.
You're trying to get quantitative about a qualitative problem.
The problem is that "bad company" is such a nebulous concept as to be useless, as the JSON license showed with their "shall not use this software for evil" clause.
No matter which company you choose, someone somewhere will find a justification for why they are actually not bad. Weapons dealer? Protecting your nation. Destroying local businesses? "They are just adding efficiency to the market". Kill someone with bad practices? "Still safer than the alternative". Ticketmaster? "The scalpers are giving a subvention for those who cannot afford the real price".
Setting up a straw "bad company" and knocking it down doesn't help anyone on the real problem of people working for unethical companies.
That's their point. They're poking fun at how the OP is speaking in absolutes about something subjective/ opinion based.
So if you think a company is bad you shouldn’t work for them. Perhaps many of the people working for TicketMaster don’t think they’re a bad company.
It's not hard if you remove the self delusion. Removing the self delusion is maybe tricky for the individual, but it's easy for people around the individual to see. Societal tools like shame are generally used to encourage people in the right direction, but we don't do a great job of this in America, because money tends to override everything else and I don't think we have good structures around expressing non-monetary values like honor.
Especially on the west coast, we're so passive in our shaming of people that it probably doesn't translate to action. There are people who work at Evil companies like Facebook, etc, who are otherwise nice, but I find myself not including them or turned off to them as friends because this sort of contradiction is hard to square in my brain. Of course I wouldn't communicate to this, being a passive PNW raised wimp, and it's not even super explicit in my mind, it's really more of a bad vibe than anything else. I imagine over time if enough people act like I do, it doesn't actually translate to different decisions from the individual in question, but instead translates to them waking up one day feeling distant and unfulfilled, which is probably the worst of all outcomes. They still work for Bad Company, but are also sad about it, and there's a general sense of malaise pervading life that's hard to pinpoint.
*Obviously this all ignores the people who don't have a choice of employment. But here I'm generally referring to software people who have high pay and career mobility. Things get murkier when the conversation is opened up to people who are just trying to survive.
It's like porn. You know it when you see it and also there's quite a lot of it.
If you're asking the above question, it means you already think the company is bad according to your own morals.
Does this extend to where you live and pay taxes?
And pretty much every company is bad. But this is a wrong answer because the question is actually nonsense.
The answer to "What happens when you move faster than light" is not "nothing", it is undefined because the question is invalid. Asking if a person or a company is good or bad isn't a question that can ever have a well-defined answer: the answers we give are rounded according to our own values. To get more specific, not all of us have a huge amount of choice in who we work for.
If apenwarr believes I want to be a good person they should hire me at Tailscale. What's that, they won't? They don't have openings, or I'm not qualified? I guess they're the bad person because now I have to work for a bad company or lose my income. And if I lose my income, my co-habitants lose their housing, and my donations to good causes dry up. Do I just not do enough good for apenwarr? They must be a paragon of virtue. Surely they don't eat meat, or even associate with meat-eaters. Surely they don't fly in airplanes.
I think we should make an exception for saboteurs.
I agree with the bad implement but the opening complaining that "old way of printable tickets was great why change it" have so many problems.
Scalpers are the problem that you have to accept. At the time of purchase, there's no way to tell the difference between a legit purchaser and a scalper or even someone who bought it and simply can't go and needs to resell.
IDs, ticket limiters, CCs, etc, etc. All methods can be circumvented by someone dedicated enough. You can only make it "not scalable" but the tickets still need to be transferable, securely.
Unless we're willing to go ID checking at the gate, there's not going to be a true solution.
Buying something at a low price and selling it at a high price is arbitrage 101 and is free money.
The "true solution" is to sell tickets at their actual market price instead of pretending that the face value of concert tickets isn't increasing due to a larger population and greater demand.
IOW the true solution to scamming is to raise prices so high that only the extremely wealthy can afford them, regardless of how accessible the actual concert/act/group/promoter wants the show to be.
The "real" solution here would be for Ticketmaster (or whoever) to actually make a ticket non-transferrable somehow, and then allow for tickets to be transferred directly through the original website for at most the original ticket price, and refund me the money.
