[HN Gopher] Reverse engineering Ticketmaster's rotating barcodes
___________________________________________________________________
Reverse engineering Ticketmaster's rotating barcodes
Author : miki123211
Score : 970 points
Date : 2024-07-08 15:14 UTC (7 hours ago)
(HTM) web link (conduition.io)
(TXT) w3m dump (conduition.io)
| haburka wrote:
| Isn't this a bit like irresponsible disclosure? Since this may be
| considered a security vulnerability. Although it's all client
| side, I'm sure there's some basis for a lawsuit here.
| bangaladore wrote:
| It is my opinion that you do not need to responsibly disclose
| "security by obscurity"
|
| Additionally, what is irresponsible here? It's not like this
| gives you the capability to clone tickets without first having
| a ticket in the first place.
| AlotOfReading wrote:
| How is this a security vulnerability? It's displaying the exact
| bits Ticketmaster uses and explaining what those bits are.
| They're not circumventing security systems, just the
| requirement to use the app.
| efitz wrote:
| The app-based barcodes don't seem to be solving a security
| problem for customers - they seem to be for the purpose of
| ensuring that traditional scalping doesn't work, forcing ticket
| resale into a market that TicketMaster can profit from.
|
| I would consider it unethical to publish details of an
| unpatched vulnerability that allowed ticket forgery, but I
| don't think it's unethical to bypass DRM-like controls for
| personal convenience rather than commercial purposes.
|
| Of course opinions may differ on this.
| willcipriano wrote:
| Responsible disclosure is something you pay for, not something
| you are entitled to.
| jjcm wrote:
| It requires sniffing your own session credentials first, which
| I don't see as a security vulnerability.
|
| The only thing it allows you to do is sell your ticket, which
| is legal to do.
| Thaxll wrote:
| Everyone wants Ticketmaster to die.
| criddell wrote:
| Except for a lot of performers and venue operators.
| Ticketmaster is paid well to be the bad guy. They often share
| the fees with both the performer and the venue.
| magnetowasright wrote:
| I'm sorry to be that guy but do you have literally any
| source for this?
|
| Might just be the musicians I like, or the fact that
| negativity is better for clicks, but I've never seen an
| artist saying they get any benefit from ticketmaster's fees
| and other such shenanigans; I've only seen artists and
| venues saying that they don't get any money or benefits at
| all from ticketmaster's racketeering.
| criddell wrote:
| From the Ticketmaster website:
|
| > ticket fees (which can include a service fee, order
| processing fee, and the occasional delivery fee) are
| determined by and shared between the parties who have a
| hand in making live events happen including venues,
| Ticketmaster, sports teams, leagues and promoters
|
| When the artist doesn't want their fans to be charged big
| fees - they have some say in it. Robert Smith of The Cure
| made a stand on this last year and got Ticketmaster to
| refund a bunch of money.
| rty32 wrote:
| > they have some say in it
|
| That's a very carefully crafted sentence. How much,
| exactly, do artists have a say? Do artists equally have
| the same amount of "say"?
|
| And why are we even discussing all this nonsense in the
| first place?
| 12_throw_away wrote:
| "Responsible disclosure" is poorly defined corporate
| wishcasting, and certainly not any sort of best practice or
| legal shield.
| Aachen wrote:
| The public prosecutor does not pursue cases where responsible
| aka coordinated vulnerability disclosure was applied. I'd say
| that's a legal shield of some kind at least, and it is
| generally also considered best practice in the industry.
| There's exceptions to everything but, in the general case,
| I'm not sure where you're getting these viewpoints from
| blincoln wrote:
| "The public prosecutor does not pursue cases where
| responsible aka coordinated vulnerability disclosure was
| applied."
|
| That seems like a pretty substantial claim to make without
| any sort of "in [country/state/province/etc.]"
| qualification, let alone a reference.
| Aachen wrote:
| https://www.om.nl/onderwerpen/cybercrime/coordinated-vulnera...
| coldpie wrote:
| Nah. Ticketmaster is unethical enough that spreading
| information that harms them or helps them go out of business is
| ethical.
| speed_spread wrote:
| If it runs on my CPU and shows up on my screen after I paid for
| it, it's mine and I can do whatever I want. Anybody who thinks
| otherwise can fuck off outright.
| warkdarrior wrote:
| That's exactly the same policy I apply to AGPL software. I
| paid for it ($0, as mandated by the developer) and it runs on
| my CPU.
| jcranmer wrote:
| I'm struggling to come up with a good basis for a lawsuit. CFAA
| abuse is the first thing that comes to mind, but this is a real
| stretch for that, and SCOTUS shut that stretching down a while
| ago. DMCA doesn't come into play, since this isn't
| circumventing any copyright protection schemes. So this kind of
| leaves you with some form of contract violation, but even that
| seems like a stretch here. Tortious interference or
| interference with prospective business? I mean, I don't see any
| events complaining about this (hell, Ticketmaster itself
| arguably has some contract liability issues with the fact that
| their technology relies on cell service which tends to be
| spotty in dense crowds). So you're kind of left with some
| individual contract liability issue, which is literally not
| worth the cost of litigation.
| cortesoft wrote:
| > There's no risk that your ticket won't get you in
|
| Isn't this not true? The risk with printable tickets is that a
| seller could sell it to multiple people, who all print it out,
| but then only the first person who uses it can get in?
|
| Even if the venue doesn't check to see if a ticket has already
| been used, only one person can sit in the actual seat.
| gruez wrote:
| >is that a seller could sell it to multiple people, who all
| print it out
|
| They can't "print it out" because it's a rotating code.
| SamBam wrote:
| > "The risk with printable tickets is..."
| 8organicbits wrote:
| Previous sentence:
|
| > If you bought the ticket off the event's official ticketing
| agency (not a sketchy reseller)
| TrackerFF wrote:
| Ticketmaster has a system for transferring tickets, if you want
| to buy or sell tickets.
|
| There could very well be a reason for someone to only sell a
| physical ticket, or not transfer it through ticketmaster, but I
| have yet to find anyone but scammers that want to do that.
|
| The reason is, just as you mention, that scammers will try to
| sell multiple tickets. Then one (or many) sucker turns up to
| the venue, only to discover that the ticket has already been
| validated.
| Mehvix wrote:
| >Ticketmaster has a system for transferring tickets, if you
| want to buy or sell tickets
|
| Sure, and it is terrible.
|
| They can block you from transferring the ticket you bought,
| and can set a minimum resale price (effectively ensuring you
| cannot recoup anything)
|
| You should own what you purchase, simple as.
| mschuster91 wrote:
| > This is a contradiction in TicketMaster's marketing. They can't
| have robust DRM on their tickets if those tickets can still be
| viewed offline.
|
| The "robust DRM" is called "ID cards". Here in Europe, it's
| become commonplace to tie soccer tickets to ID cards that are
| verified at the gates to keep hooligans (or those suspected of
| being hooligans, which is a status that is way WAY easier
| obtainable than one might reasonably assume) out, and high-class
| events that attract scalpers like a pile of dung attracts flies
| have been doing that for even longer.
| gruez wrote:
| >They can't have robust DRM on their tickets if those tickets
| can still be viewed offline.
|
| https://en.wikipedia.org/wiki/Trusted_Computing
| 12_throw_away wrote:
| Huh, weird, turns out an old, low-tech solution is much more
| secure than Ticketmaster's roll-your-own weird TOT-QR
| "security" (even considering the magic animation that
| makes it "in a sense, alive")
|
| (Not that requiring ID doesn't raise the same and also other
| consumer rights issues)
| mschuster91 wrote:
| The thing is, unlike most of Europe, the US doesn't have a
| legal mandate for anyone to possess an ID card, and so in
| practice you got 50 states worth of driver's licenses,
| library cards, military or government employment IDs that can
| be used (or faked)... so you can't really use these for
| legitimately verifying anything unless you want to spend a
| lot of time and money to train your staff to spot fakes.
| Banks can do that but no one wants to do that for the goons
| that run security at venues for minimum wage.
| IncreasePosts wrote:
| Sure, but realistically no one is going to get a fake ID
| with a certain name on it so they can go to a concert with
| that person's tickets.
| ssl-3 wrote:
| The problem isn't scams.
|
| The problem is that Americans _are not required to have
| an ID_ -- at all. No federal law requires it, and there
| is none issued by default.
|
| (This is not the same as saying "Americans don't have to
| carry an ID" even though that is also true.)
| IncreasePosts wrote:
| Americans aren't required to have an ID, but that is only
| relevant to government related services. Private
| businesses like concert venues are within their rights to
| card you in some manner, and refuse admittance if you
| don't provide ID.
| ssl-3 wrote:
| Yes, that's all true.
|
| But none of that somehow makes this side of the pond the
| same as the other side of the pond.
|
| An idea that works in one place doesn't necessarily work
| in the other.
| BobaFloutist wrote:
| How hard is it to get access to a database to confirm that
| a scanned ID is valid, and corresponds to the name written
| on it?
| its_ethan wrote:
| Hopefully pretty hard.
| BobaFloutist wrote:
| Not a database you can trawl for your own uses, just
| something that if you scan an ID pops up
| validating(/rejecting) it and lists the associated name.
|
| I guess you could abuse that to turn partial IDs into
| more realistic ones? But that feels like a stretch. I
| can't see it being that useful for much more than
| confirming that an ID isn't a fake, which seems hard to
| abuse.
| mschuster91 wrote:
| Easy if you're government (every random cop on a traffic
| stop must be able to do that after all) but really REALLY
| hard for private entities.
|
| The exception is anything that is accepted by airports
| for international travel aka, for you Americans, only a
| passport - ICAO 9303 is _very_ detailed on how you can
| access the data stored on them. The specs and a basic
| understanding on how to communicate with smartcards are
| decent enough to get you to a readout in maybe a weekend
| worth of work. The authentication is either via a code
| derived from the MRZ or a dedicated access code printed
| on the document.
| londons_explore wrote:
| v2 of this will require an Android/iOS app which will make use of
| the platform's secure storage abilities for the key.
|
| On non-rooted devices, those are pretty much impervious to the
| user trying to inspect their contents.
| Aachen wrote:
| And this is why those companies love DRM'd (non-rooted) devices
| and try to detect when you broke this form of DRM: you can't
| get at your data, not even to make a backup of it; they're in
| full control. Also for security (can't grant root to malware if
| you don't have the permission to grant that), but also for
| everything else
| dmurray wrote:
| You could extract the barcode at all times in the future by
| setting the system clock (you can do this on non-rooted phones,
| and keep it that way at least if you do it in airplane mode).
|
| The Android docs mention a "secure timer" in the hardware
| security module, but I'm not sure that it can be used to
| prevent this.
|
| https://developer.android.com/reference/android/security/key...
| jszymborski wrote:
| Truly a noble cause.
| ikesau wrote:
| Really good post! I also found this quote which distilled their
| position in the 404media coverage of the situation.
|
| > "What I can say for sure is that TicketMaster and AXS have had
| every opportunity to support scam-free third party ticket resale
| and delivery platforms if they wished: By documenting their
| ticket QR code cryptography, and by exposing apps and APIs which
| would allow verification and rotation of ticket secrets,"
| Conduition told me in an email. "But they intentionally choose
| not to do so, and then they act all surprised-pikachu when 3rd
| party resale scams proliferate. They're opting to play legal
| whack-a-mole with scammers instead of fixing the problem directly
| with better technology, because they make more money as a resale
| monopoly than as an open and secure ecosystem."
|
| from https://www.404media.co/scalpers-are-working-with-hackers-to...
| yard2010 wrote:
| Don't get me wrong. But blockchain already exists, no need to
| re-invent it
| dymk wrote:
| Not all cryptography is blockchain
| chazeon wrote:
| Another case of abusing ToTK, an excellent technology that
| promised convenience, security, and offline access. Similarly,
| Duo builds their stuff off ToTK and then fends off (or makes it
| very, very hard) you from using a third-party ToTK authenticator
| with their sites. This company just jettisons the fine promise of
| available offline that was made by ToTK.
| Arch-TK wrote:
| TOTP?
| xnx wrote:
| Tears of the Kingdom?
| frizlab wrote:
| How about the "Add to Apple Wallet" option? He did not talk about
| that _at all_, but AFAIK the ticket would be fully available
| offline and not in Ticketmaster app, no? It's actually an elegant
| solution IMHO.
| abofh wrote:
| They mentioned avoiding google wallet, so we can assume
| android, and that apple wallet wasn't considered for not being
| an option for them.
| tkems wrote:
| I just added a ticket to my Google Wallet for a concert last
| night and it was very similar to the Ticketmaster/LiveNation
| app. The PDF417 barcode changed and had an animation around it.
| My guess is that it is the same or very similar on Apple
| devices.
| rareitem wrote:
| So items inside google/apple wallet don't need to be
| 'static'?
| padthai wrote:
| No, I have flight tickets autoupdate when there is a delay.
| reddalo wrote:
| I've only seen the flight data change, not the code
| itself.
| xp84 wrote:
| The barcode is just another field in there, so it can be
| updated the same as anything. Passkit is very simple. For
| the barcode part you just tell it type of code (from the
| available types) and value to encode.
| tkems wrote:
| With Google Wallet (the only one I have at the moment), it
| is not static for the ticket. It has an NFC and barcode
| option. The barcode changes every 15 seconds for me.
| divbzero wrote:
| Yes, it is available offline if you "Add to Apple Wallet".
|
| The ticket in Apple Wallet is still revocable if you transfer
| the ticket to someone else using Ticketmaster's website,
| probably through an update that Ticketmaster pushes to the
| wallet [1].
|
| [1]:
| https://developer.apple.com/library/archive/documentation/Us...
| jyrkesh wrote:
| Just recently dealt with this for a big Ticketmaster event.
| The Apple ID has to match the email address on the
| Ticketmaster account, or the ticket will show as Void in the
| Apple Wallet.
|
| But it does solve the offline issue that the blog author was
| experiencing.
| nedt wrote:
| This sucks because obviously I'd give them a different
| email address - just like everyone else. For example with
| the "login with apple"
| TeeWEE wrote:
| The barcode in apple wallet also auto-updates.
| arscan wrote:
| I recently purchased tickets via SeatGeek and was provided a link
| to one of these barcodes, which accepted as a querystring
| parameter an access token that seemingly had a long expiration
| attached to it. It was hosted on "downloadmytickets.com", which
| doesn't look legitimate and caused me to do this same type of
| analysis to see how it all worked. Whether or not this was a way
| to bypass the "security" to enable sale via third parties, or
| just a very untrustworthy-looking official domain, I don't know.
| But in the end it worked fine at the venue. Definitely more
| stress involved than I would have liked though.
| noodlesUK wrote:
| This sort of ticketing thing is a trivially solvable problem. It
| is solved at every airport in the entire world millions of times
| per day. You provide the name of each concertgoer when you buy a
| ticket, and they show up with their ticket and ID. You often need
| to show your ID at these kinds of venues to prove you're old
| enough to drink beer anyway.
| cogman10 wrote:
| Yup.
|
| I have to believe the reason the likes of ticket master isn't
| fixing this is because they are selling/auctioning/reserving
| some percentage of tickets to scalpers or "3rd party sellers".
|
| Requiring ID is such an obvious solution that I have to believe
| these convoluted approaches are only there so the secondary
| market can exist and so ticket master can wash their hands when
| prices get out of control on that market.
| oehpr wrote:
| I have to presume that the driving impetus of all of this is
| that they're trying to avoid the actual requirement of
| checking the ID. Like, they want to improve the flow of
| traffic through admissions.
|
| But I mean, obviously, any kind of system like this strikes
| me as the same sort of thing as DRM. That you can somehow
| protect the message from the person you're sharing the
| message to. How can you avoid reselling if you don't verify
| the original purchaser? It just seems ridiculous on its
| face.
| jrockway wrote:
| Yup exactly. Some events are pretty bad at opening the
| doors early. The Brooklyn Nets seem to open 30 minutes
| before the game, so they need to get 20,000 people through
| 20 metal detectors in 30 minutes. Every second extra they
| add to the process is a second you don't have to buy a $25
| drink, and that's how they make their money.
|
| We check IDs for flights because airline yield management
| demands that there be no resale, or business travelers
| would be traveling on leisure fares.
| BobaFloutist wrote:
| >We check IDs for flights because airline yield
| management demands that there be no resale, or business
| travelers would be traveling on leisure fares.
|
| Sorry, what? Surely business travelers pay more just by
| virtue of traveling by business class? Or, if travel
| through business portals was consistently significantly
| more expensive than just buying the ticket directly on
| the airline's website, businesses would just start buying
| tickets directly from the airline's website?
|
| Is there something about how ticket fares are calculated
| and paid that I don't understand?
| qazxcvbnmlp wrote:
| Business travelers != travelers in business class.
|
| Airlines use a fair number of techniques to price
| discriminate between leisure and business passengers.
| drewg123 wrote:
| Last minute / next day fares have traditionally been far
| more expensive than 3 week advance, and that was intended
| to impact business travel more than leisure. If there was
| a 3rd party marketplace for airline tickets, last minute
| tickets would not be nearly as expensive and the airlines
| would make far less money.
|
| Consider an example where we have a business traveler
| "Bob" and a leisure traveler "Larry". Bob needs to get to
| LAX tomorrow to put out a fire at a client site. Larry
| has a trip booked to LAX tomorrow, but can't go because
| he's sick. Larry has paid $500 for the trip 3 weeks ago.
|
| Today: Larry cancels his trip, and maybe, if he's lucky,
| gets an airline credit for the original price of the trip
| that expires in a year and which may be hard to use for
| his next trip. When he cancels, a seat opens up on the
| plane, and the airline sells it to Bob for $1200.
|
| If resale was permitted: Larry auctions off his ticket at
| an airline ticket reseller. He gets $700 from Bob. So if
| resale was permitted, Bob's business saves $500, and
| Larry makes $200, and the airline loses $1200-$1700. You
| can see why they hate resale.
| yellowapple wrote:
| Okay, but how many business flights are actually last-
| minute like that? Whenever I've flown for work reasons
| the tickets were bought at least a week in advance, and
| usually 3+ weeks in advance.
|
| Likewise, there are plenty of non-business flights booked
| last-minute like that, too - like, as a personal example,
| needing to book a same-night flight to help a family
| member drive cross-country with her kids and personal
| belongings so she could get out of a dangerous personal
| situation.
|
| All this being to say: if price differentiation between
| in-advance v. last-minute bookings is actually intended
| to make business travel cost more than leisure travel,
| I'm thoroughly skeptical of that intent being fulfilled
| in practice. Seems more likely that it's simply a matter
| of things costing more when they're more scarce (as seats
| on an airplane would become as it gets closer and closer
| to the departure time), and that just so happens to
| impact business travelers more than leisure travelers.
| lesuorac wrote:
| Yeah, I don't think that's right either. They don't check
| your ID at the gate, it's just TSA that checks your id
| (if you have one).
| donalhunt wrote:
| Depends on the departure and arrival city. It is common
| for ID to be checked at the gate for international
| flights because airlines are held responsible for
| transporting passengers that don't have the correct
| paperwork / visitor permits for the destination country.
| IncreasePosts wrote:
| Yes, and the airlines don't (generally) let you change
| the name on a ticket.
| yellowapple wrote:
| > or business travelers would be traveling on leisure
| fares.
|
| Don't they already do that anyway? Every time I've gotten
| on a plane for work purposes, there was no
| differentiation between "business traveler" v. "leisure
| traveler" as far as the ticket purchasing process was
| concerned. Hell, in the most recent case it was even with
| my own credit card (for which I submitted an expense
| report to be reimbursed) - so for all the airline knew, I
| was just taking a week-long vacation to Colorado Springs
| (in that case) instead of being there for work.
| jrockway wrote:
| The rates are typically different if you stay a Saturday
| night. Business travelers go home on Friday night. (SFO-
| NYC on Friday night was always a tough flight to book. I
| usually stayed the extra night so I could fly 1st or
| Business for less money.)
|
| If you could buy someone else's ticket on the secondary
| market, then you could do a split ticket thing where you
| both stay Saturday night but neither of you actually do.
|
| Everyone should change their name to Pat Smith and end
| this scam once and for all.
| cogman10 wrote:
| So even if you don't want to do the ID thing, there are
| alternatives that you see all over the place (like venmo).
| Have a rotating QR code seeded with a unique to the user
| id. Then with ticket master, require a login to buy
| tickets. Register the tickets to the ID and then do the
| lookup with a combination of the ticket id, rotating qr
| code, and the user id.
|
| That requires the admitter device to send the challenge
| back to HQ, but that shouldn't really be much of a
| challenge. Tickets then become linked to the user's account
| (perhaps you allow transfer).
|
| This is effectively what Disney does with their ticketing
| system, along with at the gate them taking a picture of you
| so they can confirm "Yes, so and so looks like the photo".
|
| But yeah, all of this is ridiculous on its face as the
| cheaper and easier solution is ticket plus ID. If you are
| worried about flow have signs up before check in that say
| "be sure to have your ID ready before you get to the
| counter".
|
| The ticketmaster solutions are just bad/half assed.
|
| That is to say, if ticketmaster had just done TOPS like the
| article points out, you'd not need the headache they've
| created with needing a live internet connection to load
| your ticket.
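
The lookup cogman10 describes above (ticket id + rotating code + user id, checked at HQ), sketched as an added example that is not part of the thread and not Ticketmaster's actual scheme. The 15-second step, the HMAC-SHA256 construction, and every name in it are assumptions.

```python
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 15   # assumed rotation period
ALLOWED_DRIFT = 1   # time steps of clock skew the gate tolerates either way


def _field(value: str) -> bytes:
    """Length-prefix a field so ("ab", "c") and ("a", "bc") never collide."""
    raw = value.encode("utf-8")
    return struct.pack(">H", len(raw)) + raw


def rotating_code(secret: bytes, ticket_id: str, user_id: str, now: float) -> str:
    """Code the holder's device would render as a barcode for the current step."""
    counter = int(now) // STEP_SECONDS
    msg = struct.pack(">Q", counter) + _field(ticket_id) + _field(user_id)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


class TicketRegistry:
    """Hypothetical "HQ" side: holds per-ticket secrets, owners, redemption state."""

    def __init__(self):
        self._tickets = {}  # ticket_id -> {"owner", "secret", "redeemed"}

    def issue(self, ticket_id: str, user_id: str) -> bytes:
        secret = secrets.token_bytes(32)
        self._tickets[ticket_id] = {"owner": user_id, "secret": secret,
                                    "redeemed": False}
        return secret  # delivered once to the owner's logged-in device

    def transfer(self, ticket_id: str, new_user_id: str) -> bytes:
        """Re-register the ticket and rotate its secret, so anything the
        previous holder kept (secret, screenshots) stops verifying."""
        ticket = self._tickets[ticket_id]
        ticket["owner"] = new_user_id
        ticket["secret"] = secrets.token_bytes(32)
        return ticket["secret"]

    def verify(self, ticket_id: str, user_id: str, code: str, now: float):
        """Gate scanner calls this; returns (admitted, reason)."""
        ticket = self._tickets.get(ticket_id)
        if ticket is None:
            return False, "unknown ticket"
        if ticket["owner"] != user_id:
            return False, "ticket not registered to this account"
        if ticket["redeemed"]:
            return False, "already redeemed"
        for drift in range(-ALLOWED_DRIFT, ALLOWED_DRIFT + 1):
            expected = rotating_code(ticket["secret"], ticket_id, user_id,
                                     now + drift * STEP_SECONDS)
            # Constant-time comparison; bytes so arbitrary scanner input is safe.
            if hmac.compare_digest(expected.encode(), code.encode()):
                ticket["redeemed"] = True  # one admission per ticket
                return True, "admitted"
        return False, "stale or invalid code"


def demo():
    """Constructed scenario: screenshot reuse, normal entry, replay, transfer."""
    t0 = 1_720_000_000  # constructed timestamp
    hq = TicketRegistry()
    secret = hq.issue("T-1", "alice")
    shown = rotating_code(secret, "T-1", "alice", t0)
    results = [
        hq.verify("T-1", "alice", shown, t0 + 120),  # old screenshot
        hq.verify("T-1", "alice", shown, t0 + 10),   # scanned within drift
        hq.verify("T-1", "alice", shown, t0 + 12),   # second scan of same code
    ]
    old = hq.issue("T-2", "alice")
    new = hq.transfer("T-2", "bob")
    results.append(hq.verify("T-2", "bob",
                             rotating_code(old, "T-2", "bob", t0), t0))
    results.append(hq.verify("T-2", "bob",
                             rotating_code(new, "T-2", "bob", t0), t0))
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Because the redemption flag lives at HQ, this variant needs the gate to be online, which is the trade-off the comment itself notes.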
| KennyBlanken wrote:
| You don't understand how people at their companies
| evaluate stuff like this.
|
| Any solution that increases capital or operating
| expenditures for them or the venues (half of whom they
| own, if I remember correctly?) is a non-starter if it
| doesn't generate some increase in revenue.
|
| They will not do anything they don't _have_ to do if it
| means _any_ impact to their bottom line _whatsoever_.
|
| We see it as "pennies per transaction."
|
| They see it as "we sell 500M tickets per year so five
| cents per transaction is $25M/year in lost net."
| cogman10 wrote:
| Well that's where I'd argue they are negatively impacting
| their bottom line.
|
| > These rotating barcodes on the other hand are far from
| perfect. I experienced this first-hand last year when I
| attended another very popular concert where they used a
| similar rotating-QR-code-ticket system. Numerous people
| including myself and my friends were floundering at the
| entry gate citing a bevy of broken barcode problems. ...
|
| > The venue was so crowded that cell-towers and WiFi were
| overloaded. Internet access was spottier than a Dalmatian
| with chickenpox.
|
| That is impact to their bottom line. They have admittees
| waiting at the gate blocking other people from getting in
| cutting into their concession sales.
|
| If they'd used a bog standard TOPS system (like the op
| suggests) that would not be an issue at all. But instead
| because they have the dumb system where you reach out to
| the ticket master servers to get your code, they've
| created their own nightmare.
| lmz wrote:
| > I experienced this first-hand last year when I attended
| another very popular concert where they used a similar
| rotating-QR-code-ticket system. Numerous people including
| myself and my friends were floundering at the entry gate
| citing a bevy of broken barcode problems.
|
| That's a _different_ system. The article makes it clear
| that the Ticketmaster system works offline if you have
| opened it on the mobile app. Which they don't want to
| install.
| TylerE wrote:
| You don't even have to use the app. You can just visit
| the ticketmaster website and add it to apple wallet
| straight from there. Can do it months in advance, too.
| monksy wrote:
| Disney is collecting pictures of everyone's faces. That's
| pretty creepy.
| makestuff wrote:
| Yeah I agree, they are not incentivized to fix scaling/bots
| because they get a fee every time a ticket is sold. It is in
| their best interest for the ticket to be sold as many times
| as possible.
| wombat-man wrote:
| Hell, you just scan your ID at TSA nowadays. They don't need
| your ticket.
| dawnerd wrote:
| Or just scan your face with the new Digital ID rolling out.
| It's actually quite nice.
| storyinmemo wrote:
| But also, the hell with this. I'm still sour enough about the
| TSA without the concept of, "I'll buy tickets for me and three
| of my friends then see who wants to go," becoming impossible or
| gated by ticket transfer fees.
| swores wrote:
| Even allowing that but requiring your valid ID must be taken
| into the venue by yourself (or by your friends eg if you get
| sick and can't go) would be a big improvement, meaning ticket
| scalps would have to actually go or have someone on their
| team go along with every ticket they resell.
| toomuchtodo wrote:
| Airlines are preventing a secondary market. Unfavorable for
| your use case, but also prevents scalping airline tickets
| (while allowing airlines to attempt to maximize revenue).
| There are always tradeoffs and compromise.
|
| To hack around this, I've used Southwest Airlines; I can buy
| tickets for folks and if they can't travel, we cancel the
| ticket(s) and keep the travel funds banked for another time.
| I hope this is potentially helpful information.
|
| https://simpleflying.com/why-airlines-dont-allow-name-change...
| tqi wrote:
| People often buy tickets without knowing exactly which of their
| friends are going to attend with them. This is not true of
| airplane tickets.
| actionfromafar wrote:
| Would be awesome if it were true for airplane tickets
| mattmaroon wrote:
| One ID for the entire order would be fine. You can buy 4
| tickets, and go into the concert with your 3 friends. It
| often works this way even with no ID involved, I buy two
| tickets, add them both to my wallet, scan them both when my
| GF and I go to the show.
|
| You COULD still scalp tickets if the person who bought them
| from you is going to walk in with you. But the scalper would
| have to eat the cost of one ticket to do it, and it's
| probably onerous enough to severely reduce the impact of
| scalping.
| miki123211 wrote:
| That's how trains work (here).
|
| Every ticket must have one name and surname on it, no
| matter how many passengers it covers. That person must be
| traveling on the ticket.
|
| You're usually asked for some kind of photo anyway because
| of discounts, which a very significant percentage of train
| riders are entitled to.
|
| I think this is because tickets must be both printable and
| verifiable offline in case the train gets into a spot with
| no connectivity when the inspector is inspecting tickets.
| 0cf8612b2e1e wrote:
| What if you need to arrive separately? Especially for a big
| event with tens of thousands of people, can be easier to
| meet up inside the venue on everyone's timeline.
| mattmaroon wrote:
| Then you should have thought of that when you bought the
| tickets I guess. Any change to the system to fight
| scalping is going to inconvenience regular users too.
|
| As a frequent concert goer, I'd happily have to arrive
| with my group if it meant no Ticketmaster.
| dbbk wrote:
| Yes this exists, it's called lead booker tickets
| __MatrixMan__ wrote:
| That requires a single source of truth for which names go with
| which tickets. Which is going to be a problem if tickets need
| to be transferred in contexts where users don't have internet
| access (but they do have local connectivity between devices) or
| in contexts where the venue doesn't have internet access. Or in
| cases where the single source of truth might be vulnerable to
| attack or doesn't have the resources to handle the load at
| certain times.
|
| I don't have the solution explicitly, but it seems like it
| ought to be possible to do this such that PII need not be
| collected. Tickets could be cryptographic proofs that a chain
| of custody exists and meets certain criteria. The proofs could
| be constructed at transfer time and verified at admission, no
| servers in the loop anywhere. Yeah, we'll come up against the
| CAP theorem eventually, but we might find that the imposed
| constraints are workable.
| immibis wrote:
| > Which is going to be a problem if tickets need to be
| transferred in contexts where users don't have internet
| access (but they do have local connectivity between devices)
| or in contexts where the venue doesn't have internet access.
|
| You know as well as I do that TicketMaster won't allow any of
| that, because it means they miss out on selling another
| ticket.
| lilyball wrote:
| Flying requires an ID. Attending a concert should not. Any
| solution that is solved by "simple, just require an ID" is not
| a solution.
| itishappy wrote:
| > Flying requires an ID. Attending a concert should not.
|
| Why though? Not disagreeing per se because I'd have thought
| so too, but upon reflection...
|
| I assume the main reason airlines require an ID is safety and
| security. We maintain a denied parties list and use identity
| verification to make it as difficult as possible to fly a
| plane into a crowded venue. Border control is another issue,
| but there's plenty of intra-country or intra-state flights
| where this isn't an issue.
|
| Ticketmaster sells unverified access to crowded venues.
| jmb99 wrote:
| Is your argument that people should be unable to attend
| concerts/etc without presenting ID? I for one am not a fan
| of that idea
| jasomill wrote:
| I assume the main reason airlines require ID (for domestic
| flights) is to prevent ticket resale, and that "security"
| is just a convenient scapegoat. And I'm not alone[1].
|
| [1] https://www.schneier.com/crypto-gram/archives/2003/0815.html...
| llsf wrote:
| The issue is most likely about throughput. You want to let fans
| enter the venue as quick as possible. Most venues have lots of
| gates, but still the latency at each gate has to be a handful
| of seconds per ticket. Having to validate both ticket and ID
| would easily double or triple that time.
| crftr wrote:
| Today's digital entry experience is far from frictionless.
| Might as well add a scan of the PDF417 barcode on the back of
| the latest state ID cards.
|
| I just went to a MLB game yesterday, and the digital process
| was:
|
| - Open ticket app
| - scan ticket 1
| - scan ticket 2
|
| I imagine this could have been:
|
| - Open ticket app
| - scan PDF417
| - scan ticket 1
| - scan ticket 2
| reddalo wrote:
| Italy solved this. Five years ago, a new law enforced ID-
| checking when you enter any big events (like concerts with an
| audience larger than 5000 people).
|
| Tickets have your name on it, and you can only change the name
| or resell them through the official seller (so, third party
| resellers are out of the game). Also, every reselling
| transaction is registered and can be inspected by the Italian
| Rightsholder Agency (SIAE).
| bagels wrote:
| This improves the security over airline tickets.
|
| There was a recent story of someone taking pictures of other
| people's boarding passes, and using that to board the plane.
|
| With this ticketmaster scheme, unless the person has access to
| the secret keys, the pass would only be valid for a few
| seconds, likely defeating this attack against boarding passes.
|
| https://www.nbcdfw.com/news/local/texas-news/texas-man-board...
| Zopieux wrote:
| How often has this been a problem though? How about not
| keeping your boarding pass, or ticket, or credit card for
| that matter, visible for the world? Just put it in your
| wallet, I don't know.
|
| This is security FUD. Stop solving problems that do not exist
| to the point where it makes the news when they do happen,
| once a century.
|
| This DRM scheme concretely creates millions of small
| annoyances to millions of people and wasting our time as a
| society.
| bagels wrote:
| It also happens that pranksters can cancel your travel if
| your boarding passes make it on to Twitter or other social
| media. It's not a non-problem like you make it out to be.
|
| Sure, it won't happen to you or me, because we know it is a
| risk to expose these documents, but that is not true of
| most people.
|
| Maybe the DRM is not worth it. I actually think it's
| obnoxious for concert tickets (I recently had to deal with
| this system, and I was not thrilled about installing an app
| from a company that I think is using unfair business
| practices).
| dawnerd wrote:
| Airlines are starting to use rotating barcodes as well. Heck
| some are even switching to purely facial recognition.
| johnflan wrote:
| I'm not sure that would fly in Europe. And I personally don't
| want to hand over my id to use a ticket
| nedt wrote:
| I wouldn't bring my ID to a concert. I don't have my wallet
| with me and even if I would they wouldn't like me to have a
| backpack. I'm coming as light and minimal as possible and also
| would hate to lose my ID jumping around at a concert.
| MattGrommes wrote:
| Some venues do this already and the scalpers buy an additional
| ticket to burn on themselves so they can get their customer in
| the gate. It just goes into the cost of doing business. I agree
| this is probably one of the best ways to stop scalpers but it's
| not foolproof.
| muppetman wrote:
| No, it's not. At my work here we'll all go online to try and
| get tickets to a big gig. One of us might get in, so that
| person will get ~8 tickets or whatever the maximum is. And then
| we split them between us, transferring over cash etc. If we have
| a few left over we'll sell them to friends for the ticket
| value.
|
| But none of us have any intention of lining up with the others
| to get in. We want to go with our partners, our own friends
| etc.
|
| I want Bob, Terry or Bazzy to be able to buy tickets for me (or
| me for Bob, Terry or Bazza) but I do not want to have to meet
| up with Bob, Terry and Bazza and stand in line with them all to
| get in.
|
| So yea, it's not trivial. I wish it was, I farkin' hate
| scalpers.
| cbsmith wrote:
| Yeah, except NO.
|
| A lot of people think live event ticketing is the same problem
| as airplane tickets, but they really aren't. As an example,
| there are rules about requiring identification for commercial
| flight. There are rules _against_ requiring identification for
| live events.
| londons_explore wrote:
| Isn't this vulnerable to ticket 'selling' by simply sharing the
| username and password of the ticketmaster account?
|
| it's not like a ticketmaster account is 'worth' anything, so the
| seller can simply set up a new one for their next purchase.
| pxx wrote:
| actually, aged ticketmaster accounts are worth something!
| people will buy them for a few dozen dollars, as they get
| priority in ticket queues.
| blincoln wrote:
| Setting up separate accounts for every ticket purchase seems
| like a LOT of overhead (especially scalpers buying many tickets
| at once and piecemealing them out), and is easy to defeat, e.g.
| require out of band auth via the phone number associated with
| the account before logging in for the first time on a new
| device.
| rty32 wrote:
| Based on the highly questionable PS/Xbox accounts sold on
| eBay, I think that's just what scalpers could do as part of
| their everyday job.
| Closi wrote:
| Well you can transfer the ticket to someone else for free
| anyway, so not really an issue.
|
| Or you can transfer it to another name and print it out - just
| the name on Ticketmaster's system has to match some ID you have
| in the print scenario.
| phoronixrly wrote:
| With regards to the end of the article.
|
| > Can I work for a bad company and still be a good person?
|
| > No.
|
| https://apenwarr.ca/log/20201121
| probably_wrong wrote:
| I'm glad we cleared that up. Now all that remains is a good,
| measurable definition of what a bad company is.
| munk-a wrote:
| You're trying to get quantitative about a qualitative
| problem.
| blowski wrote:
| So if you think a company is bad you shouldn't work for
| them. Perhaps many of the people working for TicketMaster
| don't think they're a bad company.
| its_ethan wrote:
| That's their point. They're poking fun at how the OP is
| speaking in absolutes about something subjective/ opinion
| based.
| probably_wrong wrote:
| The problem is that "bad company" is such a nebulous
| concept as to be useless, as the JSON license showed with
| their "shall not use this software for evil" clause.
|
| No matter which company you choose, someone somewhere will
| find a justification for why they are actually not bad.
| Weapons dealer? Protecting your nation. Destroying local
| businesses? "They are just adding efficiency to the
| market". Kill someone with bad practices? "Still safer than
| the alternative". Ticketmaster? "The scalpers are giving a
| subvention for those who cannot afford the real price".
|
| Setting up a straw "bad company" and knocking it down
| doesn't help anyone on the real problem of people working
| for unethical companies.
| __MatrixMan__ wrote:
| It's like porn. You know it when you see it and also there's
| quite a lot of it.
| rozap wrote:
| It's not hard if you remove the self delusion. Removing the
| self delusion is maybe tricky for the individual, but it's
| easy for people around the individual to see. Societal tools
| like shame are generally used to encourage people in the
| right direction, but we don't do a great job of this in
| America, because money tends to override everything else and
| I don't think we have good structures around expressing non-
| monetary values like honor.
|
| Especially on the west coast, we're so passive in our shaming
| of people that it probably doesn't translate to action. There
| are people who work at Evil companies like Facebook, etc, who
| are otherwise nice, but I find myself not including them or
| turned off to them as friends because this sort of
| contradiction is hard to square in my brain. Of course I
| wouldn't communicate to this, being a passive PNW raised
| wimp, and it's not even super explicit in my mind, it's
| really more of a bad vibe than anything else. I imagine over
| time if enough people act like I do, it doesn't actually
| translate to different decisions from the individual in
| question, but instead translates to them waking up one day
| feeling distant and unfulfilled, which is probably the worst
| of all outcomes. They still work for Bad Company, but are
| _also_ sad about it, and there's a general sense of malaise
| pervading life that's hard to pinpoint.
|
| *Obviously this all ignores the people who don't have a
| choice of employment. But here I'm generally referring to
| software people who have high pay and career mobility. Things
| get murkier when the conversation is opened up to people who
| are just trying to survive.
| ilrwbwrkhv wrote:
| Yup. I was just discussing this in another comment that
| Facebook's emotional manipulation of users without consent
| is ethically wrong. Some people are replying with eh,
| everybody does it and for 20,000 dollars people will jump
| to Facebook.
|
| I think the Leetcode grinding, TC optimizing crowd with no
| real moral judgment which is the majority in tech right now
| is another reason why things are falling apart. They will
| happily work for the KKK if they get a larger RSU package.
|
| Your point about them being at least "sad" about it, is a
| start I guess.
| phoronixrly wrote:
| Wait, is the KKK bad? What is your good measurable
| definition for it being bad? /s
| joquarky wrote:
| Postmodernism has stripped away fulfillment with the
| promise of higher pay if you just grind harder.
|
| If you no longer feel pride in your work, then money
| takes over. In my search, no employer cares about this
| anymore because the newer generations are only here to
| grind for gold.
| __MatrixMan__ wrote:
| I won't try to define postmodernism, but I'm pretty sure
| a significant part of it has to do with abandoning
| traditional modes of operation and freestyling a bit with
| your worldview.
|
| I don't question that the problems you're describing are
| problematic, but what do they have to do with
| postmodernism? It seems like in the cases you're
| describing, the postmodern approach would be to call into
| question whether the abstractions in use ("value" in this
| case) are applicable, and to instead march to the beat of
| your own drum in some way.
| TremendousJudge wrote:
| If you're asking the above question, it means you already
| think the company is bad according to your own morals.
| __MatrixMan__ wrote:
| I ask myself if my company is bad all the time. They don't
| get a perfect score, but I feel better about this one than
| any of the previous ones (that's why I'm here and not
| there). If the answer is ever a resounding yes, I'll leave
| this one too.
|
| When most of the relevant work around you is in some way
| related to ICBM's, you either sell your soul early, or you
| end up with habits like this. By my reckoning, about 80% of
| technology companies are bad.
| joquarky wrote:
| As one grows older, they may find that not everything in
| reality can be quantified or put into words.
|
| And trying to objectify value judgements is another whole
| area of contention that inevitably leads to itself.
| pompino wrote:
| > Now all that remains is a good, measurable definition of
| what a bad company is.
|
| Let's re-invent religion.
| digging wrote:
| And pretty much every company is bad. But this is a wrong
| answer because the question is actually nonsense.
|
| The answer to "What happens when you move faster than light" is
| not "nothing", it is undefined because the question is invalid.
| Asking if a person or a company is good or bad isn't a question
| that can ever have a well-defined answer: the answers we give
| are rounded according to our own values. To get more specific,
| not all of us have a huge amount of choice in who we work for.
|
| If apenwarr believes I want to be a good person they should
| hire me at Tailscale. What's that, they won't? They don't have
| openings, or I'm not qualified? I guess _they're_ the bad
| person because now I have to work for a bad company or lose my
| income. And if I lose my income, my co-habitants lose their
| housing, and my donations to good causes dry up. Do I just not
| do _enough_ good for apenwarr? They must be a paragon of
| virtue. Surely they don't eat meat, or even associate with
| meat-eaters. Surely they don't fly in airplanes.
| immibis wrote:
| > Asking if a person or a company is good or bad isn't a
| question that can ever have a well-defined answer: the
| answers we give are rounded according to our own values.
|
| Counterexample:
|
| Was Hitler bad?
| joquarky wrote:
| Due to chaotic effects of causality, most of us would not
| exist if any significant event from that long ago had
| happened differently.
| IncreasePosts wrote:
| That really depends if you ask a neo nazi or not.
| digging wrote:
| If the answer is yes, does that mean a junior web dev who
| implements user tracking on a shopping portal is equivalent
| to Hitler? Or is everyone who does less evil than Hitler "not
| a bad person"?
|
| I don't think it's _useful_ to say "Hitler was bad."
| Hitler did a lot of specific evil acts that are more useful
| to analyze. If anything, it's counterproductive to say
| "Hitler was bad," because lots of people do bad things and
| then say "well, at least I'm not Hitler."
| pompino wrote:
| Good/Bad are consensus votes. It's hard to escape their use
| just because of how deeply ingrained the programming is. We
| just think it makes "sense" and is "obvious" because it's a
| meme that is already in our head. There is nothing
| inherently evil or good about any past/present/future
| animal on this planet.
| __MatrixMan__ wrote:
| It doesn't need a well defined evaluation scheme. You're the
| one asking the question, you can provide your own scheme, and
| come up with your own answer. Whether you're honest with
| yourself in this process is up to you.
|
| It's still useful to point out that IF you think your company
| is bad THEN you should do something about that. It
| establishes that "I was just following orders that I know are
| wrong" isn't a valid excuse (e.g. like if you end up in court
| for something you did on the job).
| __MatrixMan__ wrote:
| I think we should make an exception for saboteurs.
| hinkley wrote:
| And whistle blowers. And double agents.
| sethammons wrote:
| Does this extend to where you live and pay taxes?
| irjustin wrote:
| I agree with the bad implement but the opening complaining that
| "old way of printable tickets was great why change it" have so
| many problems.
|
| Scalpers are the problem that you have to accept. At the time of
| purchase, there's no way to tell the difference between a legit
| purchaser and a scalper or even someone who bought it and simply
| can't go and needs to resell.
|
| IDs, ticket limiters, CCs, etc, etc. All methods can be
| circumvented by someone dedicated enough. You can only make it
| "not scalable" but the tickets still need to be transferable,
| securely.
|
| Unless we're willing to go ID checking at the gate, there's not
| going to be a true solution.
| Y_Y wrote:
| That's because there isn't a difference between a "legit
| purchaser" and a scalper except their intentions, which you
| can't get from any kind of barcode.
| jjmarr wrote:
| Buying something at a low price and selling it at a high price
| is arbitrage 101 and is free money.
|
| The "true solution" is to sell tickets at their actual market
| price instead of pretending that the face value of concert
| tickets isn't increasing due to a larger population and greater
| demand.
| coldpie wrote:
| > The "true solution" is to sell tickets at their actual
| market price
|
| That is *a* solution but it isn't *the* solution. The fact
| that many smart people are not choosing that solution is an
| indicator that there are some factors to the problem that you
| aren't considering.
| danudey wrote:
| IOW the true solution to scamming is to raise prices so high
| that only the extremely wealthy can afford them, regardless
| of how accessible the actual concert/act/group/promoter wants
| the show to be.
|
| The "real" solution here would be for Ticketmaster (or
| whoever) to actually make a ticket non-transferrable somehow,
| and then allow for tickets to be transferred directly through
| the original website for _at most_ the original ticket price,
| and refund me the money.
|
| For example, if I have a $200 ticket and I can't make it and
| want to sell it, I can post up a link to the original ticket
| seller's website (in this case Ticketmaster) where someone
| else can go buy it, and, if they do, I get a refund of the
| amount they paid. I can say how much I'm willing to accept
| (full price, $150, whatever) and someone can go buy "my"
| ticket, potentially at a loss if I'm willing to accept it.
| Ticketmaster can make money on these tickets by charging a
| non-refundable processing fee or whatever to everyone (the
| original buyer and any subsequent re-buyers). They make a
| tidy profit, everyone gets what they want.
|
| The only complications are
|
| 1. making the tickets non-transferrable but also work offline
| is a difficult technology problem
| 2. Ticketmaster is an unregulated monopoly and thus has no
| incentive to behave in the best interests of the market or
| its customers when they could rake in millions more by
| screwing everyone except the scalpers
| xp84 wrote:
| Can't someone hack your system by selling access to the
| link you mentioned for $500? Thus getting you the refund
| Ticketmaster knows about, and the private payment from the
| desperate buyer. Also, credit card processing fees used to
| be refunded when you refunded a transaction, but now I
| think some processors have now decided to start keeping the
| fees, because why not. Another 3% margin to apply at each
| sale (though that can be included in the transfer fee you
| suggest)
| BobaFloutist wrote:
| >Can't someone hack your system by selling access to the
| link you mentioned for $500?
|
| Not if they index the resales on their website and make
| them searchable.
|
| People could still perform arbitrage by snapping up any
| resales significantly under the original price and
| reselling them at the original price, but at that point
| they're not making that much money and people are paying
| less than the original price, so the impact is just that
| you can't get a discounted resale. Which still sucks, but
| it sucks a lot less.
| its_ethan wrote:
| > Buying something at a low price and selling it at a high
| price is arbitrage 101 and is free money.
|
| A bit of a nit pick, but this isn't "free money" unless you
| have a guarantee that someone will actually buy at the higher
| price. You could buy low, be unable to sell, and end up
| eating the "buy low" cost.
|
| > sell tickets at their actual market price
|
| How do you know what their actual market price is? You have
| to open it up to a market, where supply/demand get to play
| out.
|
| IIRC some ticketing company tried doing something to this
| effect by scaling prices in realtime based on how many people
| were also trying to buy. I believe it was widely criticized
| as unfair/exploitive.
|
| So you're back to square one then, where you have to set some
| price.
| fluoridation wrote:
| I mean, it may very well have been criticized, but how is
| it any less fair than the alternative? As for being
| exploitative, that's kind of the point. The company figures
| for most shows it's leaving money on the table for scalpers
| to take. The other side of it is that if a show bombs the
| ticket prices can be reduced to encourage people to come.
|
| To be honest, it seems overall a better solution.
| tptacek wrote:
| It's only free money if there's no risk, and if there's no
| transaction cost to acquiring at the lower price. If there's
| no risk in buying something low and attempting to sell it
| high, then that thing is mispriced.
| xp84 wrote:
| People will scream (including in this thread) that it's
| "unfair" that 'only the wealthy can afford them then' but
| their beef is with scarcity and thus with reality. It's
| always "unfair" to the 10,001st person who wants to attend
| the concert with 10,000 capacity. Today it's a weird lottery
| with 6 different fan and credit-cardmember presales, which
| each sell out immediately, and the "backstop" at the end
| which is the ability to buy expensive scalped tickets.
|
| There are finite tickets but unbounded demand. A lottery
| means you can slightly adjust the distribution of poor vs
| rich, but in practice today it still advantages those
| comfortable enough to sit around refreshing their computers
| at the right moment, instead of working. And lots of
| opportunists will snap up those tickets you are hoping poor
| people will get, to sell them to the wealthy.
|
| In my opinion for in-demand shows it should just be a Dutch
| auction (all of the highest 10,000 bids win, awarded at some
| fixed cutoff date before the event). If not enough bids are
| received, the concert isn't sold out, so then the rest go on
| sale for the lowest bid.
| miki123211 wrote:
| A dutch auction is really hard because different tickets
| have different prices, different people have different
| requirements about where they want to sit (a committed
| disabled fan may be willing to pay any price, but they
| can't do standing only) and there are many different price
| tiers.
|
| A better idea is an airline-style dynamic pricing system
| that considers different variables, current demand,
| projected demand, type of seat etc. If it looks like the
| show is about to begin and there are still lots of tickets
| left unsold, be like Ryanair and sell them at a massive
| discount. If there are more people on your page than there
| are seats available, make the price go up until that
| changes.
| jjmarr wrote:
| The simplest way of implementing dynamic pricing is a
| resale market, where the price of tickets changes based
| on supply and demand.
| bubblethink wrote:
| The reason they don't do that is to have an organic fan base
| of poor people who drive up the prices for the rich people.
| If you eliminate the poor people, the rich people aren't
| going to take the band forward. They'll move on to whatever
| the next shiny thing is. You need a hardcore fan base of poor
| people to support and grow your valuation.
| compiler-guy wrote:
| Buying a single-use item at any price and then selling it on
| at any price to multiple people is fraud.
|
| Fiddling with the prices does absolutely nothing to fix that
| problem, because it isn't a problem with price, but a problem
| with developing an unduplicatable token.
|
| Ticketmaster is evil, and most resellers are fine, but some
| are evil and that's a problem this at least attempts to
| solve.
| kristjansson wrote:
| The market sets a clearing price for the ticket as commodity
| (i.e. for a single event). However, the iterated game that is
| the spectator-performer relationship, the seller may
| _strongly_ prefer yielding some of their benefit to the buyer
| in exchange for long term EV, positive PR, or just plain old
| goodwill.
|
| The problem is maintaining a mutually-beneficial but
| economically suboptimal equilibria.
| miki123211 wrote:
| As far as I understand, this can't be done due to PR.
|
| "evil scalpers are exploiting this poor artist by charging
| outrageous prices and preventing many fans from going" is a
| far better look than "evil artist is exploiting their poor
| fans by charging outrageous prices and preventing many fans
| from going."
|
| To prevent scalping, you'd need a _massive_ price increase,
| and very few artists are willing to be the first to do this.
| ihumanable wrote:
| It's interesting how the real problem here is that our
| economic system has no way to sell a product at what the
| seller will bear, only what the buyer will bear.
|
| I think this is a fascinating feature, a lot of artists would
| be more than happy to make $X for a show so that their fans
| can come see them. The problem ends up that a free market has
| no mechanism for that, the artist can sell the tickets such
| that they end up with $X but then you get things like
| scalpers who don't want to see the show but do want money and
| act like artificial demand. They know that regardless of what
| the seller wants there are buyers that will pay $X+N and want
| to capture that $N.
|
| The scalper provides no value to the market, but they get $N,
| which seems like a market failure to me. The fans lose $N,
| the artist still only gets $X and they also get reputation
| damage because fans are upset that things cost $X+N.
|
| And that's just the end of it. The artist literally can not
| perform for their fans at a venue for $X even if that's what
| they want, there's just no mechanism in the free market to
| make that function correctly. I find market failures like
| this fascinating because it really shows the limits of how
| "free" markets operate. The only person that isn't free to do
| what they'd like is the producer of the good being sold, they
| literally can't sell it for less than the market will bear.
|
| And I suppose this plays out for every part of the market, if
| I can produce apples and make a profit for $1 a bushel and
| that's plenty of money for me, I don't want any more, tough
| shit. Arbitrage will make sure that people pay more for those
| apples. If people are willing to pay $5 a bushel then someone
| will snap up my cheap apples, mark them up and make a bunch
| of money for doing nothing. Even if I were willing to do all
| the distribution myself, if the person conducting arbitrage
| adds no value to the system (the common argument being that
| they deserve the money for finding cheap apples and
| connecting people that demand apples with a supply of
| apples), it just can't happen. The incentive to make that
| free money means everyone loses, I don't get to give people
| cheap apples, people don't get to enjoy cheap apples,
| everyone is worse off except for the person doing arbitrage.
| orangecat wrote:
| _The scalper provides no value to the market_
|
| The scalper allows the devoted fan who is gladly willing to
| pay $X+N to actually get a ticket rather than having to
| wake up at 6am and repeatedly refresh the site and probably
| still not get one.
|
| _I find market failures like this fascinating because it
| really shows the limits of how "free" markets operate._
|
| How would central planning handle this better? There are
| more people who want to buy a ticket at $X than there are
| seats available; lots of people are going to be unhappy
| regardless of how they get distributed.
| Symbiote wrote:
| > Scalpers are the problem that you have to accept.
|
| Several European countries ban reselling tickets for more than
| the original cost.
| 999900000999 wrote:
| >Software developers are the wizards and shamans of the modern
| age. We ought to use our powers with the austerity and integrity
| such power implies. You're using them to exclude people from
| entertainment events.
|
| I can definitely think of worse things programmers are doing
| aside from making it mildly difficult to see Taylor Swift.
|
| I have personal qualms with working in certain industries because
| of this, but Ticketmaster ultimately provides a luxury. You don't
| need to see a concert, and if you have such an issue with their
| business practices you can do something else with your Friday
| night.
|
| I've actually never had an issue with Ticketmaster. At a point a
| certain other ticket provider just blocked me without any
| explanation, and I had to go down to the box office to buy
| tickets. That sucked, but compared to airlines who do weird things
| like print off tickets without the actual seat number,
| Ticketmaster doesn't bother me too much.
| digging wrote:
| > Ticketmaster ultimately provides a luxury. You don't need to
| see a concert
|
| I don't agree. Entertainment/recreation is a need. Music is an
| important part of the human experience, and seeing it live,
| with other fans, is really valuable to some people. And the
| fact is, the value a person places on the experience is totally
| orthogonal to their ability to use/afford Ticketmaster. And
| it's not just about Taylor Swift - even local shows can be
| difficult to access without quarrelsome online portals. (But
| also, someone being obsessed with Taylor Swift isn't a
| personality flaw.)
| 999900000999 wrote:
| You can find a bar with a band playing. I suggest Kingston
| Mines if you're in the Chicago area.
|
| Ticketmaster doesn't have a monopoly on music. You can
| vote with your wallet.
| ssl-3 wrote:
| "Fed up with high prices and long lines and ticketing
| SNAFUs for big shows with your favorite artists?"
|
| "Clearly, the best answer to this is to forget about all of
| the music you think you like. Just forget all about it."
|
| "Instead, go to the bar and see a band. It doesn't matter
| if you like the music or not; after all, we know that every
| live music performance is exactly the same as any other!"
| 999900000999 wrote:
| Honestly you might even have a better time vs paying for
| seats where you can't even see the act.
|
| https://help.ticketmaster.com/hc/en-us/articles/978498452737....
|
| I go to a lot of concerts. Ticketmaster covers half of
| the shows I go to. They're not that much worse than
| others who also tack on fees amounting to 20% of the
| purchase price.
|
| I'm not opposed to basic regulation, but let's not act
| like Ticketmaster is some uniquely evil company.
| ssl-3 wrote:
| Nope.
|
| I'm going to keep going to see Big Rock Shows because
| that's what I enjoy the most. And I'm going to keep
| getting GA tickets (what seats?), because I am nowhere
| near old enough to stay out of the pit once my pant legs
| start flapping from a grotesquely overbuilt PA.
|
| And in my neck of the woods, bands at bars can't scratch
| that itch.
|
| So that means paying (and complaining about)
| Ticketmaster.
| digging wrote:
| > even local shows can be difficult to access without
| quarrelsome online portals
|
| Not all of them, but online ticket is a convenience and
| then a trap. It isn't going to be outcompeted by me "voting
| with my wallet." That just betrays an ignorance of
| situation.
| mightyham wrote:
| I agree that experiencing music is a fundamental part of
| human life, but experiencing specific musicians at specific
| venues is not. It is very easy to find free live music
| without Ticketmaster or online portals.
| digging wrote:
| > It is very easy to find free live music without
| Ticketmaster or online portals.
|
| Oh okay, nevermind then. Heck, I just found some under my
| couch. How does Ticketmaster even make any money?!
| HillRat wrote:
| You're not considering the stagehands and artists who have to
| live under Live Nation's vertical monopoly. I was chatting with
| a former tour guy the other day, someone who's been a tech for
| major touring bands since the '80s, and he mentioned that he
| had to quit the business because Live Nation had driven wages
| down below poverty level while bringing in random unskilled
| labor to do highly-technical stage setups. (He quit after
| almost losing a hand to a large piece of unsecured stage
| equipment.) The enshittification of modern life is an
| inconvenience to most of us, but life and livelihood to many
| others.
| RScholar wrote:
| > Software developers are the wizards and shamans of the modern
| age. We ought to use our powers with the austerity and integrity
| such power implies.
|
| This is one of the most powerful truths underlying the world we
| currently inhabit. The sooner we can agree to behave accordingly,
| the better our prospects for ripping the reins of society from
| the hands of those whose only animating principles are avarice
| and exploitation.
| mym1990 wrote:
| This is not only a truth of the world we currently inhabit, it
| has always been a truth, of all the worlds we have inhabited.
| Power and greed go hand in hand for a reason and the struggle
| to find the balance is, and will always be present.
| joelfried wrote:
| It was not true of this world 150 years ago that any person
| with sufficient learning could tap buttons to create an
| experience to be found in the hand of the majority of living
| humans.
|
| I agree power and greed go hand in hand - absolute power
| corrupts, absolutely - but this bit? This is new.
| toomuchtodo wrote:
| https://www.amazon.com/New-Kingmakers-Developers-Conquered-W...
| ("The New Kingmakers: How Developers Conquered the World")
|
| https://web.archive.org/web/20200915000000*/https://try.newr...
| [pdf]
| dylan604 wrote:
| The fact we have had less than benevolent wizards and shamans,
| why would we expect to have modern day equivalent of only
| benevolent coders? It's such a fairy tale level of expectation
| that it seems childish. Spending any energy in trying to make
| real world a fairy tale is just wasted.
| GenerocUsername wrote:
| It's okay to shame bad actors.
|
| In fact, society would likely be better off if we brought back
| more public shaming
| sudobash1 wrote:
| I think that this is predicated upon a reasonably well
| informed and educated public. And my estimation is that the
| general populace is not informed enough on cryptography to
| be in a position to shame Ticketmaster engineers.
|
| Also, my impression is that there is already copious
| amounts of public shaming. Some social media sites seem
| largely devoted to that. And unfortunately, I don't think
| most people fully deserve the verdict that they get in the
| court of public opinion.
| ants_everywhere wrote:
| This is certainly not true. Can you name an existing or
| historical shame-based society that you would actually want
| to live in?
| mattmaroon wrote:
| We wouldn't. You might expect that on an individual level.
| But at a society level, I would expect any company that's
| doing things that are specifically allowed by our government
| (who did approve the Ticketmaster Live Nation Merger) to get
| their jobs filled just like any other. I think Ticketmaster
| is evil, another developer might not. That's fine, they're
| not killing people or dumping toxic chemicals into
| reservoirs, we can agree to disagree.
|
| My outrage is directed entirely at the government agencies
| whose job it was to stop this, not the developers making a
| ticketing app.
| ryandrake wrote:
| Ultimately developers type the code in and hit "deploy."
| They have to share at least a fraction of the blame and
| accept at least a fraction of the outrage. Without them,
| the product wouldn't exist.
|
| There's a lot of blame to be spread around though. The
| developers themselves, their management chain all the way
| up to the decision makers, shareholders that demand ever
| increasing profits, governments who provide the legal
| framework and allow these huge, destructive companies.
| Everyone should get their share of the blame.
| dylan604 wrote:
| It's nice to think that might be true, but there are
| always plenty more devs willing to work on anything for a
| paycheck than there are devs with strict morals. There's
| a lot of egos, but at the end of the day, no matter who
| you are, you are _not_ irreplaceable.
| mattmaroon wrote:
| I still don't blame the developers, I blame government. It's
| not the job of rank and file workers to police companies. I
| wouldn't work for LN, but I'm not going to blame someone else
| for doing so. We've all gotta feed our families. (I realize
| there's a line somewhere, you wouldn't excuse a prison guard at
| Auschwitz the same way, but I can't get too worked up about a
| developer making a ticketing app even if I hate the ticketing
| company.)
|
| Developed countries long ago came to the conclusion that
| companies should not be allowed to have monopolies because it
| is bad for society as a whole, and it's hard to think of a
| current monopoly as egregious as this one. There is absolutely
| no reason one company should have exclusive rights to 85% of
| large venues, also be an event promoter, and also be the ticket
| seller.
|
| Anything their developers do is not the real issue, a society
| that allows this to happen in the first place is.
| ilrwbwrkhv wrote:
| I mean would you say that developers who work for Facebook
| have crossed that line?
| photonbeam wrote:
| Depends on when they joined
| mattmaroon wrote:
| No. Not even close.
| NavinF wrote:
| ...by doing what? FB is one of the largest employers of
| people on this site. If you ran a poll, I'd expect the
| majority to answer "no" to your question. Of the people who
| answered "yes", I bet the majority would still accept an
| offer from FB if it was just 20k more than the next best
| offer.
| ilrwbwrkhv wrote:
| One small example: In 2012 Facebook emotionally
| manipulated people in the name of science without
| anybody's consent by controlling positive / negative
| posts on their news feed.
|
| Right? Wrong? Discuss.
| NavinF wrote:
| https://xkcd.com/1390/
|
| I don't see the issue. Every social media site does this,
| FB was just naive enough to share their research
| ilrwbwrkhv wrote:
| And this just proved my point. During the Nazi regime,
| everyone was hating the jews. And everyone was doing
| fascism.
|
| Now to bring this to a close, people like you, who will
| jump companies for 20_000 and have lost the ability to
| see a clear ethical violation will be holding the guns
| and guarding the gas chambers when the next Hitler comes
| along. Meditate on this.
|
| Also this XKCD is dumb. Previously the feed was
| chronological post of friends which was definitely more
| ethical. But of course that didn't make people addicted
| enough.
| mattmaroon wrote:
| If that proved your point, you didn't have a point. If
| you can't see the difference between genocide and lack of
| informed consent on a social network algorithm experiment
| you can't be helped.
|
| I'm all for moral relativism, but there's no future in
| which Facebook's current actions aren't at least
| reasonably debatable, and no past in which Auschwitz was.
|
| If you wanted an example of where the line gets blurry
| (it does sometimes, just not in either of these) I'd go
| with pharmaceuticals.
| immibis wrote:
| One thing I have learned from the internet is that if you
| mention the Nazis or the Jews, you lose, good day sir,
| even if you are right.
|
| People are illogical.
| mattmaroon wrote:
| Yeah I was only trying to give an extreme example of
| someone being unethical working an immoral job,
| contrasting that with, say, working for Ticketmaster,
| which, as much as I despise them, is hard to equate with
| the Holocaust, given that one killed millions of
| civilians and one just costs me a little money. I should
| have known better.
|
| They seem very different to me and anymore, I almost
| think that's a valid test of the reasonable person
| standard.
| gowld wrote:
| Did you get informed consent from me regarding the
| methods by which you constructed your comment? Or are you
| manipulating my emotions unethically?
| NavinF wrote:
| > people like you, who will jump companies for 20_000
|
| ???
|
| I said I don't find A/B tests unethical. Literally every
| tech company runs A/B tests just like that one. Why would
| I ask for 20k more?
|
| > Previously the feed was chronological post of friends
|
| Yeah, before they measured the impact of a good
| recommendation algorithm.
| mattmaroon wrote:
| And back when you could log into Facebook and see a feed
| of all of your friends' posts quickly. Facebook
| eventually got to the point where for most people the
| feed would have been much longer than the time they
| wanted to spend on site, and so showing them just the
| most recent few is somewhat random. Much better for
| engagement to show them posts they like.
| pfisherman wrote:
| The issue is the lack of informed consent. This is pretty
| basic ethical conduct of research stuff.
| Jensson wrote:
| I have never seen a social media site ask for consent for
| A/B testing their new things. Everyone does this, I am
| pretty sure even the big news sites that wrote those
| headlines also do this without asking. The only thing
| Facebook did differently was calling it research rather
| than A/B testing.
| sethammons wrote:
| I can't put any facebook developer in the same bucket as
| a guard at a concentration camp.
| gowld wrote:
| Because a concentration camp guard would be jailed or
| killed for refusing service, but a FB dev would lose a
| few $thousand in opportunity?
| toolz wrote:
| Working at a faang level company is associated with a
| large enough increase in income that it could support a
| handful of families in developing countries. I don't know
| what purpose it serves to downplay just how substantial
| that amount of money is.
| pfisherman wrote:
| Textbook case of unethical conduct of research. The key
| here is lack of informed consent by the study
| participants.
|
| The APA put out a press release about how this study violated
| their code of ethics.
|
| https://www.apa.org/news/press/releases/2014/06/informed-con...
| bentcorner wrote:
| I think that was wrong. At the same time, drawing lines
| of good/bad at the boundaries of the people working at
| facebook is, imo, not useful.
| reddalo wrote:
| > I still don't blame the developers, I blame government.
|
| Yes, but I think they still have some responsibility, even if
| they say "I was just following orders!" [1]
|
| [1] https://en.wikipedia.org/wiki/Superior_orders
| toolz wrote:
| Everyone bears some responsibility if you've ever
| interacted with any entity that profits off of TM or helps
| TM make profit. I don't find it's particularly useful to
| spend any thought on what people with minuscule
| responsibility should do differently. It's just bike-
| shedding when there are important problems to solve.
| vjerancrnjak wrote:
| Even government software has issues (Vienna). I paid a
| EUR100+ fine for not having a ticket, even though I spent
| time going through the purchase flow. I have 100s of tickets
| purchased. Live agent and support agent just shrugged and
| told me I don't know how to use the app, washed their hands
| of any responsibility or need for understanding.
|
| It's like there's no way to make the software human and
| humans in the loop have a crutch to lean on to not behave as
| a human. When I contacted the dev team directly, they
| shrugged too. No refund.
|
| To me it feels like software is the place where society can
| just exercise its cruelty and indifference, or maybe it is a
| reflection of society, it's probably just like humans are.
| What we think software should behave like is not human.
|
| I had more pleasant experiences with London/UK train ticket
| edge cases and felt like the system is built to deal with
| user/server errors.
| dzhiurgis wrote:
| That's just reflection of your culture. I.e. I come from
| Eastern Europe where cheating is so engrained and "i made
| an oopsie" would never fly. Bureaucracy is face to face and
| takes ages.
|
| Now living in NZ I get tons of slack for something like
| "verify you're local for free museum entry" or "get your
| passport by post". Life is so much easier when societal
| trust is high.
| ryandrake wrote:
| "Developers are blameless" is a uniquely HN take, for obvious
| site demographic reasons.
|
| I see a worthwhile product as a stool with at least three
| legs: Technical feasibility, business viability, and ethical
| acceptability. Take one leg away and the stool should fail.
| Yet, HN commenters endlessly discuss/debate the first two and
| largely ignore the third. I think we all have a duty to work
| on projects that are ethically sound (defining that is a
| whole other discussion). There are plenty of companies out
| there and plenty of products to work on--it's not like we
| have to pick an evil one in order to survive and "feed our
| families."
| jgeada wrote:
| Yeah, but only one of those legs controls the money. At
| least in the US, no money means no food, no shelter, no
| healthcare, etc, so it is not a viable choice for most. So
| rightfully most of the blame should be assigned to those
| that control the money: management and executives. Rarely
| hear of required ethics guidelines and handwringing about
| ethics from the MBA types.
|
| I'll accept a share of developer blame in places with
| strong unions and the ability for workers to strike.
| mattmaroon wrote:
| And the developer job market has changed. We can act like
| everyone can just go get a job that pays well somewhere
| else, but I've got friends who are very senior developers
| who've been laid off and had a hard time finding a good
| job in recent years.
|
| The market isn't what it once was and while overall still
| good, we do all have bills to pay.
| ryandrake wrote:
| I guess I'd turn it around and ask those developers: Are
| there any projects you _wouldn't_ do, no matter how much
| you needed the money, because you found them ethically
| unacceptable? If the answer is yes, then they actually
| agree with me, and we're maybe just discussing where the
| evilness threshold line should be drawn. I don't know
| many actual people who would say "No, I would willingly
| work on absolutely any project, no matter how harmful or
| depraved it is, as long as I get paid," but then again
| maybe I don't know enough truly desperate people.
| mattmaroon wrote:
| Sure, but the issue is, someone might not think
| Ticketmaster is evil. And I'd argue the things they do that
| should at least be illegal (in my view) have nothing to do
| with developers.
|
| Take away their exclusive rights (on both sides of the
| business) to 80+% of large live music venues and they're
| just another ticket platform.
| efitz wrote:
| There should be more choices rather than "find another
| company". The problem is that it is an economically valid
| argument to say "if I don't, someone else will".
|
| I believe that professions should have codes of ethics, and
| people should be expected to adhere to those codes of
| ethics. Right now there is no licensing or apprenticeship
| or registration associated with the profession of "software
| developer". There are some organizations that issue
| professional certifications in adjacent areas (MCSE, CISSP,
| etc.) that have codes of ethics associated with them, but I
| rarely see disciplinary action associated with them, and in
| any case employability is not linked to these
| certifications.
|
| Conversely, lawyers have bar associations that evaluate
| complaints and can withdraw permission to practice.
|
| Doctors have the Hippocratic Oath, but I'm not sure that
| it's enforced for medical licensure. However doctors do
| have medical licensing boards and licenses can be revoked.
|
| Pilots have revocable licenses but I'm not sure they have a
| code of ethics.
|
| Civil engineers have codes of ethics and licensure, but
| licensure revocation appears associated with legal
| malpractice, not ethical malpractice.
|
| In any case, there are societal mechanisms that could be
| used to associate codes of ethics with software developers,
| if we as a profession and a society chose to, which I'm not
| optimistic will happen.
| PUSH_AX wrote:
| It's interesting, the more we agree and hold strong, the higher
| the demand grows for engineers who would help some companies
| create their hellscape. The incentive will grow higher and
| higher until people break rank. And you start over.
| fmbb wrote:
| I don't think it's a truth.
|
| Shamans and wizards (never heard this used to describe anyone
| in history but let's assume it's just any kind of supposed
| magic user) were people at the top tier of their societies in
| terms of political power. Not kings or chieftains, but above
| everyone else.
|
| Programmers are just making a living selling their labor power
| like every other office drone in the world. We're one of the
| most common lines of work out there.
|
| If you want the mysticism angle, we are like those kids they
| used to catch "witches".
| namaria wrote:
| Are there any documented examples of societies where
| "magics", "shamans" or "wizards" were at the top of the
| hierarchy? I gotta say, I'm an avid reader of Ancient History
| and Anthropology and the closest I can think of is the
| Priest-Kings of Sumeria and your garden variety theocracy and
| the latter is much more of a priestly bureaucracy than
| anything else...
| dgb23 wrote:
| Perhaps not at the top in terms of day to day decision
| making and wealth, but the first that came to mind would be
| celtic druids and bards.
| pseudo0 wrote:
| Yeah, we are more like masons. We have useful skills that
| enable building impressive things, but at the end of the day
| we are building someone else's cathedral.
| sethammons wrote:
| I think you don't know what you think you know. My mom is a
| shaman type. These types often live at the outskirts of
| society where no well-to-do person would like to be seen.
| Zero political power but enough utility to keep at an arm's
| distance -- further if possible while not needed.
| rangerelf wrote:
| > Shamans and wizards (never heard this used to describe
| anyone in history but let's assume it's just any kind of
| supposed magic user) were people at the top tier of their
| societies in terms of political power. Not kings or
| chieftains, but above everyone else.
|
| I don't know where you came by such a notion; Shamans,
| "Wizards", witches, "wise women/men", are usually shunned
| from society such that they tend to live near the outskirts
| of towns or cities, nobody really wants to live close to
| them; and when "bad things happen" tend to be the first ones
| to get blamed for it; then they also are commonly used as
| scapegoats for whatever political, economic or religious
| effort some corrupt officials try to push.
|
| That doesn't sound very societal top-tier to me.
|
| We're definitely not witches or wizards, at most we are
| scholars or [specialized] craftsmen. "Knowledge workers" if
| you will. Not as unlikable as the wise folk that live towards
| the edge of town, and not as at risk of getting tied to a
| post and lit on fire because the bishop believes we commune
| with unclean spirits.
| TeMPOraL wrote:
| > _and not as at risk of getting tied to a post and lit on
| fire because the bishop believes we commune with unclean
| spirits_
|
| We're on our way to get there, though, with that "can't
| solve social problems with technology" infectious meme, and
| the other one that makes the public blame programmers for
| socially-problematic tech, while ignoring or praising the
| business people who imagined, commissioned, and decided to
| deploy those technologies.
| butlike wrote:
| Perhaps they were referring to a time when nomadic people
| started settling into "villages," before organized religion
| solidified?
| ballenf wrote:
| Agreed. We're the blacksmiths making armor and swords and
| horseshoes.
| lowdownbutter wrote:
| "In effect, we conjure the spirits of the computer with our
| spells"
|
| t. Introduction of SICP
| yread wrote:
| I personally think we are more like "plumbers but with JSON". I
| have principles and apply them but I don't expect the others to
| do that
| gowld wrote:
| architect+builder+plumber.
|
| The suits at TM couldn't build the app+backend, even if they
| could hire someone to maintain and replace parts of it.
| TheCraiggers wrote:
| Programmers being analogous to wizards or martial artists made
| more sense back when one used to need to train years or decades
| to become one.
|
| With age comes wisdom.
|
| There has been a lot of good that came from making coding more
| accessible; I'm not trying to gatekeep. But I do think that
| this is one instance where the outcome is worse. The martial
| arts masters still unquestionably exist among us. It's just
| that they're now surrounded by younger, less-wise people with
| guns. Both types can fight an army, but only one has the wisdom
| to know when it's better not to.
| ilrwbwrkhv wrote:
| Yes I think there is truth to this. Something I have seen
| lately with Rust for example, is because the language is
| harder to learn, the discourse, tutorials, libraries are all
| much higher quality.
| leptons wrote:
| >Programmers being analogous to wizards or martial artists
| made more sense back when one used to need to train years or
| decades to become one.
|
| You can be a shitty wizard with only one year of training,
| same goes for programmers.
| akira2501 wrote:
| > The sooner we can agree to behave accordingly
|
| People don't code out of a sense of duty, they do so to earn
| money, so there is no mechanism to enforce "behavior."
|
| > our prospects for ripping the reins of society
|
| There are too many industries that take the mantle of improving
| society on their back. This is a mistake. There is no natural
| representative mechanism that ensures your actions are aligned
| to required outcomes.
|
| This should probably be left to congress. If you're concerned
| that they won't do it then that should immediately suggest the
| appropriate course of action to you.
|
| > of those whose only animating principles are avarice and
| exploitation.
|
| Short term thinking cannot lead to long term rewards without
| abject manipulation of the marketplace.
| survirtual wrote:
| Congress is useless, along with the rest of the planetary
| corporate-fascist oligarch facsimiles of democracy.
|
| If software engineers united behind true ideals of freedom,
| we could automate the entire stack of "leadership" and raise
| the floor of society.
|
| Open source implementations of:
|
| Universal cryptographic identification
|
| Decentralized voluntary anonymous voting, verifiable by every
| voter
|
| Sovereign algorithmic monetary policy
|
| Liquid representation
|
| Complete digitization of all necessary information to audit
| any authorities, at any time
|
| Full release of privacy for any "public official" -- service
| to society should be a burden, not a privilege
|
| This, and much, much more can ALL be done with software. An
| entirely new paradigm of society, with freedom unalienably
| encoded into the fabric of the social machine.
|
| Our rights digitized, our privacy, speech, and pursuit of
| happiness made into software.
|
| I would say software may have an impact, and the thinking of
| this impact extends far beyond the next quarter of profits.
| This mindset can extend into a multi-planetary society and
| beyond. A continuously evolving, open source mechanism of
| human governance.
| akira2501 wrote:
| > If software engineers united behind true ideals of
| freedom
|
| You'd have better luck trying to remove jealousy from the
| human heart. If you can suggest a mechanism for actually
| making this happen, enforcing it in the face of economic
| incentives, and measuring its actual impact then I'll take
| the ride with you. Until then it is an absolute fool's
| errand.
|
| > we could automate the entire stack of "leadership" and
| raise the floor of society.
|
| Autonomous societies have been tried before. They have no
| mechanism to correctly align their long term objectives so
| none of them have ever lasted. Planning to build another
| one based on nothing other than assumption is flawed.
|
| > with freedom unalienably encoded into the fabric of the
| social machine.
|
| Guns exist. The social machine is secondary to force. You
| have no plan for this.
|
| > This mindset can extend into a multi-planetary society
| and beyond.
|
| Older people sell younger people pure unadulterated
| fantasies in order to extract cheap labor from them.
| survirtual wrote:
| > If you can suggest a mechanism for actually making this
| happen, enforcing it in the face of economic incentives,
| and measuring its actual impact then I'll take the ride
| with you.
|
| :)
| koromak wrote:
| This is a wild take. Software developers do the dirty work.
| We're one step below wall street.
| anamax wrote:
| Ah yes, The Roads Must Roll.
|
| It's worth remembering that folks who can be bought, can be
| bought off and spend a lot of time enjoying their riches while
| true believers are somewhat more difficult to convince and
| don't take any time off.
|
| That's important because all of the big evils have been
| perpetrated by true believers in pursuit of their "one true
| way." (Yes, some large evils have been perpetrated by folks
| chasing money. I'm talking about things like wholesale
| slaughter of as many people as they could lay their hands on.)
| kccqzy wrote:
| I cannot agree more. And this is exactly why the old Google
| motto of "don't be evil" was so important. And the decline of
| Google is highly correlated with the removal of this motto from
| its culture.
|
| I sincerely hope all tech companies can take a page from old
| Google and truly instill an innate rejection of evil among all
| software engineers.
| marcodiego wrote:
| > I now know everything I would need to duplicate TicketMaster's
| barcodes
|
| Until they change their encoding.
|
| Requiring the installation of a proprietary app to do anything
| should be forbidden.
| james2doyle wrote:
| Fantastic article. Really easy to understand.
|
| Side note: this is actually a great advertisement for server side
| rendering! If they didn't do all this client side rendering,
| exposing data in JSON APIs, then I doubt this reverse engineering
| would have been possible.
| shaftway wrote:
| Except then I'd need to have a good data connection at the
| venue, and the odds of that are infinitesimally small.
| james2doyle wrote:
| I see what you mean. The barcode wouldn't work offline.
|
| It seems like that didn't matter at the venue though? The
| spotty internet connection not allowing the code to load was
| the first part of the article wasn't it?
| superfrank wrote:
| > I remember a time when printable tickets were ubiquitous. One
| could print off tickets after buying them online or even (gasp)
| in-person, and bring these paper tickets to get entry into the
| event when you arrive
|
| I go to 1-2 concerts a month so I'm well aware of how scummy TM
| is, but the problem with PDF tickets is that people sell fakes or
| sell the same ticket multiple times. I know multiple people
| who've been scammed this way. I get not wanting to use your phone
| for everything, but the changing barcode isn't just technology
| for the sake of technology, it's actually there to solve a
| problem.
|
| > PDF tickets work even if your phone loses internet connection
|
| So do the digital barcodes if you add them to your phone's wallet.
|
| TM even sends you an email before every event that says:
|
| >> If you haven't already, download the Ticketmaster app or sign
| into your Ticketmaster account via mobile web. From My Events,
| tap view then add tickets to your phone's wallet for easy access
| at entry.
|
| TM's help page for the Mobile Entry tickets also says
| (https://help.ticketmaster.com/hc/en-us/articles/978659778561...)
|
| >> We encourage you to download your tickets to your digital
| wallet before you leave for your event. This ensures that you can
| always access your tickets.
|
| > If you bought the ticket off the event's official ticketing
| agency (not a sketchy reseller), you know for sure that they're
| real.
|
| The problem is that that isn't how the real world works. Ignoring
| the massive scalping problem currently happening (that TM is
| complicit in) sometimes plans change or people learn about events
| after the initial sale. Personally, any time I have to buy or
| sell through a reseller, I use StubHub, but I know plenty of
| people who don't want to use them as they charge high fees and
| they aren't much better than TM from a moral standpoint.
|
| Also, I get the impression that if TM locked all tickets so that
| they could only be resold on TM, the author of this article would
| have a problem with that.
| crazygringo wrote:
| Exactly all of this.
|
| I found the article really interesting from a tech perspective.
|
| And I have no love for TicketMaster, but the migration from
| paper/PDF tickets to scannable changing QR codes is inevitable,
| precisely to combat scammers.
|
| TicketMaster does a lot of bad things, but this doesn't seem to
| be one of them. And learning to download the digital tickets in
| advance -- either to the app or your Apple wallet -- is just a
| thing you learn to do, the same way you learn to download a
| bunch of podcasts before your airline flight that charges for
| (or doesn't have) WiFi. (And if your ticket was a PDF, you'd
| similarly be stuck if you couldn't get internet at the venue
| and hadn't downloaded it in advance.)
| somerandomqaguy wrote:
| >So do the digital barcodes if you add them to your phone's
| wallet.
|
| ??? Last I heard, adding the barcode to the phone's wallet
| did not work, or at least not reliably. Some older folks I know
| struggled with it, and I specifically helped set up the
| Ticketmaster app and download the barcode. They mentioned that the
| app eventually logged them off when they got on site and had to
| struggle with poor wifi. Eventually got it to work but IIRC it
| took several minutes before they had a stable enough connection
| for it.
|
| Does it need an actual Google/Apple wallet or something
| set up?
| ssl-3 wrote:
| Yes, "phone's wallet" actually means Google Wallet or Apple
| Wallet.
|
| Stuff I add there works for me instantly every time, even
| with crowded venues and zero connectivity -- as long as I get
| it ready in advance.
|
| (Not that I am defending this. I'd rather carry a paper
| ticket, since paper is more durable and far less complex than
| a phone is.)
| 725686 wrote:
| A few months ago I went to Las Vegas to watch U2 at the Sphere.
| When I learned that I needed to open the app or website in order
| to get in I panicked in fear of the shitty internet that is
| common in massive events, so I opened my tickets since I left the
| hotel. Unless this stuff works completely offline, it is a
| terrible idea.
| dylan604 wrote:
| There's no way that I trust the developers of a company like
| Ticketmaster to install their app on my device.
| NavinF wrote:
| You don't trust your OS to sandbox it? With a threat model
| like that, I wouldn't use any apps other than the browser
| immibis wrote:
| Maybe you are using a fully open phone, but mine has an OS
| made by Google and almost every app tracks my location
| without my consent.
| nahikoa wrote:
| For the past 9 years, Android has allowed users to
| disable location permission per app. More recently, you
| can choose to share "noisy" location, which just provides
| an approximation of your location.
| pompino wrote:
| Google will never stop spying themselves but will give
| you the ability to stop their competitors from spying on
| you. Heh..
| NavinF wrote:
| I'm an app dev. How exactly would I track your location
| without your consent?
| dylan604 wrote:
| From the AppStore:
|
| Data Linked To You:
|
| Purchases, Location, Search History, Usage Data, Financial
| Info, Contact Info, Identifiers, Sensitive Info.
|
| Nope Nope Nope.
| NavinF wrote:
| That explains nothing. I'm pretty sure it's talking about
| info that you type into form fields in the app. Same
| reason FB "links" your health info even though it has no
| access to the health info stored by your OS.
|
| The same applies if you use their website. It'll still
| ask for that info with a web form.
| dylan604 wrote:
| > Same reason FB
|
| ...is not installed on any of my devices
| jimbobthrowawy wrote:
| If anyone is in the situation that they need to put an
| untrustworthy app on their android device, the "work
| profile" feature can segment it off further.
|
| Insular is an app that lets you create and manage one of
| these profiles on the device itself:
| https://gitlab.com/secure-system/Insular
| _puk wrote:
| I mean, that horse has already bolted..
|
| https://www.nytimes.com/2024/05/31/business/ticketmaster-
| hac...
| jen20 wrote:
| What is the worst that can happen? I have it installed on my
| iPhone and deny whatever permissions it asks for.
|
| I have enough confidence in the sandbox that "installing an
| app" is basically never an issue (though I don't out of the
| principle that most things companies have apps for just
| shouldn't be apps).
| dylan604 wrote:
| > What is the worst that can happen?
|
| I don't know the worst, but juice is not worth the squeeze
| in my opinion. If you recall, Ticketmaster was just
| recently hacked, so the worst pretty much happened in that
| any data they had collected on their users has potentially
| been leaked. So if they can't protect that data, then I'm
| not participating in giving them data.
| xp84 wrote:
| Sure, but the data you give them is pretty much a
| condition of attending their shows, not whether you use
| their app, Chrome, or a PC in the library to buy the
| ticket. Regardless, they will get some contact and basic
| financial info for you unless you avoid all their
| concerts (which is certainly a principled and defensible
| choice!)
| swozey wrote:
| I used to work for a mobile event app company that made a lot of
| the big festival/conference apps. Everything was built to
| function locally from a sqlite file on your phone that was
| constantly updated _when_ you did have coverage.
|
| It was 100% expected that you would have no cell signal the
| entire event and we built in as many mitigations as we could
| think of.
|
| This was 2013ish, I think there are a lot more mesh network
| devices that can relay signal nowadays but I'm not involved
| anymore in that stuff.
|
| It was the best on-call I've ever had because.. nobody had cell
| signal while the event was on to complain about something.
|
| This person complains that people didn't have network access on
| their phones when they were at the gate. I can only assume that
| they waited till they were at the gate to install/use the app
| so it never got its offline data.
|
| _Always_ open your event apps before getting to the event.
| Sometimes they're completely bare bones and have to reach out
| and pull that app's specific database so it's sure you have the
| latest. Most of the event apps are a template that is modified
| for each event and just has different assets/sqlite.
| tptacek wrote:
| As the article notes, this ticket system does in fact work
| offline.
| mattmaroon wrote:
| Well, as it also notes, it works offline if you remember to
| open the ticket before you get there, and they don't (or at
| least didn't used to) give you sufficient warning. I found
| out that's how it works the hard way when it was new by
| having to walk a half mile back from the venue to get service
| to load the tickets.
|
| There's also the chance the ticketmaster app won't work
| properly later even if you did do it. I've had other apps
| shit the bed for no apparent reason in offline mode before. I
| add them to my wallet now just in case.
| tptacek wrote:
| Sure, I'm just reacting because TOTP is like the textbook
| example of a system designed to work without interactive
| access to a networked resource. The whole as TM designed it
| has crappy affordances, but you could fix that without
| breaking the design.
| mattmaroon wrote:
| Ah, yeah. I'm just hoping the justice dept breaks them up
| and ticket sales move to something like the airline
| model.
| donalhunt wrote:
| Recent experience for a large stadium event suggests they
| have fixed the notifications. I got a lot of notifications
| encouraging me to a) charge my phone and b) download the
| ticket before arrival.
| mattmaroon wrote:
| Yes, they have learned. As much as I hate them they are
| mostly a well-run company.
| 725686 wrote:
| Please notice the "completely" in my comment.
| mattmaroon wrote:
| Off topic (though the post does go into it a bit): Ticketmaster's
| current form is entirely due to a failure of government. Decades
| from now, case studies will be written on how one company managed
| to have a monopoly on an industry that is so not a natural
| monopoly.
| kls0e wrote:
| super entertaining read! many thanks.
| lakerz16 wrote:
| I hate TM and ridiculous fees as much as anyone, but this article
| is overly hyperbolic.
|
| There's a section named "Pirating Tickets", that just explains
| how to re-create a barcode that you already paid for. You're not
| using this to rob anyone of anything.
|
| And at the end, "Have fun refactoring your ticket verification
| system". Why? There are no vulnerabilities here. A rotating
| barcode (even if following a known pattern) is still more secure
| than a static barcode on a piece of paper.
| CYR1X wrote:
| It's piracy in a way that's analogous to ripping like Netflix
| content. You are breaking away from DRM which is piracy. They
| also cite the potential to have multiple tokens valid per one
| ticket which would let multiple people get in with the same
| ticket.
| lakerz16 wrote:
| I'd argue that a few extra people sneaking in on the same
| ticket (assuming this is even possible) is more like sharing
| your Netflix credentials than ripping Netflix content and
| having it be shareable with the entire world.
|
| You're also walking into a stadium/concert in plain view of
| security cameras, so the stakes and deniability are different
| as well.
| giaour wrote:
| Not a lawyer, but "subverting DRM" (even if it's trivial or
| really stupidly designed) can be a crime in and of itself
| in the US under the DMCA. There are a bunch of exceptions
| to this, so I have no idea if OP's work is actually
| illegal.
| joquarky wrote:
| Security researchers are an exception, but the title of
| "security researcher" is undefined
| Closi wrote:
| I doubt the second bit is true - they will still be marking
| the ticket as used in their backend.
|
| They are just trying to prevent scalpers printing off tickets
| 10 times and selling them outside the venues as a scam, which
| happened at every large concert I have ever been to until
| recently (so I assume this is working!).
| orbillius wrote:
| > they will still be marking the ticket as used in their
| backend.
|
| I assume that's true, but it makes me wonder how their
| scanners are connected to the server.
|
| I mean, if 10,000 people showing up to an event with
| smartphones overwhelms wireless networks, won't that also
| kick their scanners off the network?
|
| They'd probably like to have a system where, if a scanner
| loses its connection, it can still validate tickets. It
| could store a copy of validated tickets locally, and upload
| it when the network connection is restored - that would
| mean a copied ticket would have to make sure they go to a
| different door/scanner. But it would allow copying.
| hunter2_ wrote:
| I have no idea what connectivity options are available in
| current scanners, but it sounds like a viable solution
| could be to use an RF band that customers don't
| overwhelm, similar to wireless microphones perhaps, with
| a little hub situated nearby that consolidates the list
| of already-scanned tickets, possibly standalone or
| possibly on a wired network that includes other far-away
| entrances.
| janalsncm wrote:
| Simplest answer is a private wifi network for the
| scanners.
| dzhiurgis wrote:
| 900 MHz networks like HaLow or even LoRaWAN should do
|
| Even at huge venues I don't expect requests would be over
| 5 rps
| donalhunt wrote:
| You would hope... But they often run the scanners in
| offline mode (e.g. at temporary / seasonal events) so there
| can be lag in the backends being updated.
|
| Heard from a friend who got straight into two events in the
| same city recently - they presumed the show was at one
| outdoor venue but the scanners let them straight in at the
| first (wrong) venue. Went to the correct venue and got in
| there without any issue too (this suggests one or both
| venues were offline or using offline scanners).
| hunter2_ wrote:
| Hm. So I guess at a small venue that has 3 door people
| with offline scanners, you have a 2/3 chance of success
| if you're the second of two people sharing a barcode.
| Combined with the obvious 3/3 success being the first
| person, that averages out to 5/6 chance if both of you
| (oblivious to each other) schedule your arrival
| similarly.
| emeril wrote:
| not really offline but someone who works in industry here
| once detailed out that each scanner has its own copy of
| a SQLite database that is being updated as fast as
| possible based on inserts of other scanners since any
| downtime is a big deal at these venues
|
| i.e., theoretically duplicate tickets would be identified
| but not instantly but still pretty quickly
| CephalopodMD wrote:
| This way you can sell and have the ticket completely off of
| ticketmaster. That is a vulnerability. It lets users do
| something they explicitly don't want to allow.
| lakerz16 wrote:
| Assuming that you can actually do that.
|
| If the seller re-opens the TM app and it generates a new
| token and invalidates the old one, then that's not the case.
| sitkack wrote:
| Vulnerability to LN business practices. Not a system
| vulnerability.
| guhcampos wrote:
| Piracy here just means you can use it to sell your ticket
| without using their platform, which is analogous to just
| sending someone the PDF or handing over the piece of paper as
| always.
|
| While this has the upside of breaking you free from TM's
| obnoxious practices, it also obviously opens up for scalpers
| and all.
| rzr2000 wrote:
| The way this is already being exploited in the wild is that a
| scalper/scammer buys 1 ticket, then resells the same ticket
| multiple times. Multiple people believe they have a valid
| ticket, show up at the event, but only the 1st ticket works.
| The other people who try to use the ticket are turned away
| saying that their ticket has already been used.
| cbsmith wrote:
| > The way this is already being exploited in the wild is that
| a scalper/scammer buys 1 ticket, then resells the same ticket
| multiple times. Multiple people believe they have a valid
| ticket, show up at the event, but only the 1st ticket works.
| The other people who try to use the ticket are turned away
| saying that their ticket has already been used.
|
| That is one of _many_ ways this is already exploited in the
| wild.
| justinclift wrote:
| https://archive.md/hrgE0 /
| http://web.archive.org/web/20240521005653/https://conduition...
| RicoElectrico wrote:
| What's the deal with PDF417? Why did they choose it over QR?
| ssl-3 wrote:
| Perhaps a better question is: Why not PDF417?
|
| What functional improvement would be had by using a 2D QR code?
| chocolatkey wrote:
| One possible reason I can think of is that phone camera apps
| will not proactively read PDF417 barcodes like they will QR
| codes, thus discouraging people from thinking they can scan
| and decode them.
| liendolucas wrote:
| It's baffling that you have to carry a mobile phone to access a
| show. What if you run out of battery? Or if you accidentally
| break the screen just before entering the venue? The more the
| technology evolves the more we find horrible uses for it. People
| should fight back by refraining from purchasing tickets from
| them, I know it's not easy for people to miss their favorite artist
| but until a monopoly is broken there is no other effective way to
| prevent them from doing what they want.
| chuckadams wrote:
| You can still print the ticket on paper. Tho nowadays that
| means a trip to a FedEx store for me, since I refuse to keep
| buying inkjets I only use a couple times a year.
| omega3 wrote:
| Laser printers have solved this - I don't expect to change
| the toner for a decade.
| lnxg33k1 wrote:
| I bought a laser printer, I think something around 19 years
| ago, and it broke before I could finish the toner
| jcranmer wrote:
| > I refuse to keep buying inkjets I only use a couple times a
| year.
|
| Laser printers are the solution, and Brother laser printers
| seem to remain the most highly-regarded.
| davkan wrote:
| Yup, I use my brother laser printer to print probably 20
| pages a year and it's been going strong for 5 years now on
| the cartridge that it came with when I bought it on eBay.
| bonestamp2 wrote:
| Yep, I've bought 3 laser printers over the past 30 years...
| 1 about every 10 years, and not because I needed to...
| because I wanted more features. I've passed the old models
| down to others and they're still running. Toner never dries
| out, heads don't need cleaning. I would never buy another
| inkjet. The only use I can see for inkjet is photo
| printing, and even then I'd rather get them done at CVS or
| walgreens unless it is a special size or printing material
| that they can't handle.
|
| A brother laser can often be had for $100 these days.
| xp84 wrote:
| Another printer lifehack: Goodwill (which has a 'computer'
| store near me, they send all the best tech stuff there)
| sells laser printers of all kinds for like $20-40 and that
| plus a $20 Amazon non-official cartridge will basically
| have you set for life for the occasional print job. Since
| they're heavy, the Goodwill route saves most of the cost
| compared to eBay, though I did get mine on eBay.
|
| I actually recommend HP but Brother is great too. My
| current HP is at least 10 years old, and it's the second
| I've owned. My first was a 2000 vintage which I used from
| 2005-2017. (Its rubber rollers eventually got dried out and
| I wasn't as skilled a refurbisher as I fancied myself)
| 1_1xdev1 wrote:
| No, you actually can't for the tickets the article is talking
| about. This is increasingly common. It's insane
| ReliantGuyZ wrote:
| > Tho nowadays that means a trip to a FedEx store for me
|
| I've really appreciated my local library for allowing 20ish
| pages of printing per day, which has allowed me to limp
| through the no-printer lifestyle. Plus I usually grab a DVD
| movie while I'm there.
|
| Life's good in the mid-2000s.
| bonestamp2 wrote:
| For sure. Additional info... many libraries also let you
| stream movies through kanopy.com, and read/listen to
| e-books through the app Libby.
| philjohn wrote:
| I had to use something like this to get into The Killers gig
| last week at the O2 in London (fantastic gig btw, and Andy Bell
| from Erasure made a special guest appearance to sing A Little
| Respect which was the cherry on top, but I digress).
|
| The WiFi in the O2 was woeful, and even on "The best network"
| EE the app wasn't loading.
|
| Eventually after stepping aside and letting a load of people go
| in front of us I managed to get it to load, but it was a
| dreadful experience.
|
| Contrast that with seeing the Pet Shop Boys last month in
| Birmingham where the ticket was on my phone in Apple Wallet was
| night and day (and you could print the ticket if you didn't
| have an iPhone, or wanted a physical version).
| sandworm101 wrote:
| What I find really interesting is that there are so many scams
| that the rejection of tickets is common enough to go
| unnoticed. Someone testing out their new "F-ticketmaster" ticket
| generation tool is free to test it in the real world. If it
| doesn't work they will simply be turned away at the door like so
| many others who have been scammed. Nobody would notice the test.
|
| But if each ticket is for a particular seat, would ticketmaster
| notice if two people came with tickets for the same seat? I bet
| not. I bet they just trust their ticketing system to be
| foolproof. If anything they might just reject the second ticket
| without any way to know which was authentic.
| LordShredda wrote:
| I can't buy a ticket in my country, because my phone number is
| foreign. Can I use this to have someone buy it for me and
| transfer it to me?
| TeeWEE wrote:
| One thing this article kind of misses: You need that unique
| token... Ok, you can get it in some way.. But ticketmaster should
| keep it private, then, even if you know the algorithm. You still
| can't do a lot without the token......
|
| So he reverse engineered it, but it's still secure: You need the
| token.
| lisper wrote:
| > They can't have robust DRM on their tickets if those tickets
| can still be viewed offline.
|
| Of course they can. All they need is a secret key embedded
| somewhere that the app can access but you can't. It's just a
| happy circumstance that they used a simple protocol in which the
| key is easily extracted. But they could have used a proper PKI
| protocol instead, which would have made it much harder, if not
| impossible, to hack.
| torcete wrote:
| A $COACH_COMPANY in the UK has recently announced that they are
| moving to only app-purchased tickets. Except tickets purchased
| directly from the driver, which is VERY expensive.
|
| Well, F.U. $COACH_COMPANY. I don't want to have to install your
| app for that, but I guess I won't have any other option if I need
| to get to the airport.
| PaulHoule wrote:
| A system like that could work in an entirely disconnected mode
| where the "ticket" device has a cryptographic token whose
| signature can be checked at the door without either side having
| internet access. The weakness of that system is that you can't
| "revoke" or sell tickets. Such revocation would be possible
| though if either the ticket or the validator device is internet
| connected.
|
| I saw the New York Red Bulls play not long ago and had to use
| Ticketmaster's system for the first time. I travel with a tablet,
| not a smartphone, and I was expecting trouble. Turns out the only
| trouble I had was that they didn't want to let me in with a
| tablet but they did when I explained my ticket was on my tablet.
| It did require an internet connection but Red Bull Arena has
| great WiFi so that was no problem.
| hinkley wrote:
| There's a faire this week in Oregon that draws people in from 500
| miles away.
|
| I've been a couple times, and what I've learned that was still
| not common knowledge to faire vendors as recently as last year is
| that T-Mobile brings out a mobile cell tower to support the
| faire, and no other cellular network does.
|
| So if you're trying to accept electronic payments, the whole
| thing tends to fall over and you only get to sell to people who
| brought loads of cash and prioritized hitting your booth first.
| Only the vendors on T-Mobile are able to take purchases for a big
| part of the day, and a few other people who use the rare billing
| system that is fine queuing up Visa transactions until after the
| bulk of people leave. The line for the cash machine sucks up a
| substantial part of your time budget for the faire, meaning you
| probably miss out on some things altogether.
| acureau wrote:
| That's a pretty smart business move by T-Mobile, I didn't know
| mobile cell towers were a thing
| colmmacc wrote:
| It's one thing for customers phones' wifi issues to be a problem,
| but it's an even worse problem if the scanner itself needs
| reliable connectivity. That makes me wonder if there is some kind
| of delegated deterministic derivation step in the secrets too
| (which wouldn't be obvious in this kind of analysis), so that the
| handheld scanners can avoid an on-line dependency.
| Closi wrote:
| They needed reliable connectivity in the previous scenario
| (checking barcodes against a central db) - they just set up a
| local private wifi network for the handsets and all the venue
| devices.
|
| Otherwise I can't see how you would avoid replay attacks.
| colmmacc wrote:
| You can do time-based binding. Many TLS/Quic 0RTT take this
| approach; where the signature is only valid for a second or
| so. It's not as good as a real strike register, but probably
| ok for this kind of environment. Of course the barcodes would
| need to be more dynamic, but that's doable.
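
The time-based binding and strike register that Closi and colmmacc discuss above, shown from the scanner's side as an added Python example; it is not part of the thread and not Ticketmaster's scheme. The HMAC construction, the 15-second step, the per-ticket secrets preloaded on each scanner and every name are assumptions, and the sample tickets are constructed.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 15   # assumed lifetime of one displayed code
ALLOWED_DRIFT = 1   # also accept the neighbouring steps, for clock skew


def time_bound_code(secret: bytes, ticket_id: str, now: float) -> str:
    """Code bound to (ticket, time step); what the holder's device shows."""
    step = int(now // STEP_SECONDS)
    msg = struct.pack(">Q", step) + ticket_id.encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


class DoorScanner:
    """Validator that needs no network: ticket secrets are preloaded."""

    def __init__(self, name: str, ticket_secrets: dict):
        self.name = name
        self.secrets = ticket_secrets
        self.strikes = {}  # local strike register: ticket_id -> (time, scanner)

    def scan(self, ticket_id: str, code: str, now: float) -> str:
        secret = self.secrets.get(ticket_id)
        if secret is None:
            return "unknown-ticket"
        fresh = False
        for drift in range(-ALLOWED_DRIFT, ALLOWED_DRIFT + 1):
            expected = time_bound_code(
                secret, ticket_id, now + drift * STEP_SECONDS)
            # Constant-time comparison, no early exit on a match.
            fresh |= hmac.compare_digest(code.encode(), expected.encode())
        if not fresh:
            # Time binding: an old screenshot or a guessed code fails here.
            return "stale-or-forged"
        if ticket_id in self.strikes:
            # Strike register: a second use at this scanner fails here.
            return "already-admitted"
        self.strikes[ticket_id] = (now, self.name)
        return "admitted"

    def merge(self, other: "DoorScanner") -> list:
        """Pull another scanner's register once connectivity returns.

        Returns ticket ids that both scanners admitted while apart.
        """
        conflicts = []
        for tid, theirs in other.strikes.items():
            mine = self.strikes.get(tid)
            if mine is None:
                self.strikes[tid] = theirs
            elif mine[1] != theirs[1]:
                conflicts.append(tid)
                self.strikes[tid] = min(mine, theirs)  # keep earliest admit
        return sorted(conflicts)


def demo() -> dict:
    # Constructed sample data: two tickets, two gates with no link between them.
    secrets = {"T-1001": b"constructed-secret-1",
               "T-1002": b"constructed-secret-2"}
    gate_a = DoorScanner("gate-a", secrets)
    gate_b = DoorScanner("gate-b", secrets)
    t0 = 1_720_000_005.0  # aligned to a step boundary
    live = time_bound_code(secrets["T-1001"], "T-1001", t0)
    old = time_bound_code(secrets["T-1002"], "T-1002", t0)
    results = {
        "fresh code at A": gate_a.scan("T-1001", live, t0 + 5),
        "same code again at A": gate_a.scan("T-1001", live, t0 + 8),
        "two-minute-old code at B": gate_b.scan("T-1002", old, t0 + 120),
        "same live code at unsynced B": gate_b.scan("T-1001", live, t0 + 6),
        "made-up code at B": gate_b.scan("T-1002", "0" * 16, t0),
    }
    results["conflicts found on sync"] = gate_a.merge(gate_b)
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```

The time window alone stops stale copies; the duplicate admitted at the second gate is only caught when the registers merge, which is the gap a shared, online register closes.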
| dandigangi wrote:
| This was a fun read. I wonder if they reported it to a bug bounty
| program of theirs. Based on his writing how he feels about their
| business I'm going to guess no.
| ec109685 wrote:
| This isn't a vulnerability. It has to work this way if offline
| access is permitted.
| uniq7 wrote:
| > I paid three hundred US dollars for this high-tech experience.
|
| That's a good incentive for companies to keep up with the "high-
| tech experience".
| gspencley wrote:
| > Shame on you for abusing your talent to exclude the
| technologically-disadvantaged.
|
| Very minor nitpick: I don't like the term "technologically
| disadvantaged" here. While it is undoubtedly true that there are
| many people who are without smart phones due to economic reasons,
| or because their battery died or their phone was just stolen ...
| there are also lots of people, myself included, who would CHOOSE
| to forgo a smart phone when attending a concert / event.
|
| My wife and I live in a city with a Caesar's hotel and casino
| within walking distance. When there are shows and concerts we are
| interested in, we don't hesitate to buy tickets. When we go to
| such a show for a date night, we would like to leave our phones
| at home. Some of this might be due to our being middle aged, and
| so we're not glued to our phones 24/7, but it's also just a
| hassle to bring them through security, and to often have to put
| them in those lock bags because they don't want people recording
| etc.
|
| So to us, e-tickets are evil for no other reason than the fact
| that it assumes that we want to have a phone on us and to use it
| as a ticket. I will happily pay the fee for a physical ticket
| whenever available.
| RcouF1uZ4gsC wrote:
| > Software developers are the wizards and shamans of the modern
| age.
|
| No they are not. The big difference is that wizards and shamans
| closely guarded their secrets to keep their position secure,
| while software developers will happily give them away to as many
| people as possible.
|
| This means that software developers as such have close to zero
| leverage.
| ThouYS wrote:
| nice, more of this please. the constant abuse through everything
| digital has to be fought
| gwbas1c wrote:
| > If they had issued me normal, printable PDF tickets I could
| save offline to my phone
|
| Uhm, you can save the tickets to Google Wallet.
| limaoscarjuliet wrote:
| I got tickets for a concert in UK, which could only be bought if
| you had UK Ticketmaster app. No, the international version of
| Ticketmaster app did not have these. Had to get me a blank
| Android phone, had to initialize it pretending I'm in UK via VPN,
| so I can see the UK Android Playstore (got my phone number
| blocked by Google in the process - "too many verifications from
| this number"). Then, it finally let me get the tickets and
| actually see the dreadful barcode in the app.
|
| This is horrible. Please stop.
| jofla_net wrote:
| I know the discussion has drifted into the larger realm of ethics
| and civic responsibility. But with respect to the original title,
| I always thought that it would be trivial to create a software
| 'tumbler' the logic of which was based on primitive examples,
| such as this. Edit: each user could have their own initial state.
| https://en.wikipedia.org/wiki/Alternating_step_generator granted
| you'd need to ramp up the bits to make them less crackable. Then
| all you'd need is some translation to 2-d QR scancode graphics
| and a silly sliding bar and voila! Ticketmaster hegemony.
|
| But yes, it's disgusting that I've needed a phone for events...
| grishka wrote:
| Impressive. I had no idea mobile-_only_ tickets are a thing. For
| me it's always been the other way around because sometimes some
| events would insist on a printed ticket even if it comes as a PDF
| with a barcode. This sort of thing became annoying enough to me
| that I bought a printer.
|
| But then ticket resale online marketplaces aren't a thing around
| here either. When people resell event tickets, it's usually an
| entirely DIY affair.
| lifeisstillgood wrote:
| I am sure this is pointed out elsewhere, but Ticketmaster's
| business model is based on lying to the public so that the
| artists and venues don't have to.
|
| Taylor Swift is a nice-ish person and wants her fans to think
| they can buy tickets for her shows at about 25 bucks because
| that's a lot of money for a 12 year old and she does not want to
| alienate her fans.
|
| Her manager is an evil cackling bastard and wants to get as much
| as he can.
|
| He knows if he sells all the tickets for 25 bucks he will lose
| money in the tour and the people who resell the tickets for 2000
| will make 1975 dollars profit.
|
| So he does a deal with ticketmaster.
|
| They will sell 100 seats at 25 bucks, then announce "wow that
| sold out quickly" and then pretend that the other 5000 tickets
| they have are sold, and then resell them on secondary sites (ie
| ticket master is actually selling you original tickets through
| secondary markets).
|
| Then they give the cash to the evil manager who twirls his
| moustache.
|
| All the rest, the adding extra charges at end of sales process,
| the ridiculous rush to buy at a given moment in time instead of
| some auction or lottery, the whole thing of backhanders to
| venues, all that is secondary to enabling Taylor swift to take a
| huge cut without seeming like an evil moustache twirling money
| grabbing manager.
| IncreasePosts wrote:
| Can you provide a source for artists getting a cut of the
| greater-than-MSRP resale market?
| xhkkffbf wrote:
| Why shouldn't the artists get a cut of the greater-than-MSRP
| resale? Yeah, I realize that some pretend that the MSRP is
| the real price, but if anyone should get a cut of the jacked
| up fees, it should be the people on the stage or producing the
| show.
| peddling-brink wrote:
| I don't think anyone is arguing otherwise. The frustration
| is the inaccurate pricing and other monopolistic behavior
| from TM et al.
| xp84 wrote:
| I mean, they should have that revenue, and a lot of us want
| them to just raise the prices for that reason. What's
| arguably kinda dishonest is when they have deals with
| Ticketmaster's scam of a resale scheme that result in them
| getting a large amount of the 'scalping margin' while also
| yelling about how they price their tickets SO low, and it's
| scalpers to blame for 'stealing the tickets from all you
| Real Fans!'
| ghayes wrote:
| There are a lot of journal articles about this, but here's a
| recent NPR story [0] and a Vox article from 2019 [1].
|
| [0] https://www.npr.org/transcripts/154299904
|
| [1] https://www.vox.com/the-goods/2019/7/22/20703858/live-
| nation...
| financetechbro wrote:
| As much as I dislike Ticketmaster this is pure conspiracy
| unless you provide sources
| bonestamp2 wrote:
| I can't confirm what they said, but TicketMaster does have a
| "partner" reseller program for scalpers where they have tools
| to help scalpers list and manage resale tickets in bulk. They
| also have events where they help teach scalpers how to make
| more money, which is good for TicketMaster since it makes
| even more money on secondary sales. Ticket scalping used to
| be illegal, and now TicketMaster is helping facilitate it.
|
| Source: https://www.cbc.ca/news/business/ticketmaster-
| resellers-las-...
|
| Scalping aside, TicketMaster is taking massive fees each time
| the same ticket is sold. For example, I went to an event last
| year and the fee was $50 on each ticket, and these were
| reseller tickets so TicketMaster had already taken a fee on
| each of those tickets at least once already (perhaps more
| than once).
|
| TicketMaster also owns many venues or has exclusive deals
| with most large venues that prevent those venues from using
| any other ticket selling platform. The DOJ is currently
| investigating this monopoly. TicketMaster alleges it is not a
| monopoly since there are many smaller venues that they are
| not involved with.
| cbsmith wrote:
| > Scalping aside, TicketMaster is taking massive fees each
| time the same ticket is sold. For example, I went to an
| event last year and the fee was $50 on each ticket, and
| these were reseller tickets so TicketMaster had already
| taken a fee on each of those tickets at least once already
| (perhaps more than once).
|
| So your evidence is that you were charged a $50 fee on a
| separate transaction that didn't involve TicketMaster?
|
| This is not the compelling evidence that you think it is.
| Decker87 wrote:
| Taylor Swift's manager is a woman. And an artist like TS is
| going to know exactly how it works behind the scenes
| floatrock wrote:
| Hey now, it's 2024, anyone can twirl their evil mustache if
| they want to sport one. Just wash your hands afterwards.
| axus wrote:
| If Britney Spears's book is to be believed, the talent can be
| kept in the dark.
| telotortium wrote:
| Britney Spears ended up forced into a conservancy. Taylor
| Swift is much more savvy (gets songwriter credit on
| everything, successfully rereleased her early tracks to get
| better royalties from her back catalog, manages her fanbase
| really well in general). She definitely knows the game with
| Ticketmaster.
| sethaurus wrote:
| The grandparent is implying that "Taylor Swift" and the "Evil
| Manager" are two sides of the same coin; they don't need to
| even be different people. The system lets a (big) artist
| extract value while keeping their public image clean. It's a
| shell game, and Ticketmaster plays the role of bad-guy-as-a-
| service.
|
| Of course, their insane monopoly means they also get to take
| advantage of smaller artists, venues etc. None of this is
| good.
| MarketingJason wrote:
| I'm not sure this is true. Most (~80%) large venues are owned
| and operated by Live Nation, who also owns Ticketmaster. They
| also have exclusivity agreements with hundreds of others.
|
| It's, in effect, a shell operating as a scalper and a customer
| service disruptor. This has very little to do with the artist
| beyond selecting venues.
| cbsmith wrote:
| It's about 60% of large venues. The 80% is Ticketmaster's
| share of the ticketing marketplace.
| Zopieux wrote:
| Agreed, fuck Ticketmaster. Sincerely.
| AlexanderTheGr8 wrote:
| Nice reverse engineering! As a hacky way for the non-tech-savvy,
| couldn't you use a temp account to create ticketmaster account
| and then buy the ticket and then sell the temp account
| information to bypass their rules?
|
| This reverse-engineering also breaks if ticketmaster forces venue
| staff to only scan if the barcode is in the ticketmaster app.
| Unless you create a lookalike app to trick the staffers.
| jasomill wrote:
| Good luck forcing a check like this at a busy concert venue.
|
| I once paid at Starbucks with the Apple Wallet barcode
| appearing in a photo of my phone displayed on the back of a
| DSLR. Plopped my not-remotely-iPhone-like Nikon D800 on the
| counter lens-down, LCD-up, barista scanned it without a second
| thought.
| drowntoge wrote:
| > If you take a closer look at your ticket, you may notice that
| it has a gliding movement, making it in a sense, alive. That
| movement is our ticket technology actively working to safeguard
| you every second.
|
| This part made me want to throw up, preferably a couple of
| buckets full, right onto the heads of the marketing team who came
| up with it.
|
| Kudos to the author of the article. Great work and a great read
| to go with it.
| xp84 wrote:
| Those little blue bars are some hard workers. They don't even
| sleep! Just moving back and forth all day, protecting me. <3
| GuB-42 wrote:
| Does anyone know how Ticketmaster works, really?
|
| I have been to Ticketmaster events that use reasonably priced,
| printable tickets, you could even buy a printed ticket with cash.
| In fact, even though there are so many Ticketmaster events, they
| are not all working the same way. And Ticketmaster doesn't have
| the monopoly on shitty practices, the article gives a good
| example in the beginning.
|
| What I suspect is that Ticketmaster is nothing more than a
| service provider. The venue/event organizer/... looks at the
| Ticketmaster catalogue and picks the product they want. There are
| "evil" products in that catalogue, and they are probably the ones
| with the best returns, but I am sure people have a choice.
|
| I'd even go as far as calling Ticketmaster "Evil as a Service".
| So people can say "fuck Ticketmaster" instead of saying "fuck
| Taylor Swift". I would be very surprised if artists (and their
| agents) at the level of Taylor Swift didn't have a say regarding
| ticket sale practices, even with Ticketmaster.
|
| Of course, the monopolistic practices of Ticketmaster are a
| problem, people are most likely paying more than they should
| because of it, but all the crap with apps, resale platforms,
| etc... I am pretty sure the event organizers, maybe the artists
| themselves are as much to blame.
| orangecat wrote:
| _I'd even go as far as calling Ticketmaster "Evil as a
| Service"._
|
| Correct, except rather than "evil" it's "market-clearing
| pricing". Of course many people see no distinction there.
| bonestamp2 wrote:
| > but I am sure people have a choice
|
| Often, they do not. The DOJ is currently suing TicketMaster
| because they have exclusive agreements with nearly all of the
| large venues and that prevents those venues from using other
| ticket providers. To be fair to TicketMaster, they argue they
| are not a monopoly because there are many smaller venues that
| they are not exclusive with.
|
| But, TicketMaster even requires that artists use TicketMaster's
| promotional agency if they want access to these large venues.
|
| And more evil stuff! Details here...
|
| https://www.justice.gov/opa/pr/justice-department-sues-live-...
| GuB-42 wrote:
| I wasn't talking about having the choice of using another
| agency, Ticketmaster is predatory and this is a problem.
|
| I was talking about using Ticketmaster (for the lack of other
| choice) but using one of the more consumer friendly services
| Ticketmaster appears to provide. I am sure Ticketmaster won't
| mind, they get their share anyways.
|
| What I wanted to say is that Ticketmaster may be responsible
| for your ticket costing $70 and not $60, but for all the
| other bullshit, they just do what is asked of them (by the
| artists, venue, event organizers, etc... maybe even the fans
| themselves). Or at least, that's how I think it is.
| cbsmith wrote:
| > Does anyone know how Ticketmaster works, really?
|
| For the most part, no. I'm actually shocked by how much
| understanding you are demonstrating in this post. I did not
| expect to find that on Hacker News.
| LeonM wrote:
| Let's face it, the real problem with ticket sales is scalping. OP
| may not like Ticketmaster, and doesn't want to install the app,
| but the majority of fans don't have a problem with that. The real
| problem for most fans are the scalpers who push prices out of
| their budget.
|
| Of course we all like to dream up all sorts of technical crypto
| solutions to this, preferably decentralized to remove evil
| Ticketmaster from the equation. But I don't think the ticket
| scalping problem is a technical problem per se. I believe it is
| because tickets are currently sold under the wrong terms, which
| encourages scalping.
|
| A possible solution could be to make tickets non-transferable,
| but always refundable. So only you (the buyer of the ticket) can
| use it, but you can't resell it. But if you decide not to go, you
| should be able to refund the ticket to the ticket office for full
| price. The ticket can then be sold again to someone else, for the
| same price.
|
| Now, of course this is a naive idea. There are many practical and
| technical challenges to it, not to mention the politics of the
| entertainment industry. I'm not too familiar with the event
| industry, so I'm not sure if this would even align all the
| incentives, but it would benefit the fans and the performers who
| care about their fans.
| mlyle wrote:
| The problem is scalping.
|
| Unfortunately, this "solution" is Ticketmaster cementing their
| control of the ticket marketplace and spying on their users.
| jmholla wrote:
| And (and I think you were implying this), Ticketmaster giving
| themselves complete control over the still existing scalping
| market which they use to boost their own profits without any
| benefits over the standard scalping market (arguably also
| including further downsides).
| bonestamp2 wrote:
| Yes, non-transferable tickets would fix the scalping part of
| it. I'm guessing the face value would go up a lot in that case,
| and that's fine... at least it's an honest market then and
| ticketmaster cannot pass the blame on to the scalpers.
| dsego wrote:
| > The real problem for most fans are the scalpers who push
| prices out of their budget.
|
| Isn't that the market sorting itself out? What do you want,
| planned economy? How is fixing the price on a ticket different
| than the Soviet Union stamping prices directly onto
| manufactured items. I meant this to be sarcastic, but it's only
| half so, since I find the comparison appropriate, you know free
| market and all.
| hunter2_ wrote:
| > tickets are currently sold under the wrong terms, which
| encourages scalping
|
| The incentive to scalp arises from the likelihood that a ticket
| will be worth more in the future (buy low, sell high) and that
| future worth is established by scarcity (sold out shows). To
| help eliminate this likelihood, the original price (face value)
| needs to decrease over time, ideally in such a way that the
| final original ticket sale occurs right when doors open,
| because the sooner that occurs, the bigger the opportunity for
| scalping. "Dutch auction" [0] is one implementation of this
| concept, though it's typically to find the most money a single
| buyer will pay, whereas in this case we have thousands of
| buyers. Perhaps the rate at which the price declines could be
| dynamically adjusted to aim for N% sold when N% of the on-sale
| timeline has elapsed, for any N.
|
| The problem is convincing promoters/etc. that this would be as
| profitable for them as the status quo. But it might be!
|
| [0] https://en.wikipedia.org/wiki/Dutch_auction
| xg15 wrote:
| > _This ticket is digital. Saving data offline is the same as
| copying it to your hard drive. If data can be copied, it can be
| transmitted. If it can be transmitted, it can be shared. If it
| can be shared, it can be sold._
|
| Is this still true in the age of locked-down bootloaders, secure
| enclaves, TPMs etc?
| nedt wrote:
| That data might be part of a backup to your Mac. Maybe it's
| even just a sqlite file.
| GuB-42 wrote:
| > My phone has no internet connection...
|
| Who thought it was a good idea to require an internet connection
| at an event. For anything, not just ticketing. It is as if the
| people who designed these apps never went to a large event.
|
| No internet is the rule, not the exception. Sometimes, you can't
| even send an SMS. Apps designed for use in events should always
| work offline, and if internet use is justified, take into account
| latencies in minutes and use bandwidth sparingly. Failing to do
| that will make the experience terrible for everyone, as bandwidth
| will be saturated by thousands of phones trying to do something
| with that damn app.
|
| At least Ticketmaster does it somewhat right here. The app is
| supposed to refresh the ticket 20 hours before the event, to
| account for the fact that the internet may be unavailable at the
| gate.
| scottfits wrote:
| Very cool post, but as someone who has been on the other side of
| the situation, I do have sympathy for what they are trying to
| accomplish.
|
| I bought a ticket that someone had double sold, and by the time I
| got to the door, they turned me away and said the ticket had
| already been used. So their system has good intentions, they just
| need to make it work offline.
| tacker2000 wrote:
| Would be interesting to see the same done for the UEFA ticket
| app. They use QR codes that are activated/visible only when the
| user is on site, detected via Bluetooth. They claim that
| secondary use is then not possible.
___________________________________________________________________
(page generated 2024-07-08 23:00 UTC)