Hackers Cut in Line at the Burning Man Ticket Sale–And Get Caught

43 points | Libertatea | 11 years ago | wired.com

46 comments

fWnApHU2PY6CPA | 11 years ago
I believe I may accidentally be one of these "hackers."

For those of you who don't know how the line worked, TicketFly sent registered users a link to a page that would allow them to purchase tickets at 12:00pm PST. Like most people, I clicked the link just before noon and ended up in a waiting room with a countdown clock and a note explaining that a continue button would appear at exactly 12:00.

My coworkers and I were curious if the button was simply hidden from view using JavaScript, so we did what any hackers (in the Hacker News sense) would do – we viewed the page's source. There it was! In the middle of the page sat a small JavaScript function with a link to reveal the button. Curious again, we clicked it. I believe the waiting room page just refreshed at that point, and we thought nothing of it. A few minutes later, the queue began, and after sitting in it for about 40 seconds, I was shown the purchasing screen. I assumed I got lucky and left happy.

When I read this blog post on Saturday evening, I realized what had happened and freaked out a bit. It appears that clicking that link placed us at the top of the queue, even though we couldn't actually start the purchasing process until noon. Because of this, I am probably going to lose my tickets. Yet the fact that we could cut in line never even occurred to us, because we assumed that any queuing logic would have happened on the server side to prevent exactly this kind of exploit.

I feel bad for the users that I apparently cut in front of. I feel equally crappy, though, because I'm certain that other "hackers" are in similar situations to me. From what I've read in subsequent reports, using NoScript or otherwise browsing with JavaScript disabled would have revealed the button before noon. That means that those people, too, will be labeled as hackers and have their tickets revoked. I'm relatively certain that even having a system clock running a few minutes early would mark you as a line cutter.

Not sure what to do next. I suppose all I can do is wait. This sucks.

codyb | 11 years ago
That sucks. In my eyes that's more on Ticketfly than on you. They have an event with ~400 dollar tickets that far more people want to pay for and attend than tickets are available. They should have made sure their system wasn't exploitable in this way.

Of course hindsight is always 20/20. It just doesn't seem fair that for clicking a link they served to your computer a few minutes early you'd get totally #$&$ed out of a ticket.

It doesn't seem fair you got to click the link a little early by peeking at the source but that shouldn't have been doable in the first place and they literally served you the key for access.

userbinator | 11 years ago
Reminds me of a few free file hosts (probably now long dead) that would do the countdown thing client-side, with the direct link to download the file right there in the source code.
lawlessone | 11 years ago
That's not accidental.
Cthulhu_ | 11 years ago
And that's why you never put that kind of logic on the front-end. Or if you do, always make sure there's a back-end double-check. In this case, from what I gather, a unique key that could only be known if people got it via an email would've been adequate.
davidw | 11 years ago
> And that's why you never put that kind of logic on the front-end.

I wonder what kinds of goodies all these front end frameworks will lead to, when they eventually fall into the hands of people who don't understand that the final arbiter of some things must be on the back end.

jimrandomh | 11 years ago
Doing the queue/first-come-first-serve thing only makes sense if you expect the number of people arriving at exactly the starting moment to be less than your supply of tickets. Otherwise what you have is a ticket lottery, except that the "randomization" is being done by ping times rather than anything explicit. If they can't expand the ticket supply by enough to meet demand, then they should probably make an explicit ticket lottery.
legulere | 11 years ago
Doing a lottery also has the advantage that you can make some extra rules to make it more fair. For instance you can prefer people that didn't get tickets the year before.
peterwwillis | 11 years ago
Many ticket-limited events have figured out how to run a massive timed purchasing event like this. TicketFly could have checked out any one of them to learn how to properly execute this kind of event, and prevent "line-skipping". (ShmooCon and Playa Del Fuego are two such events I'm familiar with.)

The system is very simple: you open up the ticket purchase page a few minutes before registration opens. The page reloads at randomish 30-second intervals. Once registration opens, the backend sets a queue number linked to a unique ID, and sets a cookie in your browser with that ID. You wait for the page to finally reload and say "it's your turn to purchase tickets!" And so, through a delayed system of individual registrations, everyone gets their ticket if they showed up at the appropriate time.

The 'queue' is a server-side aspect of this system, and it all happens on servers that have their clocks synchronized. Before accepting anyone into the queue, the server software needs to check if it's 12:00 yet (or whatever time registration opens).

Their software did not check the time before populating the queue. Bottom line: this was a bug in TicketFly's software, not "hacking".
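A server-side version of the queue described in this comment, next to the client-gated pattern described earlier in the thread, as an added example (not TicketFly's or any commenter's code; the opening time, clock values and queue ids are constructed, and the server clock is passed in so the scenario is deterministic):

```python
"""Server-side gating of a timed ticket queue (added example, constructed data)."""
from datetime import datetime, timedelta, timezone
import secrets

# Constructed opening time: noon PST expressed in UTC. Only the server's clock matters.
OPENS_AT = datetime(2015, 2, 18, 20, 0, tzinfo=timezone.utc)


class VulnerableQueue:
    """Position assigned on arrival; only the Continue button is hidden, client-side."""

    def __init__(self):
        self.positions = {}  # queue id (cookie) -> (position, entered_at)

    def arrive(self, now, cookie=None):
        if cookie in self.positions:        # page reloads keep the same id and position
            return cookie
        cookie = secrets.token_urlsafe(8)   # unique id handed back as a cookie
        self.positions[cookie] = (len(self.positions) + 1, now)
        return cookie


class HardenedQueue(VulnerableQueue):
    """Same API, but the server checks its own clock before assigning any position."""

    def arrive(self, now, cookie=None):
        if now < OPENS_AT:
            return None  # waiting room only: no position, no cookie, nothing to reveal
        return super().arrive(now, cookie)


def line_cutters(queue, opens_at=OPENS_AT):
    """Audit a queue log: ids whose entry timestamp precedes the official opening."""
    return sorted(c for c, (_, t) in queue.positions.items() if t < opens_at)


def run_scenario(queue_cls):
    """One early clicker (hidden link at 11:58) versus one user who waited for noon."""
    q = queue_cls()
    early = q.arrive(OPENS_AT - timedelta(minutes=2))
    punctual = q.arrive(OPENS_AT + timedelta(seconds=1))
    if early is None:  # hardened server refused; the early clicker retries after noon
        early = q.arrive(OPENS_AT + timedelta(seconds=2))
    assert q.arrive(OPENS_AT + timedelta(seconds=30), cookie=punctual) == punctual  # reload
    return {"early": q.positions[early][0],
            "punctual": q.positions[punctual][0],
            "cutters": len(line_cutters(q))}
```

`line_cutters` is the same check the organizers can run afterwards over a queue log, which is why entering before the opening time is detectable even when the server failed to refuse it.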

djcapelis | 11 years ago
Uhm. Shmoocon and Playa Del Fuego sell... what, 2,000 tickets? Burning Man is selling 70,000 this year. 40,000 were sold in this single sale alone.

That's an order of magnitude difference.

jessaustin | 11 years ago
I've never been to this, and I'm pretty sure I wouldn't want to go. (When I go to the desert, it's not to be around other people.) However, this whole authority-obedience-fashion-and-privilege episode seems somewhat counter to my previous media-driven impressions of the event.

If you want to do something fun in the wilderness with your friends, you don't need anyone's permission for that.

ChuckMcM | 11 years ago
> you don't need anyone's permission for that.

Except in this case the Bureau of Land Management's (BLM) permission. I spent a lot of time in Las Vegas and for the most part you just drove out into BLM land and it was fine. But if you have a group greater than a certain size it requires permits. The ticket process is a way for them to not exceed their permit limit of 50,000 people. Doing so would get them banned from getting permitted in the future.

That said, I'm rather surprised at this point that some tech billionaire hasn't bought a couple of thousand acres of desert[1] and allowed it to be run there. But at some point the 'exclusivity' becomes its own value.

[1] Land ownership debates notwithstanding.

avalaunch | 11 years ago
The title seems off. They haven't been caught yet. Burning man officials simply said they will find and cancel the tickets. That seems like something they might say regardless of whether they actually could do so.

Can anyone explain to me how they could go about determining who skipped the line and who didn't? I'm curious.

fWnApHU2PY6CPA | 11 years ago
My understanding is that any users who entered the queue between 11:55ish (when the waiting room appeared) and 12:00 PST (when purchasing officially started) will have their tickets revoked.
joncalhoun | 11 years ago
It's too bad Ticketfly doesn't have a bug bounty program. That payout would have been interesting.
cornewut | 11 years ago
I wonder if any of the "hackers" will get sued.
WorldWideWayne | 11 years ago
Why do people need tickets to go out in the desert and have a big party?

Perhaps my thinking is naive here, but tickets seem to run counter to one of the main principles of Burning Man which is "Radical Self Reliance". If I'm paying you for a ticket then I must be relying on someone for security.

amckenna | 11 years ago
The tickets pay for several things including the permits to hold the event on federal land, the setup and cleanup of basic infrastructure, and the maintenance of basic facilities such as porta-potties.

They publish a great breakdown of where the money goes here: http://burningman.org/event/preparation/ticket-money/