For example, if I have a $200 ticket and I can't make it and want to sell it, I can post up a link to the original ticket seller's website (in this case Ticketmaster) where someone else can go buy it, and, if they do, I get a refund of the amount they paid. I can say how much I'm willing to accept (full price, $150, whatever) and someone can go buy "my" ticket, potentially at a loss if I'm willing to accept it. Ticketmaster can make money on these tickets by charging a non-refundable processing fee or whatever to everyone (the original buyer and any subsequent re-buyers). They make a tidy profit, everyone gets what they want.
The only complications are
1. making the tickets non-transferrable but also work offline is a difficult technology problem 2. Ticketmaster is an unregulated monopoly and thus has no incentive to behave in the best interests of the market or its customers when they could rake in millions more by screwing everyone except the scalpers
Can’t someone hack your system by selling access to the link you mentioned for $500? Thus getting you the refund Ticketmaster knows about, and the private payment from the desperate buyer. Also, credit card processing fees used to be refunded when you refunded a transaction, but now I think some processors have now decided to start keeping the fees, because why not. Another 3% margin to apply at each sale (though that can be included in the transfer fee you suggest)
Can’t someone hack your system by selling access to the link you mentioned for $500?
Not if they index the resales on their website and make them searchable.
People could still perform arbitrage by snapping up any resales significantly under the original price and reselling them at the original price, but at that point they're not making that much money and people are paying less than the original price, so the impact is just that you can't get a discounted resale. Which still sucks, but it sucks a lot less.
Buying something at a low price and selling it at a high price is arbitrage 101 and is free money.
A bit of a nit pick, but this isn't "free money" unless you have a guarantee that someone will actually buy at the higher price. You could buy low, be unable to sell, and end up eating the "buy low" cost.
sell tickets at their actual market price
How do you know what their actual market price is? You have to open it up to a market, where supply/demand get to play out.
IIRC some ticketing company tried doing something to this effect by scaling prices in realtime based on how many people were also trying to buy. I believe it was widely criticized as unfair/exploitive.
So you're back to square one then, where you have to set some price.
I mean, it may very well have been criticized, but how is it any less fair than the alternative? As for being exploitative, that's kind of the point. The company figures for most shows it's leaving money on the table for scalpers to take. The other side of it is that if a show bombs the ticket prices can be reduced to encourage people to come.
To be honest, it seems overall a better solution.
People will scream (including in this thread) that it’s “unfair” that ‘only the wealthy can afford them then’ but their beef is with scarcity and thus with reality. It’s always “unfair” to the 10,001st person who wants to attend the concert with 10,000 capacity. Today it’s a weird lottery with 6 different fan and credit-cardmember presales, which each sell out immediately, and the “backstop” at the end which is the ability to buy expensive scalped tickets.
There are finite tickets but unbounded demand. A lottery means you can slightly adjust the distribution of poor vs rich, but in practice today it still advantages those comfortable enough to sit around refreshing their computers at the right moment, instead of working. And lots of opportunists will snap up those tickets you are hoping poor people will get, to sell them to the wealthy.
In my opinion for in-demand shows it should just be a Dutch auction (all of the highest 10,000 bids win, awarded at some fixed cutoff date before the event). If not enough bids are received, the concert isn’t sold out, so then the rest go on sale for the lowest bid.
It's only free money if there's no risk, and if there's no transaction cost to acquiring at the lower price. If there's no risk in buying something low and attempting to sell it high, then that thing is mispriced.
The "true solution" is to sell tickets at their actual market price
That is *a* solution but it isn't *the* solution. The fact that many smart people are not choosing that solution is an indicator that there are some factors to the problem that you aren't considering.
The reason they don't do that is to have an organic fan base of poor people who drive up the prices for the rich people. If you eliminate the poor people, the rich people aren't going to take the band forward. They'll move on to whatever the next shiny thing is. You need a hardcore fan base of poor people to support and grow your valuation.
That's because there isn't a difference between a "legit purchaser" and a scalper except their intentions, which you can't get from amy kind of barcode.
How about the “Add to Apple Wallet” option? He did not talk about that at all, but AFAIK the ticket would be fully available offline and not in Ticketmaster app, no? It’s actually an elegant solution IMHO.
I just added a ticket to my Google Wallet for a concert last night and it was very similar to the Ticketmaster/LiveNation app. The PDF417 barcode changed and had an animation around it. My guess is that it is the same or very similar on Apple devices.
So items inside google/apple wallet don't need to be 'static'?
With Google Wallet (the only one I have at the moment), it is not static for the ticket. It has a NFC and barcode option. The barcode changes every 15 seconds for me.
No, I have flight tickets autoupdate when there is a delay.
Yes, it is available offline if you “Add to Apple Wallet”.
The ticket in Apple Wallet is still revocable if you transfer the ticket to someone else using Ticketmaster’s website, probably through an update that Ticketmaster pushes to the wallet [1].
[1]: https://developer.apple.com/library/archive/documentation/Us...
They mentioned avoiding google wallet, so we can assume android, and that apple wallet wasn't considered for not being an option for them.
The barcode in apple wallet also auto-updates.
A few months ago I went to Las Vegas to watch U2 at the Sphere. When I learned that I needed to open the app or website in order to get in I panicked in fear of the shitty internet that is common in massive events, so I opened my tickets since I left the hotel. Unless this stuff works completely offline, it is a terrible idea.
As the article notes, this ticket system does in fact work offline.
Well, as it also notes, it works offline if you remember to open the ticket before you get there, and they don't (or at least didn't used to) give you sufficient warning. I found out that's how it works the hard way when it was new by having to walk a half mile back from the venue to get service to load the tickets.
There's also the chance the ticketmaster app won't work properly later even if you did do it. I've had other apps shit the bed for no apparent reason in offline mode before. I add them to my wallet now just in case.
Sure, I'm just reacting because TOTP is like the textbook example of a system designed to work without interactive access to a networked resource. The whole as TM designed it has crappy affordances, but you could fix that without breaking the design.
There's no way that I trust the developers of a company like Ticketmaster to install their app on my device.
What is the worst that can happen? I have it installed on my iPhone and deny whatever permissions it asks for.
I have enough confidence in the sandbox that "installing an app" is basically never an issue (though I don't out of the principle that most things companies have apps for just shouldn't be apps).
You don't trust your OS to sandbox it? With a threat model like that, I wouldn't use any apps other than the browser
I used to work or a mobile event app company that made a lot of the big festival/conference apps. Everything was built to function locally from a sqlite file on your phone that was constantly updated when you did have coverage.
It was 100% expected that you would have no cell signal the entire event and we built in as many mitigations as we could think of.
This was 2013ish, I think there are a lot more mesh network devices that can relay signal nowadays but I'm not involved anymore in that stuff.
It was the best on-call I've ever had because.. nobody had cell signal while the event was on to complain about something.
This person complains that people didn't have network access on their phones when they were at the gate. I can only assume that they waited till they were at the gate to install/use the app so it never got its offline data.
Always open your event apps before getting to the event. Sometimes they're completely bare bones and have to reach out and pull that apps specific database so its sure you have the latest. Most of the event apps are a template that is modified for each event and just has different assets/sqlite.
I hate TM and ridiculous fees as much as anyone, but this article is overly hyperbolic.
There's a section named "Pirating Tickets", that just explains how to re-create a barcode that you already paid for. You're not using this to rob anyone of anything.
And at the end, "Have fun refactoring your ticket verification system". Why? There are no vulnerabilities here. A rotating barcode (even if following a known pattern) is still more secure than a static barcode on a piece of paper.
It's piracy in a way that's analogous to ripping like Netflix content. You are breaking away from DRM which is piracy. They also cite the potential to have multiple tokens valid per one ticket which would let multiple people get in with the same ticket.
I'd argue that a few extra people sneaking in on the same ticket (assuming this is even possible) is more like sharing your Netflix credentials than ripping Netflix content and having it be shareable with the entire world.
You're also walking into a stadium/concert in plain view of security cameras, so the stakes and deniability are different as well.
Not a lawyer, but "subverting DRM" (even if it's trivial or really stupidly designed) can be a crime in and of itself in the US under the DMCA. There are a bunch of exceptions to this, so I have no idea if OP's work is actually illegal.
This way you can sell and have the ticket completely off of ticketmaster. That is a vulnerability. It lets users do something they explicitly don't want to allow.
Assuming that you can actually do that.
If the seller re-opens the TM app and it generates a new token and invalidates the old one, then that's not the case.
Piracy here just means you can use it to sell your ticket without using their platform, which is analogous to just sending someone the PDF or handing over the piece of paper as always.
While this has the upside of breaking you free from TM's obnoxious practices, it also obviously opens up for scalpers and all.
This is a contradiction in TicketMaster’s marketing. They can’t have robust DRM on their tickets if those tickets can still be viewed offline.
The "robust DRM" is called "ID cards". Here in Europe, it's become commonplace to tie soccer tickets to ID cards that are verified at the gates to keep hooligans (or those suspected of being hooligans, which is a status that is way WAY easier obtainable than one might reasonably assume) out, and high-class events that attract scalpers like a pile of dungs attracts flies have been doing that for even longer.
Huh, weird, a turns out an old, low-tech solution is much more secure than Ticketmaster's roll-your-own weird TOT-QR "security" (even considering the magic animation that that makes it "in a sense, alive")
(Not that requiring ID doesn't raise the same and also other consumer rights issues)
The thing is, unlike most of Europe, the US doesn't have a legal mandate for anyone to possess an ID card, and so in practice you got 50 states worth of driver's licenses, library cards, military or government employment IDs that can be used (or faked)... so you can't really use these for legitimately verifying anything unless you want to spend a lot of time and money to train your staff to spot fakes. Banks can do that but no one wants to do that for the goons that run security at venues for minimum wage.
Sure, but realistically no one is going to get a fake ID with a certain name on it so they can go to a concert with that person's tickets.
How hard is it to get access to a database to confirm that a scanned ID is valid, and corresponds to the name written on it?
They can’t have robust DRM on their tickets if those tickets can still be viewed offline.
There’s no risk that your ticket won’t get you in
Isn’t this not true? The risk with printable tickets is that a seller could sell it to multiple people, who all print it out, but then only the first person who uses it can get in?
Even if the venue doesn’t check to see if a ticket has already been used, only one person can sit in the actual seat.
is that a seller could sell it to multiple people, who all print it out
They can't "print it out" because it's a rotating code.
"The risk with printable tickets is..."
Ticketmaster has a system for transferring tickets, if you want to buy or sell tickets.
There could very well be a reason for someone to only sell a physical ticket, or not transfer it through ticketmaster, but I have yet to find anyone but scammers that want to do that.
The reason is, just as you mention, that scammers will try to sell multiple tickets. Then one (or many) sucker turns up to the avenue, only to discover that the ticket has already been validated.
Ticketmaster has a system for transferring tickets, if you want to buy or sell tickets
Sure, and it is terrible.
They can block you from transferring the ticket you bought, and can set a minimum resale price (effectively ensuring you cannot recoup anything)
You should to own what you purchase, simple as.
Previous sentence:
If you bought the ticket off the event’s official ticketing agency (not a sketchy reseller)
It's baffling that you have to carry a mobile phone to access a show. What if you run out of battery? Or if you accidentally break the screen just before entering the venue? The more the technology evolves the more we find horrible uses for it. People should fight back by refraining from purchasing tickets from them, I know is not easy for people to miss their favorite artist but until a monopoly is broken there is no other effective way to prevent them from doing what they want.
You can still print the ticket on paper. Tho nowadays that means a trip to a FedEx store for me, since I refuse to keep buying inkjets I only use a couple times a year.
Laser printers have solved this - I don’t expect to change the toner for a decade.
I refuse to keep buying inkjets I only use a couple times a year.
Laser printers are the solution, and Brother laser printers seem to remain the most highly-regarded.
Software developers are the wizards and shamans of the modern age. We ought to use our powers with the austerity and integrity such power implies. You’re using them to exclude people from entertainment events.
I can definitely think of worse things programmers are doing aside from making it mildly difficult to see Taylor Swift .
I have personal qualms with working in certain industries because of this, but Ticketmaster ultimately provides a luxury. You don't need to see a concert, and if you have such an issue with their business practices you can do something else with your Friday night .
I've actually never had an issue with Ticketmaster. At a point a certain other ticket provider just blocked me without any explanation, and I had to go down to the box office to buy tickets. That sucked, but compare to airlines who do weird things like print off tickets without the actual seat number, Ticketmaster doesn't bother me too much.
Ticketmaster ultimately provides a luxury. You don't need to see a concert
I don't agree. Entertainment/recreation is a need. Music is an important part of the human experience, and seeing it live, with other fans, is really valuable to some people. And the fact is, the value a person places on the experience is totally orthogonal to their ability to use/afford Ticketmaster. And it's not just about Taylor Swift - even local shows can be difficult to access without quarrelsome online portals. (But also, someone being obsessed with Taylor Swift isn't a personality flaw.)
You can find a bar with a band playing. I suggest Kingston Mines if you're in the Chicago area.
Ticketmaster doesn't own have a monopoly on music. You can vote with your wallet.
You’re not considering the stagehands and artists who have to live under Live Nation’s vertical monopoly. I was chatting with a former tour guy the other day, someone who’s been a tech for major touring bands since the ‘80s, and he mentioned that he had to quit the business because Live Nation had driven wages down below poverty level while bringing in random unskilled labor to do highly-technical stage setups. (He quit after almost losing a hand to a large piece of unsecured stage equipment.) The enshittification of modern life is an inconvenience to most of us, but life and livelihood to many others.
Isn't this vulnerable to ticket 'selling' by simply sharing the username and password of the ticketmaster account?
it's not like a ticketmaster account is 'worth' anything, so the seller can simply set up a new one for their next purchase.
actually, aged ticketmaster accounts are worth something! people will buy them for a few dozen dollars, as they get priority in ticket queues.
Setting up separate accounts for every ticket purchase seems like a LOT of overhead (especially scalpers buying many tickets at once and piecemealing them out), and is easy to defeat, e.g. require out of band auth via the phone number associated with the account before logging in for the first time on a new device.
Fantastic article. Really easy to understand.
Side note: this is actually a great advertisement for server side rendering! If they didn't do all this client side rendering, exposing data in JSON APIs, then I doubt this reverse engineering would have been possible.
Except then I'd need to have a good data connection at the venue, and the odds of that are infinitesimally small.
I see what you mean. The barcode wouldn't work offline.
It seems like that didn't matter at the venue though? The spotty internet connection not allowing the code to load was the first part of the article wasn't it?
I remember a time when printable tickets were ubiquitous. One could print off tickets after buying them online or even (gasp) in-person, and bring these paper tickets to get entry into the event when you arrive
I go to 1-2 concerts a month so I'm well aware of how scummy TM is, but the problem with PDF tickets is that people sell fakes or sell the same ticket multiple times. I know multiple people who've been scammed this way. I get not wanting to use your phone for everything, but the changing barcode isn't just technology for the sake of technology, it's actually there to solve a problem.
PDF tickets work even if your phone loses internet connection
So do the digital barcodes if you add them to your phones wallet.
TM even sends you an email before every event that says:
> If you haven't already, download the Ticketmaster app or sign into your Ticketmaster account via mobile web. From My Events, tap view then add tickets to your phone's wallet for easy access at entry.
TM's help page for the Mobile Entry tickets also says (https://help.ticketmaster.com/hc/en-us/articles/978659778561...)
> We encourage you to download your tickets to your digital wallet before you leave for your event. This ensures that you can always access your tickets.
If you bought the ticket off the event’s official ticketing agency (not a sketchy reseller), you know for sure that they’re real.
The problem is that that isn't how the real world works. Ignoring the massive scalping problem currently happening (that TM is complicit in) sometimes plans change or people learn about events after the initial sale. Personally, any time I have to buy or sell through a reseller, I use StubHub, but I know plenty of people who don't want to use them as they charge high fees and they aren't much better than TM from a moral stand point.
Also, I get the impression that if TM locked all tickets so that they could only be resold on TM, the author of this article would have a problem with that.
Exactly all of this.
I found the article really interesting from a tech perspective.
And I have no love for TicketMaster, but the migration from paper/PDF tickets to scannable changing QR codes is inevitable, precisely to combat scammers.
TicketMaster does a lot of bad things, but this doesn't seem to be one of them. And learning to download the digital tickets in advance -- either to the app or your Apple wallet -- is just a thing you learn to do, the same way you learn to download a bunch of podcasts before your airline flight that charges for (or doesn't have) WiFi. (And if your ticket was a PDF, you'd similarly be stuck if you couldn't get internet at the venue and hadn't downloaded it in advance.)
v2 of this will require an Android/iOS app which will make use of the platforms secure storage abilities for the key.
On non-rooted devices, those are pretty much impervious to the user trying to inspect their contents.
And this is why those companies love DRM'd (non-rooted) devices and try to detect when you broke this form of DRM: you can't get at your data, not even to make a backup of it; they're in full control. Also for security (can't grant root to malware if you don't have the permission to grant that), but also for everything else
Another case of abusing ToTK, an excellent technology that promised convenience, security, and offline access. Similarly, Duo builds their stuff off ToTK and then fending off (or makes it very, very hard) you from using a third-party ToTK authenticator with their sites. This company just jettisons the fine promise of available offline that was made by ToTK.
TOTP?
A $COACH_COMPANY in the UK has recently announced that they are moving to only app-purchased tickets. Except tickets purchased directly from the driver, which is VERY expensive.
Well, F.U. $COACH_COMPANY. I don't want to have to install your app for that, but I guess I won't have any other option if I need to get to the airport.
What I find really interesting is that there are so many scams that that the rejection of tickets is common enough to go unnoticed. Someone testing out their new "F-ticketmaster" ticket generation tool is free to test it in the real world. If it doesn't work they will simply be turned away the door like so many others who have been scammed. Nobody would notice the test.
But if each ticket is for a particular seat, would ticketmaster notice if too people came with tickets for the same seat? I bet not. I bet they just trust their ticketing system to be foolproof. If anything they might just reject the second ticket without any way to know which was authentic.
Off topic (though the post does go into it a bit): Ticketmaster's current form is entirely due to a failure of government. Decades from now, case studies will be written on how one company managed to have a monopoly on an industry that is so not a natural monopoly.
I now know everything I would need to duplicate TicketMaster’s barcodes
Until they change their encoding.
Requiring the installation of a proprietary app to do anything should be forbidden.
They can’t have robust DRM on their tickets if those tickets can still be viewed offline.
Of course they can. All they need is a secret key embedded somewhere that the app can access but you can't. It's just a happy circumstance that they used a simple protocol in which the key is easily extracted. But they could have used a proper PKI protocol instead, which would have made it much harder, if not impossible, to hack.
super entertaining read! many thanks.
Truly a noble cause.
Really good post! I also found this quote which distilled their position in the 404media coverage of the situation.
“What I can say for sure is that TicketMaster and AXS have had every opportunity to support scam-free third party ticket resale and delivery platforms if they wished: By documenting their ticket QR code cryptography, and by exposing apps and APIs which would allow verification and rotation of ticket secrets,” Conduition told me in an email. “But they intentionally choose not to do so, and then they act all surprised-pikachu when 3rd party resale scams proliferate. They're opting to play legal whack-a-mole with scammers instead of fixing the problem directly with better technology, because they make more money as a resale monopoly than as an open and secure ecosystem.”
from https://www.404media.co/scalpers-are-working-with-hackers-to...
I recently purchased tickets via SeatGeek and was provided a link to one of these barcodes, which accepted as a querystring parameter an access token that seemingly had a long expiration attached to it. It was hosted on “downloadmytickets.com”, which doesn’t look legitimate and caused me to do this same type of analysis to see how it all worked. Whether or not this was a way to bypass the “security” to enable sale via third parties, or just a very untrustworthy-looking official domain, I don’t know. But in the end it worked fine at the venue. Definitely more stress involved than I would have liked though.
One things this articles kind of misses: You need that unique token... Ok, you can get it in some way.. But ticketmaster should keep it private, then, even if you know the algorithm. You still cant do a lot without the token......
So he reversed engineered it, but its still secure: You need the token.
What's the deal with PDF417? Why did they choose it over QR?
A system like that could work in an entirely disconnected mode where the "ticket" device has a cryptographic token whose signature can be checked at the door without either side having internet access. The weakness of that system is that you can't "revoke" or sell tickets. Such revocation would be possible though if either the ticket or the validator device is internet connected.
I saw the New York Red Bulls play not long ago and had to use Ticketmaster's system for the first time. I travel with a tablet, not a smartphone, and I was expecting trouble. Turns out the only trouble I had was that they didn't want to let me in with a tablet but they did when I explained my ticket was on my tablet. It did require an internet connection but Red Bull Arena has great WiFi so that was no problem.
I can't buy a ticket in my country, because my phone number is foreign. Can I use this to have someone buy it for me and transfer it to me?
I still don't blame the developers, I blame government. It's not the job of rank and file workers to police companies. I wouldn't work for LN, but I'm not going to blame someone else for doing so. We've all gotta feed our families. (I realize there's a line somewhere, you wouldn't excuse a prison guard at Auschwitz the same way, but I can't get too worked up about a developer making a ticketing app even if I hate the ticketing company.)
Developed countries long ago came to the conclusion that companies should not be allowed to have monopolies because it is bad for society as a whole, and it's hard to think of a current monopoly as egregious as this one. There is absolutely no reason one company should have exclusive rights to 85% of large venues, also be an evebt promoter, and also be the ticket seller.
Anything their developers do is not the real issue, a society that allows this to happen in the first place is.
I mean would you say that developers who work for Facebook have crossed that line?
...by doing what? FB is one of the largest employers of people on this site. If you ran a poll, I'd expect the majority to answer "no" to your question. Of the people who answered "yes", I bet the majority would still accept an offer from FB if it was just 20k more than the next best offer.
One small example: In 2012 Facebook emotionally manipulated people in the name of science without anybody's consent by controlling positive / negative posts on their news feed.
Right? Wrong? Discuss.
https://xkcd.com/1390/
I don't see the issue. Every social media site does this, FB was just naive enough to share their research
And this just proved my point. During the Nazi regime, everyone was hating the jews. And everyone was doing fascism.
Now to bring this to a close, people like you, who will jump companies for 20_000 and have lost the ability to see a clear ethical violation will be holding the guns and guarding the gas chambers when the next Hitler comes along. Meditate on this.
Also this XKCD is dumb. Previously the feed was chronological post of friends which was definitely more ethical. But of course that didn't make people addicted enough.
If that proved your point, you didn’t have a point. If you can’t see the difference between genocide and lack of informed consent on a social network algorithm experiment you can’t be helped.
I’m all for moral relativism, but there’s no future in which Facebook’s current actions aren’t at least reasonably debatable, and no past in which Auschwitz was.
If you wanted an example of where the line gets blurry (it does sometimes, just not in either of these) I’d go with pharmaceuticals.
One thing I have learned from the internet is that if you mention the Nazis or the Jews, you lose, good day sir, even if you are right.
People are illogical.
Did you get informed consent from me regarding the methods by which you constructed your comment? Or are you manipulating my emotions unethically?
The issue is the lack of informed consent. This is pretty basic ethical conduct of research stuff.
I can't put any facebook developer in the same bucket as a guard at a concentration camp.
Because a concentration camp guard would be jailed or killed for refusing service, but a FB dev would lose a few $thousand in opportunity?
Textbook case of unethical conduct of research. The key here is lack of informed consent by the study participants.
The APA put out a press release about this study violated their code of ethics.
https://www.apa.org/news/press/releases/2014/06/informed-con...
Depends on when they joined
No. Not even close.
I dont think it’s a truth.
Shamans and wizards (never heard this used to describe anyone in history but let’s assume it’s just any kind of supposed magic user) were people at the top tier of their societies in terms of political power. Not kings or chieftains, but above everyone else.
Programmers are just making a living selling their labor power like every other office drone in the world. We’re one of the most common lines of work out there.
If you want the mysticism angle, we are like those kids they used to catch “witches”.
Are there any documented examples of societies where "magics", "shamans" or "wizards" were at the top of the hierarchy? I gotta say, I'm an avid reader of Ancient History and Anthropology and the closest I can think of is the Priest-Kings of Sumeria and your garden variety theocracy and the latter is much more of a priestly bureeacracy than anything else...
Perhaps not at the top in terms of day to day decision making and wealth, but the first that came to mind would be celtic druids and bards.
I think you don't know what you think you know. My mom is a shaman type. These types often live at the outskirts of society where no well-to-do person would like to be seen. Zero political power but enough utility to keep at an arm's distance -- further if possible while not needed.
I don't know where you came by such a notion; Shamans, "Wizards", witches, "wise women/men", are usually shunned from society such that they tend to live near the outskirts of towns or cities, nobody really wants to live close to them; and when "bad things happen" tend to be the first ones to get blamed for it; then they also are commonly used as scapegoats for whatever political, economic or religious effort some corrupt officials try to push.
That doesn't sound very societal top-tier to me.
We're definitely not witches or wizards, at most we are scholars or [specialized] craftsmen. "Knowledge workers" if you will. Not as unlikable as the wise folk that live towards the edge of town, and not as at risk of getting tied to a post and lit on fire because the bishop believes we commune with unclean spirits.
Yeah, we are more like masons. We have useful skills that enable building impressive things, but at the end of the day we are building someone else's cathedral.
The fact we have had less than benevolent wizards and shamans, why would we expect to have modern day equivalent of only benevolent coders? It's such a fairy tale level of expectation that it seems childish. Spending any energy in trying to make real world a fairy tale is just wasted.
It's okay to shame bad actors.
In fact, society would likely be better off if e brought back more public shaming
I think that this is predicated upon a reasonably well informed and educated public. And my estimation is that the general populous is not informed enough on cryptography to be in a position to shame Ticketmaster engineers.
Also, my impression is that there is already copious amounts of public shaming. Some social media sites seem largely devoted to that. And unfortunately, I don't think most people fully deserve the verdict that they get in the court of public opinion.
This is certainly not true. Can you name an existing or historical shame-based society that you would actually want to live in?
We wouldn't. You might expect that on an indivudual level. But at a society level, I would expect any company that's doing things that are specifically allowed by our goverment (who did approve the Ticketmaster Live Nation Merger) to get their jobs filled just like any other. I think Ticketmaster is evil, another developer might not. That's fine, they're not killing people or dumping toxic chemicals into reservoirs, we can agree to disagree.
My outrage is directed entirely at the government agencies whose job it was to stop this, not the developers making a ticketing app.
This is not only a truth of the world we currently inhabit, it has always been a truth, of all the worlds we have inhabited. Power and greed go hand in hand for a reason and the struggle to find the balance is, and will always be present.
It was not true of this world 150 years ago that any person with sufficient learning could tap buttons to create an experience to be found in the hand of the majority of living humans.
I agree power and greed go hand in hand - absolute power corrupts, absolutely - but this bit? This is new.
I personally think we are more like "plumbers but with JSON". I have principles and apply them but I don't expect the others to do that
https://www.amazon.com/New-Kingmakers-Developers-Conquered-W... ("The New Kingmakers: How Developers Conquered the World")
https://web.archive.org/web/20200915000000*/https://try.newr... [pdf]
"In effect, we conjure the spirits of the computer with our spells"
t. Introduction of SICP
Programmers being analogous to wizards or martial artists made more sense back when one used to need to train years or decades to become one.
With age comes wisdom.
There has been a lot of good that came from making coding more accessible; I'm not trying to gatekeep. But I do think that this is one instance where the outcome is worse. The martial arts masters still unquestionably exist among us. It's just that they're now surrounded by younger, less-wise people with guns. Both types can fight an army, but only one has the wisdom to know when it's better not to.
It’s interesting, the more we agree and hold strong, the higher the demand grows for engineers who would help some companies create their hellscape. The incentive will grow higher and higher until people break rank. And you start over.