Really good post! I also found this quote which distilled their position in the 404media coverage of the situation.
> “What I can say for sure is that TicketMaster and AXS have had every opportunity to support scam-free third party ticket resale and delivery platforms if they wished: By documenting their ticket QR code cryptography, and by exposing apps and APIs which would allow verification and rotation of ticket secrets,” Conduition told me in an email. “But they intentionally choose not to do so, and then they act all surprised-pikachu when 3rd party resale scams proliferate. They're opting to play legal whack-a-mole with scammers instead of fixing the problem directly with better technology, because they make more money as a resale monopoly than as an open and secure ecosystem.”
Basically, brokers are using the "secure.tickets" and similar websites to proxy ticket barcodes to buyers, without going through the actual ticket transfer mechanisms on the primary ticketer AXS/TM, (similar to how this blogger does). Then resellers are delivering these ticket URLs, hosted on random websites, to Seatgeek and Stubhub customers, and those platforms are supporting their delivery by telling their customers that the tickets are legit. Sounds like AXS is fighting back against this practice.
The underlying issue is that those tickets have a "no resale" provision that doesn't apply when the original seller acts as a broker.
Do other brokers, when they go and work around that limitation, break the sales contract? Maybe. The legal system would churn an answer in a few years.
Are AXS et al, with their "only we are allowed to engage in a secondary policy", abusing their monopoly on original sales? The legal system would churn an answer about the legality of this in a few years, but I think it's obvious they at least break rules in the spirit.
Monopoly is the keyword here. Ticketmaster and Boeing and all the other nefarious companies here use PATENTS to prevent competitors from eating their lunch. Patents need to be done away with to allow free competition, don't believe the propaganda about patents helping creators.
I love it when a system has been working for hundreds of years through by far the most prosperous time in human history but people on the internet are sure it is wrong. No proof, no evidence, not even logic, just certainty.
Also, I don’t think any of the issues with Ticketmaster have anything to do with patents.
I'd also like to highlight another bad practice by Ticketmaster.
When you purchase a ticket from them and resell it on their marketplace, once someone purchases it, they (Ticketmaster) hold your funds and only give you the money ~7-14 business days after the event is over. They say this is to verify the validity of the ticket.
On the buyer side, you purchase the ticket from the marketplace and it gets added to your account immediately. (I think) You get the barcode some time ~1 week before the actual event begins.
The confusion for me? Ticketmaster owned the ticket and all logic relating to the validity of it. The logic to validate this shouldn't be complex at all. They OWN the ticket. They KNOW it's legitimate because it never left their database. Yet they double dip and hold both buyer and seller funds. Events can be close to a year in the future but the seller won't see that until after that event ends.
There's another good point in here. Why do they hold the ticket until just before the event? I bought tickets to a concert for my wife's favorite band. Then, my wife's work scheduled an event for that same week and she had to leave town. So, what I really wanted was a refund so someone else could buy the tickets. They don't do that of course. So, then I wanted to sell the tickets for face value... but Ticketmaster didn't "deliver" the tickets to my account until the day before the event!
I watched for a month leading up to the event as the ticket prices plummeted while the scalpers were desperate to get at least something for their tickets before my ticket was even delivered to me.
As soon as they take my money, they should update the database to show that the ticket is mine. If I want to sell it, I should be able to do that immediately too.
But, from what I've read, that instant resale ability only belongs to their "partners" who resell a lot of tickets, and you need access to their "TradeDesk" tool to do it: https://tradedesk.ticketmaster.com
Just vote with your pocket and don’t buy tickets from them. I do that - yes I don’t get to go to major concerts but there is still so much more that is not on Ticketmaster. I found a lot of new entertainment and was happy to pay $4 fee instead of whatever TM charges nowadays.
This began a lot more on third party sites like stubhub due to Covid and the massive amount of cancellations; before most places paid out after the sale, and if the buyer wound up having an issue (due to the seller mistake, selling it multiple times, whatever) they would charge the seller and usually assess a penalty.
But when everything in the world was being cancelled I assume they didn't have all the money just sitting around to reverse and it was a ton of thrash to deal with. As someone who had bought tons of tickets and sold some, it was a mess. I had a ton of credit card refunds back, the third party sites had to reverse payments, etc.
Waiting until after the event is just less overhead. Guarantees the transaction happened without a hitch.
There are some POS and broker sites that still pay on transfer, but none of the "primary" secondary market does.
I’ve never dealt much with TicketMaster, despite them being a monopoly. So my questions here may just be out of naiveté:
1) Why would TicketMaster pay event organizers ahead of time, if the event might be shit and attendees may demand their money back? Rather than having to deal with a lot of chargebacks and making it their own problem with the banks, they might prefer to make sure the event goes off without a hitch and refund people while they still can. Rather than subsidizing the refunds they make the event organizer have to get (and pay for) financing instead, backed by their payout. They might also offer such financing.
2) I get that they hold event organizers hostage by making contracts with the venues for years, that might be an antitrust issue but it’s separate from 1.
3) Why would TicketMaster make scalping easy? Middlemen would just buy up all the tickets and then pump and dump the price, much like early crypto investors in a meme token or altcoin do. So they don’t “deliver” the ticket to you until just before the event, exactly for that reason.
With ChatGPT it’s now easier than ever to impersonate thousands of people at scale, with credit cards and everything. But I will admit, showing up to an event at least once confirms there is a human behind the account. But a first-timer buyer? Shouldn’t be able to resell, no.
> When you purchase a ticket from them and resell it on their marketplace, once someone purchases it, they (Ticketmaster) hold your funds and only give you the money ~7-14 business days after the event is over. They say this is to verify the validity of the ticket.
I imagine it's more about discouraging scalping, regardless of what they may say about it.
Maybe to stop people selling the ticket and still going to the event with a pre-printed one? Solving that would also be easy if they have a central verification system (just invalidate the ticket and issue a new one) but not if it is all p2p.
(disclaimer: I'm a complete outsider, last time I bought anything from Ticketmaster was a really long time ago).
They would need to solve that anyway in case 2 or more friends attempt to get in on the same ticket.
Not at all difficult - simply share screen a third device and display the rotating QR-code through e.g. zoom on individual phones. For additional trickery, try to split the group into joining multiple ticket scanning lines and timing the scan of the ticket to be as close as possible to each other.
Possibly it's fraud prevention, in case payment for the original ticket was fraudulent and chargeback occurs after the ticket is resold on marketplace?
That does sound like a very reasonable thing to do. Otherwise you have a threat vector of steal card, buy ticket, sell ticket, pocket the cash, card owner disputes, now Ticketmaster has paid a stolen identity who took the money and ran.
Anything that can be used to monetize stolen cards will tend to be used for the purpose even if it's inefficient.
I hate TM and ridiculous fees as much as anyone, but this article is overly hyperbolic.
There's a section named "Pirating Tickets", that just explains how to re-create a barcode that you already paid for. You're not using this to rob anyone of anything.
And at the end, "Have fun refactoring your ticket verification system". Why? There are no vulnerabilities here. A rotating barcode (even if following a known pattern) is still more secure than a static barcode on a piece of paper.
Piracy here just means you can use it to sell your ticket without using their platform, which is analogous to just sending someone the PDF or handing over the piece of paper as always.
While this has the upside of breaking you free from TM's obnoxious practices, it also obviously opens up for scalpers and all.
Scalping is still possible without understanding the tech - you could just stream a video of the bar codes and sell the stream instead of selling the ticket.
Are you sure you understood the article? The token is supposed to be a secret and the TOTP generation should happen remotely. This is not the case and this suggests a fundamental lack of security practices at the company.
"Should happen remotely" – according to who? What is the security risk for the end-user?
"this suggests a fundamental lack of security practices at the company" – that's a stretch of a conclusion to make. You're being as hyperbolic as the original post.
What didn't I understand about the article? This still offers a slight increase in security over static barcodes, without introducing any new vulnerabilities.
Well, it's more like the "security" they want is fundamentally incompatible with support for offline use in this case (as long as we have open computing platforms anyway).
It's piracy in a way that's analogous to ripping like Netflix content. You are breaking away from DRM which is piracy. They also cite the potential to have multiple tokens valid per one ticket which would let multiple people get in with the same ticket.
I doubt the second bit is true - they will still be marking the ticket as used in their backend.
They are just trying to prevent scalpers printing off tickets 10 times and selling them outside the venues as a scam, which happened at every large concert I have ever been to until recently (so I assume this is working!).
I'd argue that a few extra people sneaking in on the same ticket (assuming this is even possible) is more like sharing your Netflix credentials than ripping Netflix content and having it be shareable with the entire world.
You're also walking into a stadium/concert in plain view of security cameras, so the stakes and deniability are different as well.
The way this is already being exploited in the wild is that a scalper/scammer buys 1 ticket, then resells the same ticket multiple times. Multiple people believe they have a valid ticket, show up at the event, but only the 1st ticket works. The other people who try to use the ticket are turned away saying that their ticket has already been used.
> The way this is already being exploited in the wild is that a scalper/scammer buys 1 ticket, then resells the same ticket multiple times. Multiple people believe they have a valid ticket, show up at the event, but only the 1st ticket works. The other people who try to use the ticket are turned away saying that their ticket has already been used.
That is one of many ways this is already exploited in the wild.
Do you have a source for this? What platform are they selling multiple copies of the ticket through, and what app are the buyers using that allows multiple buyers to receive and show the same animated barcode?
This way you can sell and have the ticket completely off of ticketmaster. That is a vulnerability. It lets users do something they explicitly don't want to allow.
He was basically wondering if he could create two tickets each with different tokens. Tokens are valid for 20 hours but it probably doesn’t invalidate the old token (e.g. a request for a new token makes it to the internet but due to congestion, the response never comes back to your phone before timing out) and this could trigger multiple tokens for the same ticket that are all valid.
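The gate-side check this sub-thread argues about, as an added example that is not part of the thread or of any ticketing vendor's code: rotating codes are verified as RFC 6238 TOTP values, and admission is recorded per ticket rather than per token. The 15-second step, 8-digit codes, ticket IDs and secrets are assumptions constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 15    # seconds per barcode rotation (assumed value, not from the thread)
DIGITS = 8   # code length (assumed)
DRIFT = 1    # accept +/- one step of clock drift between phone and scanner


def totp(secret: bytes, now: float, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time window containing `now`."""
    counter = int(now // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Gate:
    """Hypothetical venue backend: token secrets per ticket plus a redemption ledger."""

    def __init__(self):
        self.tokens = {}    # ticket_id -> list of token secrets still accepted
        self.redeemed = {}  # ticket_id -> time of first successful scan

    def issue_token(self, ticket_id: str, secret: bytes) -> None:
        # A re-issued token does not revoke the old one here, which is the
        # situation the comment above speculates about.
        self.tokens.setdefault(ticket_id, []).append(secret)

    def scan(self, ticket_id: str, code: str, now: float) -> str:
        secrets = self.tokens.get(ticket_id)
        if not secrets:
            return "unknown_ticket"
        code_ok = any(
            hmac.compare_digest(totp(secret, now + d * STEP), code)
            for secret in secrets
            for d in range(-DRIFT, DRIFT + 1)
        )
        if not code_ok:
            return "bad_code"        # stale screenshot or guessed code
        if ticket_id in self.redeemed:
            return "already_used"    # keyed on the ticket, not on the token
        self.redeemed[ticket_id] = now
        return "admit"


def demo() -> list:
    """Constructed scenario: two live tokens for one ticket, then a stale screenshot."""
    gate = Gate()
    now = 1_700_000_000
    token_a = b"constructed-secret-A"
    token_b = b"constructed-secret-B"
    token_c = b"constructed-secret-C"
    gate.issue_token("TICKET-1", token_a)
    gate.issue_token("TICKET-1", token_b)   # second token, first never revoked
    gate.issue_token("TICKET-2", token_c)

    results = []
    # First holder scans a fresh code from token A.
    results.append(gate.scan("TICKET-1", totp(token_a, now), now))
    # Second holder scans a fresh, cryptographically valid code from token B.
    results.append(gate.scan("TICKET-1", totp(token_b, now + 5), now + 5))
    # A screenshot of TICKET-2's code presented two minutes later.
    screenshot = totp(token_c, now)
    results.append(gate.scan("TICKET-2", screenshot, now + 120))
    # A ticket ID the backend has never issued.
    results.append(gate.scan("TICKET-9", "00000000", now))
    return results


if __name__ == "__main__":
    print(demo())
```

The second scan carries a valid code and is still refused, because the ledger is keyed on the ticket ID; the rotating code only limits how long a copied barcode stays usable.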
This sort of ticketing thing is a trivially solvable problem. It is solved at every airport in the entire world millions of times per day. You provide the name of each concertgoer when you buy a ticket, and they show up with their ticket and ID. You often need to show your ID at these kinds of venues to prove you're old enough to drink beer anyway.
I have to believe the reason the likes of Ticketmaster isn't fixing this is because they are selling/auctioning/reserving some percentage of tickets to scalpers or "3rd party sellers".
Requiring ID is such an obvious solution that I have to believe these convoluted approaches are only there so the secondary market can exist and so Ticketmaster can wash their hands when prices get out of control on that market.
I have to presume that the driving impetus of all of this is that they're trying to avoid the actual requirement of checking the ID. Like, they want to improve the flow of traffic through admissions.
But I mean, obviously, any kind of system like this strikes me as the same sort of thing as DRM. That you can somehow protect the message from the person you're sharing the message to. How can you avoid reselling if you don't verify the original purchaser? It just seems ridiculous on its face.
Yeah I agree, they are not incentivized to fix scalping/bots because they get a fee every time a ticket is sold. It is in their best interest for the ticket to be sold as many times as possible.
But also, the hell with this. I'm still sour enough about the TSA without the concept of, "I'll buy tickets for me and three of my friends then see who wants to go," becoming impossible or gated by ticket transfer fees.
Airlines are preventing a secondary market. Unfavorable for your use case, but also prevents scalping airline tickets (while allowing airlines to attempt to maximize revenue). There are always tradeoffs and compromise.
To hack around this, I've used Southwest Airlines; I can buy tickets for folks and if they can't travel, we cancel the ticket(s) and keep the travel funds banked for another time. I hope this is potentially helpful information.
Even allowing that but requiring your valid ID must be taken into the venue by yourself (or by your friends eg if you get sick and can't go) would be a big improvement, meaning ticket scalps would have to actually go or have someone on their team go along with every ticket they resell.
Depends a lot on the country you live in. In most European countries "carrying an ID" is legally required if the police stops you anyway (they do need a reason to see it though), so "show an ID at the entrance" is no big deal.
It's to my understanding mainly the US where ID requirements are often side eyed because many people don't have them and there's no national standard (and due to a variety of political reasons there probably won't ever be any.)
that's really just an opinion. and I'd argue that if people really care about a fair and sustainable concert going, given how ridiculous the live event situation is, you'd support pretty common and standard requirements like ID to be shown. as others said: ID is already required to validate age in many events/venues
> Flying requires an ID. Attending a concert should not.
Why though? Not disagreeing per se because I'd have thought so too, but upon reflection...
I assume the main reason airlines require an ID is safety and security. We maintain a denied parties list and use identity verification to make it as difficult as possible to fly a plane into a crowded venue. Border control is another issue, but there's plenty of intra-country or intra-state flights where this isn't an issue.
Ticketmaster sells unverified access to crowded venues.
Italy solved this. Five years ago, a new law enforced ID-checking when you enter any big events (like concerts with an audience larger than 5000 people).
Tickets have your name on it, and you can only change the name or resell them through the official seller (so, third party resellers are out of the game). Also, every reselling transaction is registered and can be inspected by the Italian Rightsholder Agency (SIAE).
Because of this, and more very strange rules, it is very hard for ticketing systems to get into the Italian market.
Some examples:
- not allowed to change the time or name of the event after the 1st ticket is sold
- only allowed section names in halls from a known list
- free tickets on events... can only do this under strange conditions
- smart card application, for encryption, must run on a physical server in Italy. You should not be able to log into the ticketing box office if that smart card application is not running.
One ID for the entire order would be fine. You can buy 4 tickets, and go into the concert with your 3 friends. It often works this way even with no ID involved, I buy two tickets, add them both to my wallet, scan them both when my GF and I go to the show.
You COULD still scalp tickets if the person who bought them from you is going to walk in with you. But the scalper would have to eat the cost of one ticket to do it, and it's probably onerous enough to severely reduce the impact of scalping.
That requires a single source of truth for which names go with which tickets. Which is going to be a problem if tickets need to be transferred in contexts where users don't have internet access (but they do have local connectivity between devices) or in contexts where the venue doesn't have internet access. Or in cases where the single source of truth might be vulnerable to attack or doesn't have the resources to handle the load at certain times.
I don't have the solution explicitly, but it seems like it ought to be possible to do this such that PII need not be collected. Tickets could be cryptographic proofs that a chain of custody exists and meets certain criteria. The proofs could be constructed at transfer time and verified at admission, no servers in the loop anywhere. Yeah, we'll come up against the CAP theorem eventually, but we might find that the imposed constraints are workable.
> Which is going to be a problem if tickets need to be transferred in contexts where users don't have internet access (but they do have local connectivity between devices) or in contexts where the venue doesn't have internet access.
You know as well as I do that TicketMaster won't allow any of that, because it means they miss out on selling another ticket.
I agree, mostly. What do you do for people without an ID (and without a parent)? Think of the number of people at a Taylor Swift concert who are under 18 -- a lot. Also, checking the name between ticket and ID will slow down entrance by 2-5 times, I guess.
I was recently at a Festival that requires ticket + ID (https://www.resurrectionfest.es). The key to success was to put a little more personnel at the gates, maybe 15 people instead of 10. But it is also true that we have the ID document issued in our early teens if not before. Each ticket verification takes 3 more seconds extra to verify the ID matches, no big deal.
Said festival does their own ticket re-sale to avoid scalping but mainly to avoid shady sites that are known to allow the selling of counterfeits. You can only cede your ticket, not sell it. It is not perfect (e.g. if you don't find a buyer for the same price, you can't sell it at a loss to recoup some money. You get your ticket back) but at least it is not as bad as the one from Ticketmaster.
No, it's not. At my work here we'll all go online to try and get tickets to a big gig. One of us might get in, so that person will get ~8 tickets or whatever the maximum is. And then we split them between us, transferring over cash etc. If we have a few left over we'll sell them to friends for the ticket value.
But none of us have any intention of lining up with the others to get in. We want to go with our partners, our own friends etc.
I want Bob, Terry or Bazzy to be able to buy tickets for me (or me for Bob, Terry or Bazza) but I do not want to have to meet up with Bob, Terry and Bazza and stand in line with them all to get in.
So yea, it's not trivial. I wish it was, I farkin' hate scalpers.
how is this not the same as 8 people trying to find airline tickets for everyone? you can buy tickets for different passengers. some airlines/travel agencies even allow for name change for a fee.
This is trivial and solutions exist in the wild already. If you buy tix for the Paris Olympics, you can transfer them to your friends or you can assign their names to the tickets directly.
The interesting mechanism there is that you can buy a lot of seats at once, but you don’t get to choose where they are exactly, only the section. So in every case you’re going to have people buying big lots of tickets and distributing them to friends and family after the fact.
The issue is most likely about throughput. You want to let fans enter the venue as quick as possible. Most venues have lots of gates, but still the latency at each gate has to be a handful of seconds per ticket. Having to validate both ticket and ID would easily double or triple that time.
I keep reading about this argument but Olympics and World Cup matches are arguably as large events (if not larger) and they place name on ticket and check ID at entrance.
people complain at ticketmaster yet seem to bend over backwards to justify the state of affairs
Some venues do this already and the scalpers buy an additional ticket to burn on themselves so they can get their customer in the gate. It just goes into the cost of doing business. I agree this is probably one of the best ways to stop scalpers but it's not foolproof.
I’ve heard the argument that forcing people to have an ID is anti folks with disabilities and anti-poor since it requires someone to go to an issuing agency to obtain and pay for one, which could be putting someone out who has a mobility disability or doesn’t have a lot of money.
I’m not making the argument but it’s an argument I’ve heard.
Exactly. The privacy characteristics of government ID cards are worse than any other solution. When sharing such an ID, a person is providing several global, stable identifiers (e.g. ID number, full legal name). For adtech and data brokers, this is the ultimate fingerprint for tracking and matching.
In a perfect world, the digitization of these IDs would come with modern digital privacy and security. Scanning your ID number would only provide a recipient-specific ID that couldn't be matched with other vendors. Age eligibility and driver's licensing status would be presented as separate signed attestations that share no other data.
I wouldn’t bring my ID to a concert. I don’t have my wallet with me and even if I would they wouldn’t like me to have a backpack. I’m coming as light and minimal as possible and also would hate to lose my ID jumping around at a concert.
+1 to this. also don't Olympics and World Cup class events also face similar issues as concerts, and they allow for fair'ish purchase and resale by private people, but only through their platform?
There was a recent story of someone taking pictures of other people's boarding passes, and using that to board the plane.
With this Ticketmaster scheme, unless the person has access to the secret keys, the pass would only be valid for a few seconds, likely defeating this attack against boarding passes.
How often has this been a problem though? How about not keeping your boarding pass, or ticket, or credit card for that matter, visible for the world? Just put it in your wallet, I don't know.
This is security FUD. Stop solving problems that do not exist to the point where it makes the news when they do happen, once a century.
This DRM scheme concretely creates millions of small annoyances to millions of people and wastes our time as a society.
A lot of people think live event ticketing is the same problem as airplane tickets, but they really aren't. As an example, there are rules about requiring identification for commercial flight. There are rules against requiring identification for live events.
Buying and using a scalped ticket isn't a crime for the concert-goer, using a fake ID (in most states) is, meaning it puts significantly more pressure on the consumer to not buy. Also, most people in the US over the age of 21 don't have fake IDs, so it's a reasonable detriment.
It's not hard if you remove the self delusion. Removing the self delusion is maybe tricky for the individual, but it's easy for people around the individual to see. Societal tools like shame are generally used to encourage people in the right direction, but we don't do a great job of this in America, because money tends to override everything else and I don't think we have good structures around expressing non-monetary values like honor.
Especially on the west coast, we're so passive in our shaming of people that it probably doesn't translate to action. There are people who work at Evil companies like Facebook, etc, who are otherwise nice, but I find myself not including them or turned off to them as friends because this sort of contradiction is hard to square in my brain. Of course I wouldn't communicate to this, being a passive PNW raised wimp, and it's not even super explicit in my mind, it's really more of a bad vibe than anything else. I imagine over time if enough people act like I do, it doesn't actually translate to different decisions from the individual in question, but instead translates to them waking up one day feeling distant and unfulfilled, which is probably the worst of all outcomes. They still work for Bad Company, but are also sad about it, and there's a general sense of malaise pervading life that's hard to pinpoint.
*Obviously this all ignores the people who don't have a choice of employment. But here I'm generally referring to software people who have high pay and career mobility. Things get murkier when the conversation is opened up to people who are just trying to survive.
And pretty much every company is bad. But this is a wrong answer because the question is actually nonsense.
The answer to "What happens when you move faster than light" is not "nothing", it is undefined because the question is invalid. Asking if a person or a company is good or bad isn't a question that can ever have a well-defined answer: the answers we give are rounded according to our own values. To get more specific, not all of us have a huge amount of choice in who we work for.
If apenwarr believes I want to be a good person they should hire me at Tailscale. What's that, they won't? They don't have openings, or I'm not qualified? I guess they're the bad person because now I have to work for a bad company or lose my income. And if I lose my income, my co-habitants lose their housing, and my donations to good causes dry up. Do I just not do enough good for apenwarr? They must be a paragon of virtue. Surely they don't eat meat, or even associate with meat-eaters. Surely they don't fly in airplanes.
It doesn't need a well defined evaluation scheme. You're the one asking the question, you can provide your own scheme, and come up with your own answer. Whether you're honest with yourself in this process is up to you.
It's still useful to point out that IF you think your company is bad THEN you should do something about that. It establishes that "I was just following orders that I know are wrong" isn't a valid excuse (e.g. like if you end up in court for something you did on the job).
> the answers we give are rounded according to our own values
I agree with this entirely.
And rounding does not change the answer in most situations.
Something that isn't well-defined can still be mostly-defined.
I have no idea what the point of that strawman is in your last paragraph. It doesn't make sense with or without rounding. Maybe if you round every single value to infinity, but that's not what "rounding" normally means...
> Asking if a person or a company is good or bad isn't a question that can ever have a well-defined answer: the answers we give are rounded according to our own values.
It's baffling that you have to carry a mobile phone to access a show. What if you run out of battery? Or if you accidentally break the screen just before entering the venue? The more the technology evolves the more we find horrible uses for it. People should fight back by refraining from purchasing tickets from them, I know it is not easy for people to miss their favorite artist but until a monopoly is broken there is no other effective way to prevent them from doing what they want.
I had to use something like this to get into The Killers gig last week at the O2 in London (fantastic gig btw, and Andy Bell from Erasure made a special guest appearance to sing A Little Respect which was the cherry on top, but I digress).
The WiFi in the O2 was woeful, and even on "The best network" EE the app wasn't loading.
Eventually after stepping aside and letting a load of people go in front of us I managed to get it to load, but it was a dreadful experience.
Contrast that with seeing the Pet Shop Boys last month in Birmingham where the ticket was on my phone in Apple Wallet was night and day (and you could print the ticket if you didn't have an iPhone, or wanted a physical version).
You can still print the ticket on paper. Tho nowadays that means a trip to a FedEx store for me, since I refuse to keep buying inkjets I only use a couple times a year.
> Tho nowadays that means a trip to a FedEx store for me
I've really appreciated my local library for allowing 20ish pages of printing per day, which has allowed me to limp through the no-printer lifestyle. Plus I usually grab a DVD movie while I'm there.
Stop buying overpriced ink jets. I get knock off laser cartridges for cheap and they last a couple years each. I did have to push a few random buttons on my Brother to let me do it, but it works now.
I worked a summer job in a Ticketmaster box office ten years ago and had access to the whole of their UK customer database in order to print off ticket collections. I’d type in a customer’s post code and up came all of the data Ticketmaster held on them… including their password in plaintext.
I had to create an account just to reply to this; as much as TM has its faults this is just false, it does not store passwords in any reversible way or at least hasn't for more than 2 years and all evidence removed.
Source: I am an engineer within TM that has worked on integration between various booking products in the UK market.
Glad to hear their security has improved since then! This was the 2014 Commonwealth Games and I had only recently learned about password hashing so I was particularly shocked that they were exposing passwords to thin clients used by front line employees.
As an engineer within Ticketmaster, I'd be curious to hear your take on the conclusion of the article.
> I think we can all agree: Fuck TicketMaster. I hope their sleazy product managers and business majors read this and throw a tantrum. I hope their devs read this and feel embarrassed. It’s rare that I feel genuine malice towards other developers, but to those who designed this system, I say: Shame.
> Shame on you for abusing your talent to exclude the technologically-disadvantaged.
> Shame on you for letting the marketing team dress this dark-pattern as a safety measure.
> Shame on you for supporting a company with such cruel business practices.
> Software developers are the wizards and shamans of the modern age. We ought to use our powers with the austerity and integrity such power implies. You’re using them to exclude people from entertainment events.
> Have fun refactoring your ticket verification system.
I have been to Ticketmaster events that use reasonably priced, printable tickets, you could even buy a printed ticket with cash. In fact, even though there are so many Ticketmaster events, they are not all working the same way. And Ticketmaster doesn't have the monopoly on shitty practices, the article gives a good example in the beginning.
What I suspect is that Ticketmaster is nothing more than a service provider. The venue/event organizer/... looks at the Ticketmaster catalogue and picks the product they want. There are "evil" products in that catalogue, and they are probably the ones with the best returns, but I am sure people have a choice.
I'd even go as far as calling Ticketmaster "Evil as a Service". So people can say "fuck Ticketmaster" instead of saying "fuck Taylor Swift". I would be very surprised if artists (and their agents) at the level of Taylor Swift didn't have a say regarding ticket sale practices, even with Ticketmaster.
Of course, the monopolistic practices of Ticketmaster are a problem, people are most likely paying more than they should because of it, but all the crap with apps, resale platforms, etc... I am pretty sure the event organizers, maybe the artists themselves are as much to blame.
Often, they do not. The DOJ is currently suing TicketMaster because they have exclusive agreements with nearly all of the large venues and that prevents those venues from using other ticket providers. To be fair to TicketMaster, they argue they are not a monopoly because there are many smaller venues that they are not exclusive with.
But, TicketMaster even requires that artists use TicketMaster's promotional agency if they want access to these large venues.
I wasn't talking about having the choice of using another agency, Ticketmaster is predatory and this is a problem.
I was talking about using Ticketmaster (for the lack of other choice) but using one of the more consumer friendly services Ticketmaster appears to provide. I am sure Ticketmaster won't mind, they get their share anyways.
What I wanted to say is that Ticketmaster may be responsible for your ticket costing $70 and not $60, but for all the other bullshit, they just do what is asked of them (by the artists, venue, event organizers, etc... maybe even the fans themselves). Or at least, that's how I think it is.
You're missing that Ticketmaster (Live Nation) control and own a substantial portion of the venues, the catering, logistics, tour buses, security and so on.
The venue "choosing" the Ticketmaster product is owned by Live Nation.
> Does anyone knows how Ticketmaster works, really?
For the most part, no. I'm actually shocked by how much understanding you are demonstrating in this post. I did not expect to find that on Hacker News.
Tours have some choices, yes. See the Cure tour last year. But no, paper tickets and non-auction prices (for front section) have been phased out quickly.
Some tiny stragglers perhaps. Went to a tiny venue recently but was goldenvoice.
I believe I heard that Ticketmaster let the venue set one of the arbitrary fees and then hide it amongst the rest. So I would agree that the rest of what you said sounds likely.
> If you take a closer look at your ticket, you may notice that it has a gliding movement, making it in a sense, alive. That movement is our ticket technology actively working to safeguard you every second.
This part made me want to throw up, preferably a couple of buckets full, right onto the heads of the marketing team who came up with it.
Kudos to the author of the article. Great work and a great read to go with it.
How about the “Add to Apple Wallet” option? He did not talk about that at all, but AFAIK the ticket would be fully available offline and not in Ticketmaster app, no? It’s actually an elegant solution IMHO.
Yes, it is available offline if you “Add to Apple Wallet”.
The ticket in Apple Wallet is still revocable if you transfer the ticket to someone else using Ticketmaster’s website, probably through an update that Ticketmaster pushes to the wallet [1].
Just recently dealt with this for a big Ticketmaster event. The Apple ID has to match the email address on the Ticketmaster account, or the ticket will show as Void in the Apple Wallet.
But it does solve the offline issue that the blog author was experiencing.
I just added a ticket to my Google Wallet for a concert last night and it was very similar to the Ticketmaster/LiveNation app. The PDF417 barcode changed and had an animation around it. My guess is that it is the same or very similar on Apple devices.
A few months ago I went to Las Vegas to watch U2 at the Sphere. When I learned that I needed to open the app or website in order to get in I panicked in fear of the shitty internet that is common in massive events, so I opened my tickets since I left the hotel. Unless this stuff works completely offline, it is a terrible idea.
I used to work for a mobile event app company that made a lot of the big festival/conference apps. Everything was built to function locally from a sqlite file on your phone that was constantly updated when you did have coverage.
It was 100% expected that you would have no cell signal the entire event and we built in as many mitigations as we could think of.
This was 2013ish, I think there are a lot more mesh network devices that can relay signal nowadays but I'm not involved anymore in that stuff.
It was the best on-call I've ever had because.. nobody had cell signal while the event was on to complain about something.
This person complains that people didn't have network access on their phones when they were at the gate. I can only assume that they waited till they were at the gate to install/use the app so it never got its offline data.
Always open your event apps before getting to the event. Sometimes they're completely bare bones and have to reach out and pull that app's specific database so it's sure you have the latest. Most of the event apps are a template that is modified for each event and just has different assets/sqlite.
What is the worst that can happen? I have it installed on my iPhone and deny whatever permissions it asks for.
I have enough confidence in the sandbox that "installing an app" is basically never an issue (though I don't out of the principle that most things companies have apps for just shouldn't be apps).
Well, as it also notes, it works offline if you remember to open the ticket before you get there, and they don't (or at least didn't used to) give you sufficient warning. I found out that's how it works the hard way when it was new by having to walk a half mile back from the venue to get service to load the tickets.
There's also the chance the ticketmaster app won't work properly later even if you did do it. I've had other apps shit the bed for no apparent reason in offline mode before. I add them to my wallet now just in case.
There's a faire this week in Oregon that draws people in from 500 miles away.
I've been a couple times, and what I've learned that was still not common knowledge to faire vendors as recently as last year is that T-Mobile brings out a mobile cell tower to support the faire, and no other cellular network does.
So if you're trying to accept electronic payments, the whole thing tends to fall over and you only get to sell to people who brought loads of cash and prioritized hitting your booth first. Only the vendors on T-Mobile are able to take purchases for a big part of the day, and a few other people who use the rare billing system that is fine queuing up Visa transactions until after the bulk of people leave. The line for the cash machine sucks up a substantial part of your time budget for the faire, meaning you probably miss out on some things altogether.
I’ve never been clear what the main purpose of these things is but they do seem to get deployed for trade shows and such. Maybe for natural disasters?
Then there are microcells, which can be privately owned. I worked at a place that had one when I was in mobile. There was a period of time when one of the carriers would sell you one if you were having connectivity issues. It’s possible for instance, living on a hill, to have a cell signal on your roof but not in the rest of the house and they can work as a repeater.
Off topic (though the post does go into it a bit): Ticketmaster's current form is entirely due to a failure of government. Decades from now, case studies will be written on how one company managed to have a monopoly on an industry that is so not a natural monopoly.
I recently purchased tickets via SeatGeek and was provided a link to one of these barcodes, which accepted as a querystring parameter an access token that seemingly had a long expiration attached to it. It was hosted on “downloadmytickets.com”, which doesn’t look legitimate and caused me to do this same type of analysis to see how it all worked. Whether or not this was a way to bypass the “security” to enable sale via third parties, or just a very untrustworthy-looking official domain, I don’t know. But in the end it worked fine at the venue. Definitely more stress involved than I would have liked though.
Yes, these systems are getting more popular recently, I believe they are typically being run by large ticket broker platforms.
I don't know about the specific site you mentioned, however the large broker platform Automatiq runs a number of domains like this, where they effectively proxy the original ticket token, recreate it with TOTP just as in this article, and display it to any user who has the right link in a similar format to how TM displays it. They advertise this service as "Transferless Delivery" to their ticket reseller customers. The main Automatiq one is called "secure.tickets".
It reduces work for sellers, because they never even have to transfer the tickets out of their Ticketmaster account anymore. Of course, it's horrible for buyers because they have no idea whether the random website link they were sent is actually going to serve them a barcode corresponding to a real ticket or not, or whether the site will be up, and they have no rights to the ticket as far as the primary ticket issuer (TM) is concerned, buyers don't even know the name on their own tickets.
Seatgeek and StubHub seem to be aware of these systems because of how closely they work with ticket brokers, and just coach customers to accept them if they are from any of the domains known to them. See https://support.seatgeek.com/hc/en-us/articles/2074030716443... the Automatiq site is called out specifically on that page.
Who thought it was a good idea to require an internet connection at an event. For anything, not just ticketing. It is as if the people who designed these apps never went to a large event.
No internet is the rule, not the exception. Sometimes, you can't even send a SMS. Apps designed for use in events should always work offline, and if internet use is justified, take into account latencies in minutes and use bandwidth sparingly. Failing to do that will make the experience terrible for everyone, as bandwidth will be saturated by thousands of phones trying to do something with that damn app.
At least Ticketmaster does it somewhat right here. The app is supposed to refresh the ticket 20 hours before the event, to account for the fact that the internet may be unavailable at the gate.
> There’s no risk that your ticket won’t get you in
Isn’t this not true? The risk with printable tickets is that a seller could sell it to multiple people, who all print it out, but then only the first person who uses it can get in?
Even if the venue doesn’t check to see if a ticket has already been used, only one person can sit in the actual seat.
> The risk with printable tickets is that a seller could sell it to multiple people, who all print it out, but then only the first person who uses it can get in?
Note that the portion of that you're quoting that you didn't quote is "If you bought the ticket off the event’s official ticketing agency (not a sketchy reseller)"
I.e., we're specifically talking about someone holding a ticket that they purchased from Ticketmaster. If there are multiple copies floating about, presumably at some point the artist (/the actual event) is going to be unhappy that Ticketmaster is screwing their fans/attendees over.
Ticketmaster has a system for transferring tickets, if you want to buy or sell tickets.
There could very well be a reason for someone to only sell a physical ticket, or not transfer it through ticketmaster, but I have yet to find anyone but scammers that want to do that.
The reason is, just as you mention, that scammers will try to sell multiple tickets. Then one (or many) sucker turns up to the venue, only to discover that the ticket has already been validated.
Let's face it, the real problem with ticket sales is scalping. OP may not like Ticketmaster, and doesn't want to install the app, but the majority of fans don't have a problem with that. The real problem for most fans are the scalpers who push prices out of their budget.
Of course we all like to dream up all sorts of technical crypto solutions to this, preferably decentralized to remove evil Ticketmaster from the equation. But I don't think the ticket scalping problem is a technical problem per se. I believe it is because tickets are currently sold under the wrong terms, which encourages scalping.
A possible solution could be to make tickets non-transferable, but always refundable. So only you (the buyer of the ticket) can use it, but you can't resell it. But if you decide not to go, you should be able to refund the ticket to the ticket office for full price. The ticket can then be sold again to someone else, for the same price.
Now, of course this is a naive idea. There are many practical and technical challenges to it, not to mention the politics of the entertainment industry. I'm not too familiar with the event industry, so I'm not sure if this would even align all the incentives, but it would benefit the fans and the performers who care about their fans.
> tickets are currently sold under the wrong terms, which encourages scalping
The incentive to scalp arises from the likelihood that a ticket will be worth more in the future (buy low, sell high) and that future worth is established by scarcity (sold out shows). To help eliminate this likelihood, the original price (face value) needs to decrease over time, ideally in such a way that the final original ticket sale occurs right when doors open, because the sooner that occurs, the bigger the opportunity for scalping. "Dutch auction" [0] is one implementation of this concept, though it's typically to find the most money a single buyer will pay, whereas in this case we have thousands of buyers. Perhaps the rate at which the price declines could be dynamically adjusted to aim for N% sold when N% of the on-sale timeline has elapsed, for any N.
The problem is convincing promoters/etc. that this would be as profitable for them as the status quo. But it might be!
This is terrible - right now the random 17 year old middle-class kid at least has a small chance of getting a somewhat reasonably priced ticket to a popular show. In your model, they have zero chance.
Auction models are good for price discovery but this isn’t a price discovery problem, it is a supply problem. Believe it or not, artists don’t always want to maximize revenue from a ticket, they want fans from lower income brackets to be able to attend as well.
> Let's face it, the real problem with ticket sales is scalping. OP may not like Ticketmaster, and doesn't want to install the app, but the majority of fans don't have a problem with that. The real problem for most fans are the scalpers who push prices out of their budget.
No, the problem is artists wanting to falsely advertise low prices, and using gimmicks like first-come-first-served ticket sales and "scalpers" (usually fake, sometimes hired by the artists themselves) to do it, and the "fans" buying into this whole false narrative. If artists would honestly sell, and fans would honestly buy, at the actual prices, then the whole kabuki play of "evil scalpers" could be avoided.
And (and I think you were implying this), Ticketmaster giving themselves complete control over the still existing scalping market which they use to boost their own profits without any benefits over the standard scalping market (arguably also including further downsides).
Yes, non-transferable tickets would fix the scalping part of it. I'm guessing the face value would go up a lot in that case, and that's fine... at least it's an honest market then and ticketmaster cannot pass the blame on to the scalpers.
> The real problem for most fans are the scalpers who push prices out of their budget.
Isn't that the market sorting itself out? What do you want, planned economy? How is fixing the price on a ticket different than the soviet union stamping prices directly onto manufactured items. I meant this to be sarcastic, but it's only half so, since I find the comparison appropriate, you know free market and all.
Nice reverse engineering! As a hacky way for the non-tech-savvy, couldn't you use a temp account to create ticketmaster account and then buy the ticket and then sell the temp account information to bypass their rules?
This reverse-engineering also breaks if ticketmaster forces venue staff to only scan if the barcode is in the ticketmaster app. Unless you create a lookalike app to trick the staffers.
I am not an expert, but I think one of their layers of protections (that is, to ensure that TM itself gets the greatest share of scalping money) is applying much greater scrutiny to freshly-created accounts when it comes to the in-demand events. I'm not sure how they effectively bootstrap new legit users of course, but I've been offered I think around $100 to sell my Ticketmaster account, which is old. (I can't recall how they found me, perhaps it was an ad just stating that they'd buy an account older than X years).
Phone number? The friction/expense of a scalper getting a new one for every sale would seem sufficient. Although I guess the scalper could reclaim (via password reset or whatever) accounts after the show to some extent.
Good luck forcing a check like this at a busy event venue.
I once paid at Starbucks with the Apple Wallet barcode appearing in a photo of my phone displayed on the back of a DSLR. Plopped my not-remotely-iPhone-like Nikon D800 on the counter lens-down, LCD-up, barista scanned it without a second thought.
It's one thing for customers phones' wifi issues to be a problem, but it's an even worse problem if the scanner itself needs reliable connectivity. That makes me wonder if there is some kind of delegated deterministic derivation step in the secrets too (which wouldn't be obvious in this kind of analysis), so that the handheld scanners can avoid an on-line dependency.
They needed reliable connectivity in the previous scenario (checking barcodes against a central db) - they just set up a local private wifi network for the handsets and all the venue devices.
Otherwise I can't see how you would avoid replay attacks.
You can do time-based binding. Many TLS/Quic 0RTT take this approach; where the signature is only valid for a second or so. It's not as good as a real strike register, but probably ok for this kind of environment. Of course the barcodes would need to be more dynamic, but that's doable.
And this is why those companies love DRM'd (non-rooted) devices and try to detect when you broke this form of DRM: you can't get at your data, not even to make a backup of it; they're in full control. Also for security (can't grant root to malware if you don't have the permission to grant that), but also for everything else
You could extract the barcode at all times in the future by setting the system clock (you can do this on non-rooted phones, and keep it that way at least if you do it in airplane mode).
The Android docs mention a "secure timer" in the hardware security module, but I'm not sure that it can be used to prevent this.
> Software developers are the wizards and shamans of the modern age. We ought to use our powers with the austerity and integrity such power implies. You’re using them to exclude people from entertainment events.
I can definitely think of worse things programmers are doing aside from making it mildly difficult to see Taylor Swift.
I have personal qualms with working in certain industries because of this, but Ticketmaster ultimately provides a luxury. You don't need to see a concert, and if you have such an issue with their business practices you can do something else with your Friday night.
I've actually never had an issue with Ticketmaster. At a point a certain other ticket provider just blocked me without any explanation, and I had to go down to the box office to buy tickets. That sucked, but compared to airlines who do weird things like print off tickets without the actual seat number, Ticketmaster doesn't bother me too much.
You’re not considering the stagehands and artists who have to live under Live Nation’s vertical monopoly. I was chatting with a former tour guy the other day, someone who’s been a tech for major touring bands since the ‘80s, and he mentioned that he had to quit the business because Live Nation had driven wages down below poverty level while bringing in random unskilled labor to do highly-technical stage setups. (He quit after almost losing a hand to a large piece of unsecured stage equipment.) The enshittification of modern life is an inconvenience to most of us, but life and livelihood to many others.
> Ticketmaster ultimately provides a luxury. You don't need to see a concert
I don't agree. Entertainment/recreation is a need. Music is an important part of the human experience, and seeing it live, with other fans, is really valuable to some people. And the fact is, the value a person places on the experience is totally orthogonal to their ability to use/afford Ticketmaster. And it's not just about Taylor Swift - even local shows can be difficult to access without quarrelsome online portals. (But also, someone being obsessed with Taylor Swift isn't a personality flaw.)
I agree that experiencing music is a fundamental part of human life, but experiencing specific musicians at specific venues is not. It is very easy to find free live music without Ticketmaster or online portals.
A $COACH_COMPANY in the UK has recently announced that they are moving to only app-purchased tickets. Except tickets purchased directly from the driver, which is VERY expensive.
Well, F.U. $COACH_COMPANY. I don't want to have to install your app for that, but I guess I won't have any other option if I need to get to the airport.
I'd say this highly depends on the fastidiousness of the ticket taker and the rules of the venue. I purchased Major League Baseball tix recently through my employer which uses a 3rd-party seller site that has restrictions like this (a moving graphic behind the barcode with the admonishment not to take a screenshot because it won't work).
I was unable to attend the event that night so I sent my wife a screenshot of the ticket. Two tickets, in fact. They were taken with zero issue.
> Software developers are the wizards and shamans of the modern age.
No they are not. The big difference is that wizards and shamans closely guarded their secrets to keep their position secure, while software developers will happily give them away to as many people as possible.
This means that software developers as such have close to zero leverage.
A system like that could work in an entirely disconnected mode where the "ticket" device has a cryptographic token whose signature can be checked at the door without either side having internet access. The weakness of that system is that you can't "revoke" or sell tickets. Such revocation would be possible though if either the ticket or the validator device is internet connected.
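The offline check described in the comment above, combined with the time-based binding and strike register raised earlier in the thread, as an added example that is not from the article, the commenters or Ticketmaster. It assumes a shared HMAC event key on the scanner in place of a public-key signature (Python's standard library has none); the 15-second step, the code layout and all names are hypothetical.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 15        # assumed rotation period of the displayed code
ALLOWED_SKEW_STEPS = 1   # tolerate one step of clock drift either way


def derive_ticket_key(event_key: bytes, ticket_id: str) -> bytes:
    """Derive a per-ticket key so the scanner only has to hold the event key."""
    return hmac.new(event_key, b"ticket:" + ticket_id.encode(), hashlib.sha256).digest()


def _tag(ticket_key: bytes, step: int) -> str:
    """Truncated MAC over the time step; this binds a code to one time window."""
    return hmac.new(ticket_key, struct.pack(">Q", step), hashlib.sha256).hexdigest()[:16]


def make_code(ticket_key: bytes, ticket_id: str, now: float) -> str:
    """Holder side: the rotating code that would be rendered as the barcode."""
    step = int(now // STEP_SECONDS)
    return f"{ticket_id}.{step}.{_tag(ticket_key, step)}"


class OfflineScanner:
    """Gate device that verifies codes with no network connection.

    `revoked` stands for a list synced the last time the scanner was online;
    `admitted` is the local strike register that stops a second admission.
    """

    def __init__(self, event_key: bytes, revoked=()):
        self.event_key = event_key
        self.revoked = set(revoked)
        self.admitted = set()

    def check(self, code: str, now: float) -> str:
        try:
            ticket_id, step_text, tag = code.split(".")
            step = int(step_text)
        except ValueError:
            return "malformed"
        if not 0 <= step < 2 ** 64:
            return "malformed"
        expected = _tag(derive_ticket_key(self.event_key, ticket_id), step)
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            return "bad-tag"
        if abs(step - int(now // STEP_SECONDS)) > ALLOWED_SKEW_STEPS:
            return "expired"            # e.g. an old screenshot of the barcode
        if ticket_id in self.revoked:
            return "revoked"
        if ticket_id in self.admitted:
            return "already-admitted"   # replay inside the valid time window
        self.admitted.add(ticket_id)
        return "admit"


def demo():
    """Run constructed sample tickets through one scanner and return the verdicts."""
    event_key = b"constructed-demo-event-key"      # constructed sample value
    t0 = 1_700_000_000.0                            # constructed scan time
    scanner = OfflineScanner(event_key, revoked={"B-7"})
    fresh = make_code(derive_ticket_key(event_key, "A-101"), "A-101", t0)
    stale = make_code(derive_ticket_key(event_key, "C-1"), "C-1", t0 - 600)
    voided = make_code(derive_ticket_key(event_key, "B-7"), "B-7", t0)
    return [
        scanner.check(fresh, t0 + 5),   # first presentation
        scanner.check(fresh, t0 + 6),   # same code shown again
        scanner.check(stale, t0),       # code captured ten minutes earlier
        scanner.check(voided, t0),      # ticket revoked before the event
    ]


if __name__ == "__main__":
    print(demo())
```

Two scanners that do not share the `admitted` set would each accept the same fresh code, which is why the time window alone is weaker than a strike register shared across the gates.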
I saw the New York Red Bulls play not long ago and had to use Ticketmaster's system for the first time. I travel with a tablet, not a smartphone, and I was expecting trouble. Turns out the only trouble I had was that they didn't want to let me in with a tablet but they did when I explained my ticket was on my tablet. It did require an internet connection but Red Bull Arena has great WiFi so that was no problem.
> Based on this, it might be reasonable to assume the rawToken is only valid for a 20 hour period
Bet your bottom dollar it’s good for 24h and they added 4h of buffer in their API guidance to handle admissions after the start of the show “for free.”
Not that this really gets you anything, just made me chuckle.
One thing this article kind of misses: You need that unique token... Ok, you can get it in some way.. But ticketmaster should keep it private, then, even if you know the algorithm. You still can't do a lot without the token......
So he reverse engineered it, but it's still secure: You need the token.
It's a little bizarre to me that they are annoyed at being dependent on the signal but want to avoid Google Wallet because ... privacy? What privacy do they have so far? I can understand keeping your credit cards off of it, because Google is obviously getting a list of all your purchases. But there's nothing really private about having a ticket to a concert through Ticketmaster. They "take your privacy seriously" and sell your information to commercial partners and send you offers of things they think you're interested in.
What I find really interesting is that there are so many scams that the rejection of tickets is common enough to go unnoticed. Someone testing out their new "F-ticketmaster" ticket generation tool is free to test it in the real world. If it doesn't work they will simply be turned away at the door like so many others who have been scammed. Nobody would notice the test.
But if each ticket is for a particular seat, would ticketmaster notice if two people came with tickets for the same seat? I bet not. I bet they just trust their ticketing system to be foolproof. If anything they might just reject the second ticket without any way to know which was authentic.
Reading this reminded me when last year I found a few old venue printed ticket stubs to concerts I went to in the late 90's and 00's. I almost threw them out when I realized they weren't really taking up space and could be maybe put into a collage or photo/scrap book. I just suppose I find it laughably absurd that something as mundane as a ticket stub was replaced by an energy wasting Rube Goldberg contraption that doesn't do anything for the person who wants to go to the concert.
I agree about the bad implementation, but the opening complaint that "old way of printable tickets was great why change it" has so many problems.
Scalpers are the problem that you have to accept. At the time of purchase, there's no way to tell the difference between a legit purchaser and a scalper or even someone who bought it and simply can't go and needs to resell.
IDs, ticket limiters, CCs, etc, etc. All methods can be circumvented by someone dedicated enough. You can only make it "not scalable" but the tickets still need to be transferable, securely.
Unless we're willing to go ID checking at the gate, there's not going to be a true solution.
Buying something at a low price and selling it at a high price is arbitrage 101 and is free money.
The "true solution" is to sell tickets at their actual market price instead of pretending that the face value of concert tickets isn't increasing due to a larger population and greater demand.
People will scream (including in this thread) that it’s “unfair” that ‘only the wealthy can afford them then’ but their beef is with scarcity and thus with reality. It’s always “unfair” to the 10,001st person who wants to attend the concert with 10,000 capacity. Today it’s a weird lottery with 6 different fan and credit-cardmember presales, which each sell out immediately, and the “backstop” at the end which is the ability to buy expensive scalped tickets.
There are finite tickets but unbounded demand. A lottery means you can slightly adjust the distribution of poor vs rich, but in practice today it still advantages those comfortable enough to sit around refreshing their computers at the right moment, instead of working. And lots of opportunists will snap up those tickets you are hoping poor people will get, to sell them to the wealthy.
In my opinion for in-demand shows it should just be a Dutch auction (all of the highest 10,000 bids win, awarded at some fixed cutoff date before the event). If not enough bids are received, the concert isn’t sold out, so then the rest go on sale for the lowest bid.
> The "true solution" is to sell tickets at their actual market price
That is *a* solution but it isn't *the* solution. The fact that many smart people are not choosing that solution is an indicator that there are some factors to the problem that you aren't considering.
> Buying something at a low price and selling it at a high price is arbitrage 101 and is free money.
A bit of a nit pick, but this isn't "free money" unless you have a guarantee that someone will actually buy at the higher price. You could buy low, be unable to sell, and end up eating the "buy low" cost.
> sell tickets at their actual market price
How do you know what their actual market price is? You have to open it up to a market, where supply/demand get to play out.
IIRC some ticketing company tried doing something to this effect by scaling prices in realtime based on how many people were also trying to buy. I believe it was widely criticized as unfair/exploitive.
So you're back to square one then, where you have to set some price.
It's interesting how the real problem here is that our economic system has no way to sell a product at what the seller will bear, only what the buyer will bear.
I think this is a fascinating feature, a lot of artists would be more than happy to make $X for a show so that their fans can come see them. The problem ends up that a free market has no mechanism for that, the artist can sell the tickets such that they end up with $X but then you get things like scalpers who don't want to see the show but do want money and act like artificial demand. They know that regardless of what the seller wants there are buyers that will pay $X+N and want to capture that $N.
The scalper provides no value to the market, but they get $N, which seems like a market failure to me. The fans lose $N, the artist still only gets $X and they also get reputation damage because fans are upset that things cost $X+N.
And that's just the end of it. The artist literally can not perform for their fans at a venue for $X even if that's what they want, there's just no mechanism in the free market to make that function correctly. I find market failures like this fascinating because it really shows the limits of how "free" markets operate. The only person that isn't free to do what they'd like is the producer of the good being sold, they literally can't sell it for less than the market will bear.
And I suppose this plays out for every part of the market, if I can produce apples and make a profit for $1 a bushel and that's plenty of money for me, I don't want any more, tough shit. Arbitrage will make sure that people pay more for those apples. If people are willing to pay $5 a bushel then someone will snap up my cheap apples, mark them up and make a bunch of money for doing nothing. Even if I were willing to do all the distribution myself, if the person conducting arbitrage adds no value to the system (the common argument being that they deserve the money for finding cheap apples and connecting people that demand apples with a supply of apples), it just can't happen. The incentive to make that free money means everyone loses, I don't get to give people cheap apples, people don't get to enjoy cheap apples, everyone is worse off except for the person doing arbitrage.
IOW the true solution to scamming is to raise prices so high that only the extremely wealthy can afford them, regardless of how accessible the actual concert/act/group/promoter wants the show to be.
The "real" solution here would be for Ticketmaster (or whoever) to actually make a ticket non-transferrable somehow, and then allow for tickets to be transferred directly through the original website for at most the original ticket price, and refund me the money.
For example, if I have a $200 ticket and I can't make it and want to sell it, I can post up a link to the original ticket seller's website (in this case Ticketmaster) where someone else can go buy it, and, if they do, I get a refund of the amount they paid. I can say how much I'm willing to accept (full price, $150, whatever) and someone can go buy "my" ticket, potentially at a loss if I'm willing to accept it. Ticketmaster can make money on these tickets by charging a non-refundable processing fee or whatever to everyone (the original buyer and any subsequent re-buyers). They make a tidy profit, everyone gets what they want.
The only complications are
1. making the tickets non-transferrable but also work offline is a difficult technology problem
2. Ticketmaster is an unregulated monopoly and thus has no incentive to behave in the best interests of the market or its customers when they could rake in millions more by screwing everyone except the scalpers
As far as I understand, this can't be done due to PR.
"evil scalpers are exploiting this poor artist by charging outrageous prices and preventing many fans from going" is a far better look than "evil artist is exploiting their poor fans by charging outrageous prices and preventing many fans from going."
To prevent scalping, you'd need a massive price increase, and very few artists are willing to be the first to do this.
The market sets a clearing price for the ticket as commodity (i.e. for a single event). However, in the iterated game that is the spectator-performer relationship, the seller may _strongly_ prefer yielding some of their benefit to the buyer in exchange for long term EV, positive PR, or just plain old goodwill.
The problem is maintaining a mutually-beneficial but economically suboptimal equilibrium.
The reason they don't do that is to have an organic fan base of poor people who drive up the prices for the rich people. If you eliminate the poor people, the rich people aren't going to take the band forward. They'll move on to whatever the next shiny thing is. You need a hardcore fan base of poor people to support and grow your valuation.
Buying a single-use item at any price and then selling it on at any price to multiple people is fraud.
Fiddling with the prices does absolutely nothing to fix that problem, because it isn’t a problem with price, but a problem with developing an unduplicatable token.
Ticketmaster is evil, and most resellers are fine, but some are evil and that’s a problem this at least attempts to solve.
It's only free money if there's no risk, and if there's no transaction cost to acquiring at the lower price. If there's no risk in buying something low and attempting to sell it high, then that thing is mispriced.
That's because there isn't a difference between a "legit purchaser" and a scalper except their intentions, which you can't get from any kind of barcode.
> TicketMaster markets their SafeTix technology as a cure-all for scammers and scalpers
Scammers - yes; but how scalpers? Does this mean there is no way to resell or give the ticket to another person?
Edit: The answer was a couple of sentences later; looks like yes, unless via an official marketplace. I like this even less than scalpers.
"SafeTix makes it harder for people to resell tickets outside of TicketMaster’s closed, high-margin ticket-resale marketplace, where they make a boatload of money by buying low and selling high to customers with no alternative."
> Shame on you for abusing your talent to exclude the technologically-disadvantaged.
Very minor nitpick: I don't like the term "technologically disadvantaged" here. While it is undoubtedly true that there are many people who are without smart phones due to economic reasons, or because their battery died or their phone was just stolen ... there are also lots of people, myself included, who would CHOOSE to forgo a smart phone when attending a concert / event.
My wife and I live in a city with a Caesar's hotel and casino within walking distance. When there are shows and concerts we are interested in, we don't hesitate to buy tickets. When we go to such a show for a date night, we would like to leave our phones at home. Some of this might be due to our being middle aged, and so we're not glued to our phones 24/7, but it's also just a hassle to bring them through security, and to often have to put them in those lock bags because they don't want people recording etc.
So to us, e-tickets are evil for no other reason than the fact that it assumes that we want to have a phone on us and to use it as a ticket. I will happily pay the fee for a physical ticket whenever available.
People always cite exclusivity deals / monopoly power when it comes to Ticketmaster's dominance, but I also recall reading post-mortems about several failed competitors that indicate the problem Ticketmaster solves (massive spiky demand with strict guarantees on the seats selected) is quite technically challenging. I know, it doesn't seem like it would be that hard to solve, you're probably already thinking how you would do it. But you can't ignore that many others have tried and failed.
I got tickets for a concert in UK, which could only be bought if you had UK Ticketmaster app. No, the international version of Ticketmaster app did not have these. Had to get me a blank Android phone, had to initialize it pretending I'm in UK via VPN, so I can see the UK Android Playstore (got my phone number blocked by Google in the process - "too many verifications from this number"). Then, it finally let me get the tickets and actually see the dreadful barcode in the app.
Impressive. I had no idea mobile-only tickets are a thing. For me it's always been the other way around because sometimes some events would insist on a printed ticket even if it comes as a PDF with a barcode. This sort of thing became annoying enough to me that I bought a printer.
But then ticket resale online marketplaces aren't a thing around here either. When people resell event tickets, it's usually an entirely DIY affair.
> They can’t have robust DRM on their tickets if those tickets can still be viewed offline.
Of course they can. All they need is a secret key embedded somewhere that the app can access but you can't. It's just a happy circumstance that they used a simple protocol in which the key is easily extracted. But they could have used a proper PKI protocol instead, which would have made it much harder, if not impossible, to hack.
If the app can access it (offline, on your device), then what stops a developer from using tools to extract the token from the device, either from wherever it's stored in memory or using an interactive debugger to extract it as the app requests it?
Great post. While I'm all for messing up greedy companies, this is a clear example of why JavaScript should never be used for security. Executing the code locally, plus the ability to read the source code, fundamentally goes against securing your application. It doesn’t mean that not having those will make the application more secure, though.
Another case of abusing TOTP, an excellent technology that promised convenience, security, and offline access. Similarly, Duo builds their stuff off TOTP and then fends you off from using (or makes it very, very hard to use) a third-party TOTP authenticator with their sites.
This company just jettisons the fine promise of being available offline that was made by TOTP.
Very cool post, but as someone who has been on the other side of the situation, I do have sympathy for what they are trying to accomplish.
I bought a ticket that someone had double sold, and by the time I got to the door, they turned me away and said the ticket had already been used. So their system has good intentions, they just need to make it work offline.
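The trade-off argued over in the comments above (a rotating code that still verifies offline, the double-sold ticket, and a key that has to live on the buyer's device), as an added example that is not part of the thread and not TicketMaster's or AXS's code. It assumes standard RFC 6238 TOTP (HMAC-SHA-1, 30-second step, 6 digits); the `Gate` class, ticket IDs and timings are hypothetical, and the secret is the RFC's published test key.

```python
"""Offline gate check for a rotating (TOTP) ticket code. Illustrative only."""
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # assumption: RFC 6238 default time step
DIGITS = 6         # assumption: 6-digit codes


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP with HMAC-SHA-1 and RFC 4226 dynamic truncation."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class Gate:
    """Hypothetical door scanner with no network connection.

    It was provisioned with each ticket's secret before the event and keeps
    its own list of admitted tickets, so both checks work offline.
    """

    def __init__(self, ticket_secrets, skew_steps=1):
        self.ticket_secrets = dict(ticket_secrets)
        self.skew_steps = skew_steps  # tolerated clock drift, in time steps
        self.admitted = set()

    def _code_is_current(self, secret: bytes, code: str, now: int) -> bool:
        for drift in range(-self.skew_steps, self.skew_steps + 1):
            t = now + drift * STEP_SECONDS
            if t < 0:
                continue
            # Constant-time comparison of the presented and expected codes.
            if hmac.compare_digest(totp(secret, t), code):
                return True
        return False

    def scan(self, ticket_id: str, code: str, now: int) -> str:
        secret = self.ticket_secrets.get(ticket_id)
        if secret is None:
            return "unknown ticket"
        # Rotation: a screenshot or PDF of an old code fails here.
        if not self._code_is_current(secret, code, now):
            return "stale or invalid code"
        # Single use: a second holder of the same secret produces a valid
        # code, so only this local record stops the double entry.
        if ticket_id in self.admitted:
            return "already used"
        self.admitted.add(ticket_id)
        return "admit"


def demo():
    secret = b"12345678901234567890"  # RFC 6238 test key, not a real ticket
    gate = Gate({"T1": secret})
    bought_at, door_at = 59, 1111111109  # constructed timestamps
    screenshot = totp(secret, bought_at)  # code captured long before the show
    return [
        ("old screenshot", gate.scan("T1", screenshot, door_at)),
        ("live code", gate.scan("T1", totp(secret, door_at), door_at)),
        # Anyone holding the same secret computes the same valid code.
        ("second holder", gate.scan("T1", totp(secret, door_at + 5), door_at + 5)),
    ]


if __name__ == "__main__":
    for label, result in demo():
        print(f"{label}: {result}")
```

Rotation only defeats static copies of a code. Whoever holds the secret can mint current codes, so the duplicate-entry check and the protection of the key on the device carry the rest of the guarantee.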
> This ticket is digital. Saving data offline is the same as copying it to your hard drive. If data can be copied, it can be transmitted. If it can be transmitted, it can be shared. If it can be shared, it can be sold.
Is this still true in the age of locked-down bootloaders, secure enclaves, TPMs etc?
Side note: this is actually a great advertisement for server side rendering! If they didn't do all this client side rendering, exposing data in JSON APIs, then I doubt this reverse engineering would have been possible.
I see what you mean. The barcode wouldn't work offline.
It seems like that didn't matter at the venue though? The spotty internet connection not allowing the code to load was the first part of the article wasn't it?
Setting up separate accounts for every ticket purchase seems like a LOT of overhead (especially scalpers buying many tickets at once and piecemealing them out), and is easy to defeat, e.g. require out of band auth via the phone number associated with the account before logging in for the first time on a new device.
Would be interesting to see the same done for the UEFA ticket app.
They use QR codes that are activated/visible only when the user is on site, detected via Bluetooth.
They claim that secondary use is then not possible.
One possible reason I can think of is that phone camera apps will not proactively read PDF417 barcodes like they will QR codes, thus discouraging people from thinking they can scan and decode them.
PDF417 has non-square pixels (or rather as it's called in barcode nomenclature "modules") which feels very janky - it was meant for linear scanners after all.
Oh, and quoting Wikipedia:
In practice, a PDF417 symbol takes about four times the area of a DataMatrix or QR Code.
This was a fun read. I wonder if they reported it to a bug bounty program of theirs. Based on his writing how he feels about their business I'm going to guess no.
> This is a contradiction in TicketMaster’s marketing. They can’t have robust DRM on their tickets if those tickets can still be viewed offline.
The "robust DRM" is called "ID cards". Here in Europe, it's become commonplace to tie soccer tickets to ID cards that are verified at the gates to keep hooligans (or those suspected of being hooligans, which is a status that is way WAY easier obtainable than one might reasonably assume) out, and high-class events that attract scalpers like a pile of dung attracts flies have been doing that for even longer.
Huh, weird, it turns out an old, low-tech solution is much more secure than Ticketmaster's roll-your-own weird TOT-QR "security" (even considering the magic animation that makes it "in a sense, alive")
(Not that requiring ID doesn't raise the same and also other consumer rights issues)
The thing is, unlike most of Europe, the US doesn't have a legal mandate for anyone to possess an ID card, and so in practice you got 50 states worth of driver's licenses, library cards, military or government employment IDs that can be used (or faked)... so you can't really use these for legitimately verifying anything unless you want to spend a lot of time and money to train your staff to spot fakes. Banks can do that but no one wants to do that for the goons that run security at venues for minimum wage.
I get the loathing for Ticketmaster and all, but can we just also acknowledge that the only reason they can do what they do is because the various entities they collaborate with participate in the monopolistic cartel scheme?
Can we also please acknowledge that if people stop going to the things Ticketmaster sells tickets to, they will stop these practices? No one is forcing people to participate in these things; I don’t.
Lastly, it even calls itself Ticketmaster. And you didn’t realize you are a Ticketslave? It is right there, in the name! Right in front of your eyes!
It always amazes me what they can get away with and people just behave like buffalo on the Serengeti, stampeding through the croc-infested river … “those crocs are the worst! Ok, Karl, we are up next”
Instead of chiding your TicketMASTER devs and alpha slave MBAs, maybe stop being a TicketSLAVE altogether. Has that dawned on any buffalo?
Fun fact, to drive the point home. Guess how the predators of the Serengeti are treated when they want to go to an event. You think they deal with Ticketslavery even though the Ticketslaves is how the cabal makes its money?
I know the discussion has drifted into the larger realm of ethics and civic responsibility. But with respect to the original title, I always thought that it would be trivial to create a software 'tumbler' the logic of which was based on primitive examples, such as this.
Edit: each user could have their own initial state.
https://en.wikipedia.org/wiki/Alternating_step_generator
granted you'd need to ramp up the bits to make them less crackable.
Then all you'd need is some translation to 2-d QR scancode graphics and a silly sliding bar and voila! Ticketmaster hegemony.
But yes, it's disgusting that I've needed a phone for events...
I am sure this is pointed out elsewhere, but Ticketmaster's business model is based on lying to the public so that the artists and venues don’t have to.
Taylor Swift is a nice-ish person and wants her fans to think they can buy tickets for her shows at about 25 bucks because that’s a lot of money for a 12 year old and she does not want to alienate her fans.
Her manager is an evil cackling bastard and wants to get as much as he can.
He knows if he sells all the tickets for 25 bucks he will lose money in the tour and the people who resell the tickets for 2000 will make 1975 dollars profit.
So he does a deal with ticketmaster.
They will sell 100 seats at 25 bucks, then announce “wow that sold out quickly” and then pretend that the other 5000 tickets they have are sold, and then resell them on secondary sites (i.e. Ticketmaster is actually selling you original tickets through secondary markets).
Then they give the cash to the evil manager who twirls his moustache.
All the rest, the adding extra charges at end of sales process, the ridiculous rush to buy at a given moment in time instead of some auction or lottery, the whole thing of backhanders to venues, all that is secondary to enabling Taylor Swift to take a huge cut without seeming like an evil moustache twirling money grabbing manager.
I'm not sure this is true. Most (~80%) large venues are owned and operated by Live Nation, who also owns Ticketmaster. They also have exclusivity agreements with hundreds of others.
It's, in effect, a shell operating as a scalper and a customer service disruptor. This has very little to do with the artist beyond selecting venues.
I don't think this is accurate. Ticketmaster/LiveNation control most good/big venues so artists have to deal with them in some way. Artists generally don't want to charge market clearing prices to their fans (for niceness and PR reasons) but Ticketmaster is happy to be the bad guy and do that via exorbitant fees. I'm very in favor of breaking up Ticketmaster but we should be clear-eyed about what that will do: it will transfer money from either Ticketmaster to scalpers or transfer money from Ticketmaster to artists.
Fundamentally, if there's someone out there willing to pay up to $x for a space-limited event, they will find someone to give that $x to. I'd rather that person be the artist.
There was an article in the LA Times a few years ago with the former CEO of Ticketmaster who explicitly confirmed the above. Ticketmaster does a deal with the band to charge as much as possible and take all the negative blowback or whatever about it and then gives them a kickback.
The grandparent is implying that "Taylor Swift" and the "Evil Manager" are two sides of the same coin; they don't need to even be different people. The system lets a (big) artist extract value while keeping their public image clean. It's a shell game, and Ticketmaster plays the role of bad-guy-as-a-service.
Of course, their insane monopoly means they also get to take advantage of smaller artists, venues etc. None of this is good.
Why shouldn't the artists get a cut of the greater-than-MSRP resale? Yeah, I realize that some pretend that the MSRP is the real price, but if anyone should get a cut of the jacked up fees, it should be the people on the stage or producing the show.
There was a trial in 2009 that had Katy Perry’s contract with Ticketmaster released into the open - cannot find it at the moment but it was explicit about how many tickets would be available for her to sell etc
This is all open and documented in the upcoming prosecution by US attorney - also cannot find atm
Face value on tickets for her last tour started at 75.
All that money went to Taylor. ALL OF IT.
How do you pay for support staff, trucking? How do you pay to move t-shirts from one venue to the next?
This is where all those fees come in... It's not the manager grabbing the money (that bit is later), it's the promoter covering the cost of the tour. Paying for staff to haul and set up a stage at every venue, paying for band members, dancers, people to run lights...
The Management (and the artist) will then "hold back" tickets. Most of the best seats are sold one of two ways. Fan club packages, where you pay 3000 bucks to meet the artist, get a photo and get a good seat. - OR - they go directly to the secondary market. This used to be scalpers (who "worked" for management) but now is secondary sales sites.
There are still two more bits: Concessions. Most artists get a pretty hefty kickback after covering venue staffing. These contracts can be weird, but artists, managers and promoters LIKE Ticketmaster being a one stop shop. It lets them negotiate a single deal (and one that is better for the artist) for the whole tour. Then there is merch, this is a gold mine for the artist and management too. Again there is a staffing component but that is covered by the concessions (mostly).
In a lot of cases a venue will not sell out, and that is FINE. What happens is that the "fans" ran to the front of the line and paid too much for tickets, bought on the secondary market to get good seats. In many cases there was so much money made at this stage that the monetary value of the rest of the tickets drops to zero....
At that point no one wants a half-empty venue... So it gets papered over. They give away tons of free tickets, they "leak" a late box office hold being released... but it's now a fire sale. The nose bleed seats are selling for 5-10 bucks (even in today's market). Because asses in seats sells beer, t-shirts, and a full venue makes it an "experience"
This is the model that Bill Graham built and the vision of the industry he was going towards. TM is still, at its core, Bill Graham Presents.
I used to work in the industry, it's a hot mess and everyone is greedy.
Not sure why you are saying Taylor Swift's fans are 12 year olds because they aren't. The average age of a Taylor Swift fan is closer to 30.
And because of Taylor Swift there is now a DOJ investigation of ticketmaster. Taylor Swift is not on the side of ticketmaster like you are conspiracizing.
I can't confirm what they said, but TicketMaster does have a "partner" reseller program for scalpers where they have tools to help scalpers list and manage resale tickets in bulk. They also have events where they help teach scalpers how to make more money, which is good for TicketMaster since it makes even more money on secondary sales. Ticket scalping used to be illegal, and now TicketMaster is helping facilitate it.
Scalping aside, TicketMaster is taking massive fees each time the same ticket is sold. For example, I went to an event last year and the fee was $50 on each ticket, and these were reseller tickets so TicketMaster had already taken a fee on each of those tickets at least once already (perhaps more than once).
TicketMaster also owns many venues or has exclusive deals with most large venues that prevent those venues from using any other ticket selling platform. The DOJ is currently investigating this monopoly. TicketMaster alleges it is not a monopoly since there are many smaller venues that they are not involved with.
> Software developers are the wizards and shamans of the modern age. We ought to use our powers with the austerity and integrity such power implies.
This is one of the most powerful truths underlying the world we currently inhabit. The sooner we can agree to behave accordingly, the better our prospects for ripping the reins of society from the hands of those whose only animating principles are avarice and exploitation.
I still don't blame the developers, I blame government. It's not the job of rank and file workers to police companies. I wouldn't work for LN, but I'm not going to blame someone else for doing so. We've all gotta feed our families. (I realize there's a line somewhere, you wouldn't excuse a prison guard at Auschwitz the same way, but I can't get too worked up about a developer making a ticketing app even if I hate the ticketing company.)
Developed countries long ago came to the conclusion that companies should not be allowed to have monopolies because it is bad for society as a whole, and it's hard to think of a current monopoly as egregious as this one. There is absolutely no reason one company should have exclusive rights to 85% of large venues, also be an event promoter, and also be the ticket seller.
Anything their developers do is not the real issue, a society that allows this to happen in the first place is.
Even government software has issues (Vienna). I paid a €100+ fine for not having a ticket, even though I spent time going through the purchase flow. I have 100s of tickets purchased. Live agent and support agent just shrugged and told me I don't know how to use the app, washed their hands of any responsibility or need for understanding.
It's like there's no way to make the software human and humans in the loop have a crutch to lean on to not behave as a human. When I contacted the dev team directly, they shrugged too. No refund.
To me it feels like software is the place where society can just exercise its cruelty and indifference, or maybe it is a reflection of society, it's probably just like humans are. What we think software should behave like is not human.
I had more pleasant experiences with London/UK train ticket edge cases and felt like the system is built to deal with user/server errors.
"Developers are blameless" is a uniquely HN take, for obvious site demographic reasons.
I see a worthwhile product as a stool with at least three legs: Technical feasibility, business viability, and ethical acceptability. Take one leg away and the stool should fail. Yet, HN commenters endlessly discuss/debate the first two and largely ignore the third. I think we all have a duty to work on projects that are ethically sound (defining that is a whole other discussion). There are plenty of companies out there and plenty of products to work on--it's not like we have to pick an evil one in order to survive and "feed our families."
Shamans and wizards (never heard this used to describe anyone in history but let’s assume it’s just any kind of supposed magic user) were people at the top tier of their societies in terms of political power. Not kings or chieftains, but above everyone else.
Programmers are just making a living selling their labor power like every other office drone in the world. We’re one of the most common lines of work out there.
If you want the mysticism angle, we are like those kids they used to catch “witches”.
> Shamans and wizards (never heard this used to describe anyone in history but let’s assume it’s just any kind of supposed magic user) were people at the top tier of their societies in terms of political power. Not kings or chieftains, but above everyone else.
I don't know where you came by such a notion; Shamans, "Wizards", witches, "wise women/men", are usually shunned from society such that they tend to live near the outskirts of towns or cities, nobody really wants to live close to them; and when "bad things happen" tend to be the first ones to get blamed for it; then they also are commonly used as scapegoats for whatever political, economic or religious effort some corrupt officials try to push.
That doesn't sound very societal top-tier to me.
We're definitely not witches or wizards, at most we are scholars or [specialized] craftsmen. "Knowledge workers" if you will. Not as unlikable as the wise folk that live towards the edge of town, and not as at risk of getting tied to a post and lit on fire because the bishop believes we commune with unclean spirits.
Are there any documented examples of societies where "magics", "shamans" or "wizards" were at the top of the hierarchy? I gotta say, I'm an avid reader of Ancient History and Anthropology and the closest I can think of is the Priest-Kings of Sumeria and your garden variety theocracy and the latter is much more of a priestly bureaucracy than anything else...
I think you don't know what you think you know. My mom is a shaman type. These types often live at the outskirts of society where no well-to-do person would like to be seen. Zero political power but enough utility to keep at an arm's distance -- further if possible while not needed.
Yeah, we are more like masons. We have useful skills that enable building impressive things, but at the end of the day we are building someone else's cathedral.
Programmers being analogous to wizards or martial artists made more sense back when one used to need to train years or decades to become one.
With age comes wisdom.
There has been a lot of good that came from making coding more accessible; I'm not trying to gatekeep. But I do think that this is one instance where the outcome is worse. The martial arts masters still unquestionably exist among us. It's just that they're now surrounded by younger, less-wise people with guns. Both types can fight an army, but only one has the wisdom to know when it's better not to.
Yes I think there is truth to this. Something I have seen lately with Rust for example, is because the language is harder to learn, the discourse, tutorials, libraries are all much higher quality.
The fact we have had less than benevolent wizards and shamans, why would we expect to have modern day equivalent of only benevolent coders? It's such a fairy tale level of expectation that it seems childish. Spending any energy in trying to make real world a fairy tale is just wasted.
We wouldn't. You might expect that on an individual level. But at a society level, I would expect any company that's doing things that are specifically allowed by our government (who did approve the Ticketmaster Live Nation Merger) to get their jobs filled just like any other. I think Ticketmaster is evil, another developer might not. That's fine, they're not killing people or dumping toxic chemicals into reservoirs, we can agree to disagree.
My outrage is directed entirely at the government agencies whose job it was to stop this, not the developers making a ticketing app.
It’s interesting, the more we agree and hold strong, the higher the demand grows for engineers who would help some companies create their hellscape. The incentive will grow higher and higher until people break rank. And you start over.
I cannot agree more. And this is exactly why the old Google motto of "don't be evil" was so important. And the decline of Google is highly correlated with the removal of this motto from its culture.
I sincerely hope all tech companies can take a page from old Google and truly instill an innate rejection of evil among all software engineers.
People don't code out of a sense of duty, they do so to earn money, so there is no mechanism to enforce "behavior."
> our prospects for ripping the reins of society
There are too many industries that take the mantle of improving society on their back. This is a mistake. There is no natural representative mechanism that ensures your actions are aligned to required outcomes.
This should probably be left to congress. If you're concerned that they won't do it then that should immediately suggest the appropriate course of action to you.
> of those whose only animating principles are avarice and exploitation.
Short term thinking cannot lead to long term rewards without abject manipulation of the marketplace.
Congress is useless, along with the rest of the planetary corporate-fascist oligarch facsimiles of democracy.
If software engineers united behind true ideals of freedom, we could automate the entire stack of "leadership" and raise the floor of society.
Open source implementations of:
Universal cryptographic identification
Decentralized voluntary anonymous voting, verifiable by every voter
Sovereign algorithmic monetary policy
Liquid representation
Complete digitization of all necessary information to audit any authorities, at any time
Full release of privacy for any "public official" -- service to society should be a burden, not a privilege
This, and much, much more can ALL be done with software. An entirely new paradigm of society, with freedom unalienably encoded into the fabric of the social machine.
Our rights digitized, our privacy, speech, and pursuit of happiness made into software.
I would say software may have an impact, and the thinking of this impact extends far beyond the next quarter of profits. This mindset can extend into a multi-planetary society and beyond. A continuously evolving, open source mechanism of human governance.
The Golden Rule: "He who has the gold, makes the rules."
Truth is that money is all that matters. Nothing else in the world of business matters not relationships, not customers, not Boards of Directors or CEOs. Money.
Until a person realizes this, they will be forever caught in a cycle of thought that is not truth.
"Follow the money!" is the best way to see how society works, and is why every government wants their hands in our money. Meaningful change in this world requires money. No amount of idealism or 'using our powers' can change that.
Do the wizards have 'F-Off' money? No. Will they ever? No.
This is not only a truth of the world we currently inhabit, it has always been a truth, of all the worlds we have inhabited. Power and greed go hand in hand for a reason and the struggle to find the balance is, and will always be present.
It was not true of this world 150 years ago that any person with sufficient learning could tap buttons to create an experience to be found in the hand of the majority of living humans.
I agree power and greed go hand in hand - absolute power corrupts, absolutely - but this bit? This is new.
It's worth remembering that folks who can be bought, can be bought off and spend a lot of time enjoying their riches while true believers are somewhat more difficult to convince and don't take any time off.
That's important because all of the big evils have been perpetrated by true believers in pursuit of their "one true way." (Yes, some large evils have been perpetrated by folks chasing money. I'm talking about things like wholesale slaughter of as many people as they could lay their hands on.)
> I remember a time when printable tickets were ubiquitous. One could print off tickets after buying them online or even (gasp) in-person, and bring these paper tickets to get entry into the event when you arrive
I go to 1-2 concerts a month so I'm well aware of how scummy TM is, but the problem with PDF tickets is that people sell fakes or sell the same ticket multiple times. I know multiple people who've been scammed this way. I get not wanting to use your phone for everything, but the changing barcode isn't just technology for the sake of technology, it's actually there to solve a problem.
> PDF tickets work even if your phone loses internet connection
So do the digital barcodes if you add them to your phone's wallet.
TM even sends you an email before every event that says:
>> If you haven't already, download the Ticketmaster app or sign into your Ticketmaster account via mobile web. From My Events, tap view then add tickets to your phone's wallet for easy access at entry.
>> We encourage you to download your tickets to your digital wallet before you leave for your event. This ensures that you can always access your tickets.
> If you bought the ticket off the event’s official ticketing agency (not a sketchy reseller), you know for sure that they’re real.
The problem is that that isn't how the real world works. Ignoring the massive scalping problem currently happening (that TM is complicit in) sometimes plans change or people learn about events after the initial sale. Personally, any time I have to buy or sell through a reseller, I use StubHub, but I know plenty of people who don't want to use them as they charge high fees and they aren't much better than TM from a moral standpoint.
Also, I get the impression that if TM locked all tickets so that they could only be resold on TM, the author of this article would have a problem with that.
I found the article really interesting from a tech perspective.
And I have no love for TicketMaster, but the migration from paper/PDF tickets to scannable changing QR codes is inevitable, precisely to combat scammers.
TicketMaster does a lot of bad things, but this doesn't seem to be one of them. And learning to download the digital tickets in advance -- either to the app or your Apple wallet -- is just a thing you learn to do, the same way you learn to download a bunch of podcasts before your airline flight that charges for (or doesn't have) WiFi. (And if your ticket was a PDF, you'd similarly be stuck if you couldn't get internet at the venue and hadn't downloaded it in advance.)
> So do the digital barcodes if you add them to your phone's wallet.
??? Last I heard, adding the barcode to the phone's wallet did not work, or at least not reliably. Some older folks I know struggled with it, and I specifically helped set up the Ticketmaster app and download the barcode. They mentioned that the app eventually logged them off when they got on site and had to struggle with poor wifi. Eventually got it to work but IIRC it took several minutes before they had a stable enough connection for it.
Does it need an actual Google/Apple wallet or something set up?
Isn’t this a bit like irresponsible disclosure? Since this may be considered a security vulnerability. Although it’s all client side, I’m sure there’s some basis for a lawsuit here.
How is this a security vulnerability? It's displaying the exact bits Ticketmaster uses and explaining what those bits are. They're not circumventing security systems, just the requirement to use the app.
It is my opinion that you do not need to responsibly disclose "security by obscurity"
Additionally, what is irresponsible here? It's not like this gives you the capability to clone tickets without first having a ticket in the first place.
The public prosecutor does not pursue cases where responsible aka coordinated vulnerability disclosure was applied. I'd say that's a legal shield of some kind at least, and it is generally also considered best practice in the industry. There's exceptions to everything but, in the general case, I'm not sure where you're getting these viewpoints from
If it runs on my CPU and shows up on my screen after I paid for it, it's mine and I can do whatever I want. Anybody who thinks otherwise can fuck off outright.
I'm struggling to come up with a good basis for a lawsuit. CFAA abuse is the first thing that comes to mind, but this is a real stretch for that, and SCOTUS shut that stretching down a while ago. DMCA doesn't come into play, since this isn't circumventing any copyright protection schemes. So this kind of leaves you with some form of contract violation, but even that seems like a stretch here. Tortious interference or interference with prospective business? I mean, I don't see any events complaining about this (hell, Ticketmaster itself arguably has some contract liability issues with the fact that their technology relies on cell service which tends to be spotty in dense crowds). So you're kind of left with some individual contract liability issue, which is literally not worth the cost of litigation.
Except for a lot of performers and venue operators. Ticketmaster is paid well to be the bad guy. They often share the fees with both the performer and the venue.
The app-based barcodes don’t seem to be solving a security problem for customers - they seem to be for the purpose of ensuring that traditional scalping doesn’t work, forcing ticket resale into a market that TicketMaster can profit from.
I would consider it unethical to publish details of an unpatched vulnerability that allowed ticket forgery, but I don’t think it’s unethical to bypass DRM-like controls for personal convenience rather than commercial purposes.
Really good post! I also found this quote which distilled their position in the 404media coverage of the situation.
> “What I can say for sure is that TicketMaster and AXS have had every opportunity to support scam-free third party ticket resale and delivery platforms if they wished: By documenting their ticket QR code cryptography, and by exposing apps and APIs which would allow verification and rotation of ticket secrets,” Conduition told me in an email. “But they intentionally choose not to do so, and then they act all surprised-pikachu when 3rd party resale scams proliferate. They're opting to play legal whack-a-mole with scammers instead of fixing the problem directly with better technology, because they make more money as a resale monopoly than as an open and secure ecosystem.”
from https://www.404media.co/scalpers-are-working-with-hackers-to...
I dug up the court docs referenced in that article, it's pretty interesting-
AXS Group LLC v. Internet Referral Services LLC (2:24-cv-00377) District Court, C.D. California
Amended complaint: https://news.ycombinator.com/item?id=40906148#40910690).
Basically, brokers are using the "secure.tickets" and similar websites to proxy ticket barcodes to buyers, without going through the actual ticket transfer mechanisms on the primary ticketer AXS/TM, (similar to how this blogger does). Then resellers are delivering these ticket URLs, hosted on random websites, to Seatgeek and Stubhub customers, and those platforms are supporting their delivery by telling their customers that the tickets are legit. Sounds like AXS is fighting back against this practice.
The underlying issue is that those tickets have a "no resale" provision that doesn't apply when the original seller acts as a broker.
Do other brokers, when they go and work around that limitation, break the sales contract? Maybe. The legal system would churn an answer in a few years.
Are AXS et al., with their "only we are allowed to engage in a secondary policy", abusing their monopoly on original sales? The legal system would churn an answer about the legality of this in a few years, but I think it's obvious they at least break rules in the spirit.
Monopoly is the keyword here. Ticketmaster and Boeing and all the other nefarious companies here use PATENTS to prevent competitors from eating their lunch. Patents need to be done away with to allow free competition, don't believe the propaganda about patents helping creators
I love it when a system has been working for hundreds of years through by far the most prosperous time in human history but people on the internet are sure it is wrong. No proof, no evidence, not even logic, just certainty.
Also, I don’t think any of the issues with Ticketmaster have anything to do with patents.
If you don't have a patent on an invention then how do you protect it from people who will just steal what you have spent time/money creating?
What patents does Ticketmaster have that stop competitors from selling tickets?
[flagged]
Not all cryptography is blockchain
Hash chains already existed. But someone created blockchain anyway.
I'd also like to highlight another bad practice by Ticketmaster.
When you purchase a ticket from them and resell it on their marketplace, once someone purchases it, they (Ticketmaster) hold your funds and only give you the money ~7-14 business days after the event is over. They say this is to verify the validity of the ticket.
On the buyer side, you purchase the ticket from the marketplace and it gets added to your account immediately. (I think) You get the barcode some time ~1 week before the actual event begins.
The confusion for me? Ticketmaster owned the ticket and all logic relating to the validity of it. The logic to validate this shouldn't be complex at all. They OWN the ticket. They KNOW it's legitimate because it never left their database. Yet they double dip and hold both buyer and seller funds. Events can be close to a year in the future but the seller won't see that until after that event ends.
There's another good point in here. Why do they hold the ticket until just before the event? I bought tickets to a concert for my wife's favorite band. Then, my wife's work scheduled an event for that same week and she had to leave town. So, what I really wanted was a refund so someone else could buy the tickets. They don't do that of course. So, then I wanted to sell the tickets for face value... but ticketmaster didn't "deliver" the tickets to my account until the day before the event!
I watched for a month leading up to the event as the ticket prices plummeted while the scalpers were desperate to get at least something for their tickets before my ticket was even delivered to me.
As soon as they take my money, they should update the database to show that the ticket is mine. If I want to sell it, I should be able to do that immediately too.
But, from what I've read, that instant resale ability only belongs to their "partners" who resell a lot of tickets, and you need access to their "TradeDesk" tool to do it: https://tradedesk.ticketmaster.com
Just vote with your pocket and don’t buy tickets from them. I do that - yes I don’t get to go to major concerts but there are still so much more that is not on ticket master. I found a lot of new entertainment and was happy to pay $4 fee instead of whatever TM charges nowadays.
This began a lot more on third party sites like stubhub due to Covid and the massive amount of cancellations; before most places paid out after the sale, and if the buyer wound up having an issue (due to the seller mistake, selling it multiple times, whatever) they would charge the seller and usually assess a penalty.
But when everything in the world was being cancelled I assume they didn't have all the money just sitting around to reverse and it was a ton of thrash to deal with. As someone who had bought tons of tickets and sold some, it was a mess. I had a ton of credit card refunds back, the third party sites had to reverse payments, etc.
Waiting until after the event is just less overhead. Guarantees the transaction happened without a hitch.
There are some POS and broker sites that still pay on transfer, but none of the "primary" secondary market does.
I’ve never dealt much with TicketMaster, despite them being a monopoly. So my questions here may just be out of naiveté:
1) Why would TicketMaster pay event organizers ahead of time, if the event might be shit and attendees may demand their money back? Rather than having to deal with a lot of chargebacks and making it their own problem with the banks, they might prefer to make sure the event goes off without a hitch and refund people while they still can. Rather than subsidizing the refunds they make the event organizer have to get (and pay for) financing instead, backed by their payout. They might also offer such financing.
2) I get that they hold event organizers hostage by making contracts with the venues for years, that might be an antitrust issue but it’s separate from 1.
3) Why would TicketMaster make scalping easy? Middlemen would just buy up all the tickets and then pump and dump the price, much like early crypto investors in a meme token or altcoin do. So they don’t “deliver” the ticket to you until just before the event, exactly for that reason.
With ChatGPT it’s now easier than ever to impersonate thousands of people at scale, with credit cards and everything. But I will admit, showing up to an event at least once confirms there is a human behind the account. But a first-timer buyer? Shouldn’t be able to resell, no.
Tbf, this does sound like a fairly efficient anti-scalper strategy, so I guess there's at least some upside to this mess.
It's simply 0% financing for their business. No more complex than that.
Excellent point. I wonder if Ticketmaster profits by making interest off of holding those funds?
Wonder no more—yes.
> When you purchase a ticket from them and resell it on their marketplace, once someone purchases it, they (Ticketmaster) hold your funds and only give you the money ~7-14 business days after the event is over. They say this is to verify the validity of the ticket.
I imagine it's more about discouraging scalping, regardless of what they may say about it.
Maybe to stop people selling the ticket and still going to the event with a pre-printed one? Solving that would also be easy if they have a central verification system (just invalidate the ticket and issue a new one) but not if it is all p2p.
(disclaimer: I'm a complete outsider, last time I bought anything from Ticketmaster was a really long time ago).
They would need to solve that anyway in case 2 or more friends attempt to get in on the same ticket.
Not at all difficult - simply share screen a third device and display the rotating QR-code through e.g. zoom on individual phones. For additional trickery, try to split the group into joining multiple ticket scanning lines and timing the scan of the ticket to be as close as possible to each other.
Possibly it's fraud prevention, in case payment for the original ticket was fraudulent and chargeback occurs after the ticket is resold on marketplace?
That does sound like a very reasonable thing to do. Otherwise you have a threat vector of steal card, buy ticket, sell ticket, pocket the cash, card owner disputes, now Ticketmaster has paid a stolen identity who took the money and ran.
Anything that can be used to monetize stolen cards will tend to be used for the purpose even if it's inefficient.
I really, really, really hope Ticketmaster gets broken up. Their shittiness seemingly knows no bounds.
Because you could just print the ticket, then sell it, and still enter the show with it?
This is literally what the rolling codes prevent.
I hate TM and ridiculous fees as much as anyone, but this article is overly hyperbolic.
There's a section named "Pirating Tickets", that just explains how to re-create a barcode that you already paid for. You're not using this to rob anyone of anything.
And at the end, "Have fun refactoring your ticket verification system". Why? There are no vulnerabilities here. A rotating barcode (even if following a known pattern) is still more secure than a static barcode on a piece of paper.
Piracy here just means you can use it to sell your ticket without using their platform, which is analogous to just sending someone the PDF or handing over the piece of paper as always.
While this has the upside of breaking you free from TM's obnoxious practices, it also obviously opens up for scalpers and all.
Scalping is still possible without understanding the tech - you could just stream a video of the bar codes and sell the stream instead of selling the ticket.
Piracy here means that you can sell 50k tickets to the same seat with a real valid rotating barcode.
Are you sure you understood the article? The token is supposed to be a secret and the TOTP generation should happen remotely. This is not the case and this suggests a fundamental lack of security practices at the company.
"Should happen remotely" – according to who? What is the security risk for the end-user?
"this suggests a fundamental lack of security practices at the company" – that's a stretch of a conclusion to make. You're being as hyperbolic as the original post.
What didn't I understand about the article? This still offers a slight increase in security over static barcodes, without introducing any new vulnerabilities.
> the TOTP generation should happen remotely.
It says that it is available offline (if you've viewed it in the last 20 hours), so the TOTP generation can't happen remotely
Well, it's more like the "security" they want is fundamentally incompatible with support for offline use in this case (as long as we have open computing platforms anyway).
Which would increase the problem he described--too many people trying to get in overloading the local bandwidth.
It's enough to defeat screenshotting and the 20 hour bit would defeat large scale malicious use.
Not good security but probably good enough, especially in stopping the resale of stolen tickets.
It's piracy in a way that's analogous to ripping like Netflix content. You are breaking away from DRM which is piracy. They also cite the potential to have multiple tokens valid per one ticket which would let multiple people get in with the same ticket.
I doubt the second bit is true - they will still be marking the ticket as used in their backend.
They are just trying to prevent scalpers printing off tickets 10 times and selling them outside the venues as a scam, which happened at every large concert I have ever been to until recently (so I assume this is working!).
I'd argue that a few extra people sneaking in on the same ticket (assuming this is even possible) is more like sharing your Netflix credentials than ripping Netflix content and having it be shareable with the entire world.
You're also walking into a stadium/concert in plain view of security cameras, so the stakes and deniability are different as well.
It would be DRM if the barcode was copyrighted material, which it isn't.
The way this is already being exploited in the wild is that a scalper/scammer buys 1 ticket, then resells the same ticket multiple times. Multiple people believe they have a valid ticket, show up at the event, but only the 1st ticket works. The other people who try to use the ticket are turned away saying that their ticket has already been used.
> The way this is already being exploited in the wild is that a scalper/scammer buys 1 ticket, then resells the same ticket multiple times. Multiple people believe they have a valid ticket, show up at the event, but only the 1st ticket works. The other people who try to use the ticket are turned away saying that their ticket has already been used.
That is one of many ways this is already exploited in the wild.
Do you have a source for this? What platform are they selling multiple copies of the ticket through, and what app are the buyers using that allows multiple buyers to receive and show the same animated barcode?
This way you can sell and have the ticket completely off of ticketmaster. That is a vulnerability. It lets users do something they explicitly don't want to allow.
Assuming that you can actually do that.
If the seller re-opens the TM app and it generates a new token and invalidates the old one, then that's not the case.
He was basically wondering if he could create two tickets each with different tokens. Tokens are valid for 20 hours but it probably doesn’t invalidate the old token (e.g. a request for a new token makes it to the internet but due to congestion, the response never comes back to your phone before timing out) and this could trigger multiple tokens for the same ticket and are all valid.
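The gate-side behaviour several comments above rely on (a rotating code that defeats screenshots, plus a backend that marks the ticket as used so only the first scan works), sketched as an added example that is not part of the thread and is not Ticketmaster's or AXS's code. It assumes standard RFC 6238 TOTP; the 15-second step, 8-digit code, `Gate` class, ticket ID and secret are hypothetical.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 15  # assumed rotation period; the thread does not state one
DIGITS = 8         # assumed code length


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Gate:
    """Scanner backend: checks the rotating code, then redeems the ticket once."""

    def __init__(self, secrets_by_ticket, drift_steps=1):
        self.secrets = dict(secrets_by_ticket)
        self.drift_steps = drift_steps  # tolerated clock drift, in steps
        self.redeemed = {}              # ticket_id -> time of first accepted scan

    def scan(self, ticket_id: str, code: str, now: int) -> str:
        secret = self.secrets.get(ticket_id)
        if secret is None:
            return "unknown-ticket"
        # Accept the current step and a small drift window either side.
        valid = False
        for drift in range(-self.drift_steps, self.drift_steps + 1):
            expected = totp(secret, now + drift * STEP_SECONDS)
            if hmac.compare_digest(expected, code):
                valid = True
        if not valid:
            return "stale-or-forged-code"
        # The code only proves possession of the secret. Admission is a
        # separate, server-side, one-time state change per ticket, so every
        # copy of the same secret after the first scan is refused.
        if ticket_id in self.redeemed:
            return "already-used"
        self.redeemed[ticket_id] = now
        return "admitted"


def demo():
    secret = b"constructed-demo-secret"  # constructed sample value
    gate = Gate({"SEAT-A12": secret})
    t0 = 1_720_000_000                   # constructed timestamp
    screenshot = totp(secret, t0)        # code captured as a still image
    return [
        # Screenshot presented five minutes later: outside the drift window.
        gate.scan("SEAT-A12", screenshot, t0 + 300),
        # First holder presents a live code.
        gate.scan("SEAT-A12", totp(secret, t0 + 300), t0 + 300),
        # A second device holding the same secret presents a live code.
        gate.scan("SEAT-A12", totp(secret, t0 + 330), t0 + 330),
    ]


if __name__ == "__main__":
    print(demo())
```

The rotation only raises the cost of copying a still image; what decides a duplicate-sale dispute at the door is the redemption record, which is why the later holders of the same ticket are the ones turned away.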
Thank you for posting this. This article left me super unsatisfied too.
This sort of ticketing thing is a trivially solvable problem. It is solved at every airport in the entire world millions of times per day. You provide the name of each concertgoer when you buy a ticket, and they show up with their ticket and ID. You often need to show your ID at these kinds of venues to prove you're old enough to drink beer anyway.
Yup.
I have to believe the reason the likes of ticket master isn't fixing this is because they are selling/auctioning/reserving some percentage of tickets to scalpers or "3rd party sellers".
Requiring ID is such an obvious solution that I have to believe these convoluted approaches are only there so the secondary market can exist and so ticket master can wash their hands when prices get out of control on that market.
I have to presume that the driving impetus of all of this is that they're trying to avoid the actual requirement of checking the ID. Like, they want to improve the flow of traffic through admissions.
But I mean, obviously, any kind of system like this strikes me as the same sort of thing as DRM. That you can somehow protect the message from the person you're sharing the message to. How can you avoid reselling if you don't verify the original purchaser? It just seems ridiculous on its face.
Yeah I agree, they are not incentivized to fix scalping/bots because they get a fee every time a ticket is sold. It is in their best interest for the ticket to be sold as many times as possible.
[flagged]
But also, the hell with this. I'm still sour enough about the TSA without the concept of, "I'll buy tickets for me and three of my friends then see who wants to go," becoming impossible or gated by ticket transfer fees.
Airlines are preventing a secondary market. Unfavorable for your use case, but also prevents scalping airline tickets (while allowing airlines to attempt to maximize revenue). There are always tradeoffs and compromise.
To hack around this, I've used Southwest Airlines; I can buy tickets for folks and if they can't travel, we cancel the ticket(s) and keep the travel funds banked for another time. I hope this is potentially helpful information.
https://simpleflying.com/why-airlines-dont-allow-name-change...
Even allowing that but requiring your valid ID must be taken into the venue by yourself (or by your friends eg if you get sick and can't go) would be a big improvement, meaning ticket scalps would have to actually go or have someone on their team go along with every ticket they resell.
Flying requires an ID. Attending a concert should not. Any solution that is solved by "simple, just require an ID" is not a solution.
Depends a lot on the country you live in. In most European countries "carrying an ID" is legally required if the police stops you anyway (they do need a reason to see it though), so "show an ID at the entrance" is no big deal.
It's to my understanding mainly the US where ID requirements are often side eyed because many people don't have them and there's no national standard (and due to a variety of political reasons there probably won't ever be any.)
that's really just an opinion. and I'd argue that if people really care about a fair and sustainable concert going, given how ridiculous the live event situation is, you'd support pretty common and standard requirements like ID to be shown. as others said: ID is already required to validate age in many events/venues
> Flying requires an ID. Attending a concert should not.
Why though? Not disagreeing per se because I'd have thought so too, but upon reflection...
I assume the main reason airlines require an ID is safety and security. We maintain a denied parties list and use identity verification to make it as difficult as possible to fly a plane into a crowded venue. Border control is another issue, but there's plenty of intra-country or intra-state flights where this isn't an issue.
Ticketmaster sells unverified access to crowded venues.
How are you getting into shows without presenting ID for age? Every (well, every legal...) venue I've been to in NYC cards to see if you are 21.
Italy solved this. Five years ago, a new law enforced ID-checking when you enter any big events (like concerts with an audience larger than 5000 people).
Tickets have your name on it, and you can only change the name or resell them through the official seller (so, third party resellers are out of the game). Also, every reselling transaction is registered and can be inspected by the Italian Rightsholder Agency (SIAE).
I’d rather not solve it than let the state have more information about my transactions
Because of this, and more very strange rules, it is very hard for ticketing systems to get into the Italian market. Some examples:
- not allowed to change the time or name of the event after the 1st ticket is sold
- only allowed section names in halls from a known list
- free tickets on events... can only do this under strange conditions
- smart card application, for encryption, must run on a physical server in Italy. You should not be able to log into the ticketing box office if that smart card application is not running.
People often buy tickets without knowing exactly which of their friends are going to attend with them. This is not true of airplane tickets.
One ID for the entire order would be fine. You can buy 4 tickets, and go into the concert with your 3 friends. It often works this way even with no ID involved, I buy two tickets, add them both to my wallet, scan them both when my GF and I go to the show.
You COULD still scalp tickets if the person who bought them from you is going to walk in with you. But the scalper would have to eat the cost of one ticket to do it, and it's probably onerous enough to severely reduce the impact of scalping.
Would be awesome if it were true for airplane tickets
That requires a single source of truth for which names go with which tickets. Which is going to be a problem if tickets need to be transferred in contexts where users don't have internet access (but they do have local connectivity between devices) or in contexts where the venue doesn't have internet access. Or in cases where the single source of truth might be vulnerable to attack or doesn't have the resources to handle the load at certain times.
I don't have the solution explicitly, but it seems like it ought to be possible to do this such that PII need not be collected. Tickets could be cryptographic proofs that a chain of custody exists and meets certain criteria. The proofs could be constructed at transfer time and verified at admission, no servers in the loop anywhere. Yeah, we'll come up against the CAP theorem eventually, but we might find that the imposed constraints are workable.
> Which is going to be a problem if tickets need to be transferred in contexts where users don't have internet access (but they do have local connectivity between devices) or in contexts where the venue doesn't have internet access.
You know as well as I do that TicketMaster won't allow any of that, because it means they miss out on selling another ticket.
I agree, mostly. What do you do for people without an ID (and without a parent)? Think of the number of people at a Taylor Swift concert who are under 18 -- a lot. Also, checking the name between ticket and ID will slow down entrance by 2-5 times, I guess.
I was recently at a Festival that requires ticket + ID (https://www.resurrectionfest.es). The key to success was to put a little more personnel at the gates, maybe 15 people instead of 10. But it is also true that we have the ID document issued in our early teens if not before. Each ticket verification takes 3 more seconds extra to verify the ID matches, no big deal.
Said festival does their own ticket re-sale to avoid scalping but mainly to avoid shady sites that are known to allow the selling of counterfeits. You can only cede your ticket, not sell it. It is not perfect (e.g. if you don't find a buyer for the same price, you can't sell it at a loss to recoup some money. You get your ticket back) but at least it is not as bad as the one from Ticketmaster.
No, it's not. At my work here we'll all go online to try and get tickets to a big gig. One of us might get in, so that person will get ~8 tickets or whatever the maximum is. And then we split them between us, transferring over cash etc. If we have a few left over we'll sell them to friends for the ticket value.
But none of us have any intention of lining up with the others to get in. We want to go with our partners, our own friends etc.
I want Bob, Terry or Bazzy to be able to buy tickets for me (or me for Bob, Terry or Bazza) but I do not want to have to meet up with Bob, Terry and Bazza and stand in line with them all to get in.
So yea, it's not trivial. I wish it was, I farkin' hate scalpers.
how is this not the same as 8 people trying to find airline tickets for everyone? you can buy tickets for different passengers. some airlines/travel agencies even allow for name change for a fee.
This is trivial and solutions exist in the wild already. If you buy tix for the Paris Olympics, you can transfer them to your friends or you can assign their names to the tickets directly.
The interesting mechanism there is that you can buy a lot of seats at once, but you don’t get to choose where they are exactly, only the section. So in every case you’re going to have people buying big lots of tickets and distributing them to friends and family after the fact.
Hell, you just scan your ID at TSA nowadays. They don't need your ticket.
Or just scan your face with the new Digital ID rolling out. It's actually quite nice.
I flew about 3 days ago and they only asked for my minor children’s boarding passes.
The issue is most likely about throughput. You want to let fans enter the venue as quick as possible. Most venues have lots of gates, but still the latency at each gate has to be a handful of seconds per ticket. Having to validate both ticket and ID would easily double or triple that time.
Today's digital entry experience is far from frictionless. Might as well add a scan of the PDF417 barcode on the back of the latest state ID cards.
I just went to a MLB game yesterday, and the digital process was:
I imagine this could have been:
I keep reading about this argument but Olympics and World Cup matches are arguably as large events (if not larger) and they place name on ticket and check ID at entrance.
people complain at ticketmaster yet seem to bend over backwards to justify the state of affairs
Some venues do this already and the scalpers buy an additional ticket to burn on themselves so they can get their customer in the gate. It just goes into the cost of doing business. I agree this is probably one of the best ways to stop scalpers but it's not foolproof.
I’ve heard the argument that forcing people to have an ID is anti folks with disabilities and anti-poor since it requires someone to go to an issuing agency to obtain and pay for one, which could be putting someone out who has a mobility disability or doesn’t have a lot of money.
I’m not making the argument but it’s an argument I’ve heard.
If the government needs people to have IDs, then maybe the government should provide those IDs for free...
Airlines are starting to use rotating barcodes as well. Heck some are even switching to purely facial recognition.
I’m not sure that would fly in Europe. And I personally don’t want to hand over my id to use a ticket
Exactly. The privacy characteristics of government ID cards are worse than any other solution. When sharing such an ID, a person is providing several global, stable identifiers (e.g. ID number, full legal name). For adtech and data brokers, this is the ultimate fingerprint for tracking and matching.
In a perfect world, the digitization of these IDs would come with modern digital privacy and security. Scanning your ID number would only provide a recipient-specific ID that couldn't be matched with other vendors. Age eligibility and driver's licensing status would be presented as separate signed attestations that share no other data.
We aren't even heading in that direction yet.
I wouldn’t bring my ID to a concert. I don’t have my wallet with me and even if I would they wouldn’t like me to have a backpack. I’m coming as light and minimal as possible and also would hate to lose my ID jumping around at a concert.
...yet you have a phone (for the moving barcode and whatnot) which is heavier and bulkier than a card?
+1 to this. Also, don't Olympics and World Cup class events also face a similar issue as concerts, and they allow for fair'ish purchase and resale by private people, but only through their platform?
This improves the security over airline tickets.
There was a recent story of someone taking pictures of other people's boarding passes, and using that to board the plane.
With this ticketmaster scheme, unless the person has access to the secret keys, the pass would only be valid for a few seconds, likely defeating this attack against boarding passes.
https://www.nbcdfw.com/news/local/texas-news/texas-man-board...
How often has this been a problem though? How about not keeping your boarding pass, or ticket, or credit card for that matter, visible for the world? Just put it in your wallet, I don't know.
This is security FUD. Stop solving problems that do not exist to the point where it makes the news when they do happen, once a century.
This DRM scheme concretely creates millions of small annoyances to millions of people and wasting our time as a society.
This is a horrible horrible idea.
It'd then be impossible to buy a few tickets to an event with the intention of finding people to come after the fact.
This has its own problems. It makes it difficult to swap tickets.
A music festival I went to recently charged 30 euro to change the name on a ticket.
A lot of concert goers are under 18 and don't have valid state ID.
Yeah, except NO.
A lot of people think live event ticketing is the same problem as airplane tickets, but they really aren't. As an example, there are rules about requiring identification for commercial flight. There are rules against requiring identification for live events.
Where has rules prohibiting it? Maybe will move. :D
Ticketmaster says: NIH
Oh cool, so when I buy a scalped ticket I'll simply order a quality fake ID as well.
Buying and using a scalped ticket isn't a crime for the concert-goer; using a fake ID (in most states) is, meaning it puts significantly more pressure on the consumer to not buy. Also, most people in the US over the age of 21 don't have fake IDs, so it's a reasonable detriment.
GenAI?
The solution doesn't have to be perfect. It just has to be good. Good enough is good enough.
With regards to the end of the article.
> Can I work for a bad company and still be a good person?
> No.
https://apenwarr.ca/log/20201121
I'm glad we cleared that up. Now all that remains is a good, measurable definition of what a bad company is.
It's like porn. You know it when you see it and also there's quite a lot of it.
As one grows older, they may find that not everything in reality can be quantified or put into words.
And trying to objectify value judgements is another whole area of contention that inevitably leads to itself.
> Now all that remains is a good, measurable definition of what a bad company is.
Let's re-invent religion.
You're trying to get quantitative about a qualitative problem.
If you're asking the above question, it means you already think the company is bad according to your own morals.
It's not hard if you remove the self delusion. Removing the self delusion is maybe tricky for the individual, but it's easy for people around the individual to see. Societal tools like shame are generally used to encourage people in the right direction, but we don't do a great job of this in America, because money tends to override everything else and I don't think we have good structures around expressing non-monetary values like honor.
Especially on the west coast, we're so passive in our shaming of people that it probably doesn't translate to action. There are people who work at Evil companies like Facebook, etc, who are otherwise nice, but I find myself not including them or turned off to them as friends because this sort of contradiction is hard to square in my brain. Of course I wouldn't communicate to this, being a passive PNW raised wimp, and it's not even super explicit in my mind, it's really more of a bad vibe than anything else. I imagine over time if enough people act like I do, it doesn't actually translate to different decisions from the individual in question, but instead translates to them waking up one day feeling distant and unfulfilled, which is probably the worst of all outcomes. They still work for Bad Company, but are also sad about it, and there's a general sense of malaise pervading life that's hard to pinpoint.
*Obviously this all ignores the people who don't have a choice of employment. But here I'm generally referring to software people who have high pay and career mobility. Things get murkier when the conversation is opened up to people who are just trying to survive.
Does this extend to where you live and pay taxes?
Yes.
I think we should make an exception for saboteurs.
And whistle blowers. And double agents.
All companies are "bad" in some way... does that mean all employees are bad?
> No.
And pretty much every company is bad. But this is a wrong answer because the question is actually nonsense.
The answer to "What happens when you move faster than light" is not "nothing", it is undefined because the question is invalid. Asking if a person or a company is good or bad isn't a question that can ever have a well-defined answer: the answers we give are rounded according to our own values. To get more specific, not all of us have a huge amount of choice in who we work for.
If apenwarr believes I want to be a good person they should hire me at Tailscale. What's that, they won't? They don't have openings, or I'm not qualified? I guess they're the bad person because now I have to work for a bad company or lose my income. And if I lose my income, my co-habitants lose their housing, and my donations to good causes dry up. Do I just not do enough good for apenwarr? They must be a paragon of virtue. Surely they don't eat meat, or even associate with meat-eaters. Surely they don't fly in airplanes.
It doesn't need a well defined evaluation scheme. You're the one asking the question, you can provide your own scheme, and come up with your own answer. Whether you're honest with yourself in this process is up to you.
It's still useful to point out that IF you think your company is bad THEN you should do something about that. It establishes that "I was just following orders that I know are wrong" isn't a valid excuse (e.g. like if you end up in court for something you did on the job).
> the answers we give are rounded according to our own values
I agree with this entirely.
And rounding does not change the answer in most situations.
Something that isn't well-defined can still be mostly-defined.
I have no idea what the point of that strawman is in your last paragraph. It doesn't make sense with or without rounding. Maybe if you round every single value to infinity, but that's not what "rounding" normally means...
> Asking if a person or a company is good or bad isn't a question that can ever have a well-defined answer: the answers we give are rounded according to our own values.
Counterexample:
Was Hitler bad?
It's baffling that you have to carry a mobile phone to access a show. What if you run out of battery? Or if you accidentally break the screen just before entering the venue? The more the technology evolves the more we find horrible uses for it. People should fight back by refraining from purchasing tickets from them, I know it is not easy for people to miss their favorite artist but until a monopoly is broken there is no other effective way to prevent them from doing what they want.
I had to use something like this to get into The Killers gig last week at the O2 in London (fantastic gig btw, and Andy Bell from Erasure made a special guest appearance to sing A Little Respect which was the cherry on top, but I digress).
The WiFi in the O2 was woeful, and even on "The best network" EE the app wasn't loading.
Eventually after stepping aside and letting a load of people go in front of us I managed to get it to load, but it was a dreadful experience.
Contrast that with seeing the Pet Shop Boys last month in Birmingham where the ticket was on my phone in Apple Wallet was night and day (and you could print the ticket if you didn't have an iPhone, or wanted a physical version).
I mean Ticketmaster’s current best practice seems to be NFC tickets stored in a mobile wallet which do work offline
You can still print the ticket on paper. Tho nowadays that means a trip to a FedEx store for me, since I refuse to keep buying inkjets I only use a couple times a year.
> I refuse to keep buying inkjets I only use a couple times a year.
Laser printers are the solution, and Brother laser printers seem to remain the most highly-regarded.
No, you actually can’t for the tickets the article is talking about. This is increasingly common. It’s insane
> Tho nowadays that means a trip to a FedEx store for me
I've really appreciated my local library for allowing 20ish pages of printing per day, which has allowed me to limp through the no-printer lifestyle. Plus I usually grab a DVD movie while I'm there.
Life's good in the mid-2000s.
Laser printers have solved this - I don’t expect to change the toner for a decade.
Stop buying overpriced ink jets. I get knock off laser cartridges for cheap and they last a couple years each. I did have to push a few random buttons on my Brother to let me do it, but it works now
I worked a summer job in a Ticketmaster box office ten years ago and had access to the whole of their UK customer database in order to print off ticket collections. I’d type in a customer’s post code and up came all of the data Ticketmaster held on them… including their password in plaintext.
I had to create an account just to reply to this; as much as TM has its faults this is just false, it does not store passwords in any reversible way or at least hasn't for more than 2 years and all evidence removed.
Source: I am an engineer within TM that has worked on integration between various booking products in the UK market.
Well there is an 8 year delta between your timeline and the OP's... so I don't see any contradictions here.
Glad to hear their security has improved since then! This was the 2014 Commonwealth Games and I had only recently learned about password hashing so I was particularly shocked that they were exposing passwords to thin clients used by front line employees.
As an engineer within Ticketmaster, I'd be curious to hear your take on the conclusion of the article.
> I think we can all agree: Fuck TicketMaster. I hope their sleazy product managers and business majors read this and throw a tantrum. I hope their devs read this and feel embarrassed. It’s rare that I feel genuine malice towards other developers, but to those who designed this system, I say: Shame.
> Shame on you for abusing your talent to exclude the technologically-disadvantaged.
> Shame on you for letting the marketing team dress this dark-pattern as a safety measure.
> Shame on you for supporting a company with such cruel business practices.
> Software developers are the wizards and shamans of the modern age. We ought to use our powers with the austerity and integrity such power implies. You’re using them to exclude people from entertainment events.
> Have fun refactoring your ticket verification system.
Does anyone know how Ticketmaster works, really?
I have been to Ticketmaster events that use reasonably priced, printable tickets, you could even buy a printed ticket with cash. In fact, even though there are so many Ticketmaster events, they are not all working the same way. And Ticketmaster doesn't have the monopoly on shitty practices, the article gives a good example in the beginning.
What I suspect is that Ticketmaster is nothing more than a service provider. The venue/event organizer/... looks at the Ticketmaster catalogue and picks the product they want. There are "evil" products in that catalogue, and they are probably the ones with the best returns, but I am sure people have a choice.
I'd even go as far as calling Ticketmaster "Evil as a Service". So people can say "fuck Ticketmaster" instead of saying "fuck Taylor Swift". I would be very surprised if artists (and their agents) at the level of Taylor Swift didn't have a say regarding ticket sale practices, even with Ticketmaster.
Of course, the monopolistic practices of Ticketmaster are a problem, people are most likely paying more than they should because of it, but all the crap with apps, resale platforms, etc... I am pretty sure the event organizers, maybe the artists themselves are as much to blame.
> but I am sure people have a choice
Often, they do not. The DOJ is currently suing TicketMaster because they have exclusive agreements with nearly all of the large venues and that prevents those venues from using other ticket providers. To be fair to TicketMaster, they argue they are not a monopoly because there are many smaller venues that they are not exclusive with.
But, TicketMaster even requires that artists use TicketMaster's promotional agency if they want access to these large venues.
And more evil stuff! Details here...
https://www.justice.gov/opa/pr/justice-department-sues-live-...
I wasn't talking about having the choice of using another agency, Ticketmaster is predatory and this is a problem.
I was talking about using Ticketmaster (for the lack of other choice) but using one of the more consumer friendly services Ticketmaster appears to provide. I am sure Ticketmaster won't mind, they get their share anyways.
What I wanted to say is that Ticketmaster may be responsible for your ticket costing $70 and not $60, but for all the other bullshit, they just do what is asked of them (by the artists, venue, event organizers, etc... maybe even the fans themselves). Or at least, that's how I think it is.
You're missing that Ticketmaster (Live Nation) controls and owns a substantial portion of the venues, the catering, logistics, tour buses, security and so on.
The venue "choosing" the Ticketmaster product is owned by Live Nation.
> Does anyone know how Ticketmaster works, really?
For the most part, no. I'm actually shocked by how much understanding you are demonstrating in this post. I did not expect to find that on Hacker News.
Tours have some choices, yes. See the Cure tour last year. But no, paper tickets and non-auction prices (for front section) have been phased out quickly.
Some tiny stragglers perhaps. Went to a tiny venue recently but was goldenvoice.
> I'd even go as far as calling Ticketmaster "Evil as a Service".
Correct, except rather than "evil" it's "market-clearing pricing". Of course many people see no distinction there.
I believe I heard that Ticketmaster let the venue set one of the arbitrary fees and then hide it amongst the rest. So I would agree that the rest of what you said sounds likely.
> If you take a closer look at your ticket, you may notice that it has a gliding movement, making it in a sense, alive. That movement is our ticket technology actively working to safeguard you every second.
This part made me want to throw up, preferably a couple of buckets full, right onto the heads of the marketing team who came up with it.
Kudos to the author of the article. Great work and a great read to go with it.
Those little blue bars are some hard workers. They don't even sleep! Just moving back and forth all day, protecting me. <3
How about the “Add to Apple Wallet” option? He did not talk about that at all, but AFAIK the ticket would be fully available offline and not in Ticketmaster app, no? It’s actually an elegant solution IMHO.
Yes, it is available offline if you “Add to Apple Wallet”.
The ticket in Apple Wallet is still revocable if you transfer the ticket to someone else using Ticketmaster’s website, probably through an update that Ticketmaster pushes to the wallet [1].
[1]: https://developer.apple.com/library/archive/documentation/Us...
Just recently dealt with this for a big Ticketmaster event. The Apple ID has to match the email address on the Ticketmaster account, or the ticket will show as Void in the Apple Wallet.
But it does solve the offline issue that the blog author was experiencing.
I just added a ticket to my Google Wallet for a concert last night and it was very similar to the Ticketmaster/LiveNation app. The PDF417 barcode changed and had an animation around it. My guess is that it is the same or very similar on Apple devices.
So items inside google/apple wallet don't need to be 'static'?
They mentioned avoiding google wallet, so we can assume android, and that apple wallet wasn't considered for not being an option for them.
The barcode in apple wallet also auto-updates.
A few months ago I went to Las Vegas to watch U2 at the Sphere. When I learned that I needed to open the app or website in order to get in I panicked in fear of the shitty internet that is common in massive events, so I opened my tickets since I left the hotel. Unless this stuff works completely offline, it is a terrible idea.
I used to work for a mobile event app company that made a lot of the big festival/conference apps. Everything was built to function locally from a sqlite file on your phone that was constantly updated when you did have coverage.
It was 100% expected that you would have no cell signal the entire event and we built in as many mitigations as we could think of.
This was 2013ish, I think there are a lot more mesh network devices that can relay signal nowadays but I'm not involved anymore in that stuff.
It was the best on-call I've ever had because.. nobody had cell signal while the event was on to complain about something.
This person complains that people didn't have network access on their phones when they were at the gate. I can only assume that they waited till they were at the gate to install/use the app so it never got its offline data.
Always open your event apps before getting to the event. Sometimes they're completely bare bones and have to reach out and pull that app's specific database so it's sure you have the latest. Most of the event apps are a template that is modified for each event and just has different assets/sqlite.
...or just let us print g*d@mn paper tickets.
There's no way that I trust the developers of a company like Ticketmaster to install their app on my device.
What is the worst that can happen? I have it installed on my iPhone and deny whatever permissions it asks for.
I have enough confidence in the sandbox that "installing an app" is basically never an issue (though I don't out of the principle that most things companies have apps for just shouldn't be apps).
You don't trust your OS to sandbox it? With a threat model like that, I wouldn't use any apps other than the browser
As the article notes, this ticket system does in fact work offline.
Well, as it also notes, it works offline if you remember to open the ticket before you get there, and they don't (or at least didn't used to) give you sufficient warning. I found out that's how it works the hard way when it was new by having to walk a half mile back from the venue to get service to load the tickets.
There's also the chance the ticketmaster app won't work properly later even if you did do it. I've had other apps shit the bed for no apparent reason in offline mode before. I add them to my wallet now just in case.
Please notice the "completely" in my comment.
There's a faire this week in Oregon that draws people in from 500 miles away.
I've been a couple times, and what I've learned that was still not common knowledge to faire vendors as recently as last year is that T-Mobile brings out a mobile cell tower to support the faire, and no other cellular network does.
So if you're trying to accept electronic payments, the whole thing tends to fall over and you only get to sell to people who brought loads of cash and prioritized hitting your booth first. Only the vendors on T-Mobile are able to take purchases for a big part of the day, and a few other people who use the rare billing system that is fine queuing up Visa transactions until after the bulk of people leave. The line for the cash machine sucks up a substantial part of your time budget for the faire, meaning you probably miss out on some things altogether.
That's a pretty smart business move by T-Mobile, I didn't know mobile cell towers were a thing
I’ve never been clear what the main purpose of these things is but they do seem to get deployed for trade shows and such. Maybe for natural disasters?
Then there are microcells, which can be privately owned. I worked at a place that had one when I was in mobile. There was a period of time when one of the carriers would sell you one if you were having connectivity issues. It’s possible for instance, living on a hill, to have a cell signal on your roof but not in the rest of the house and they can work as a repeater.
Off topic (though the post does go into it a bit): Ticketmaster's current form is entirely due to a failure of government. Decades from now, case studies will be written on how one company managed to have a monopoly on an industry that is so not a natural monopoly.
I recently purchased tickets via SeatGeek and was provided a link to one of these barcodes, which accepted as a querystring parameter an access token that seemingly had a long expiration attached to it. It was hosted on “downloadmytickets.com”, which doesn’t look legitimate and caused me to do this same type of analysis to see how it all worked. Whether or not this was a way to bypass the “security” to enable sale via third parties, or just a very untrustworthy-looking official domain, I don’t know. But in the end it worked fine at the venue. Definitely more stress involved than I would have liked though.
Yes, these systems are getting more popular recently, I believe they are typically being run by large ticket broker platforms.
I don't know about the specific site you mentioned, however the large broker platform Automatiq runs a number of domains like this, where they effectively proxy the original ticket token, recreate it with TOTP just as in this article, and display it to any user who has the right link in a similar format to how TM displays it. They advertise this service as "Transferless Delivery" to their ticket reseller customers. The main Automatiq one is called "secure.tickets".
It reduces work for sellers, because they never even have to transfer the tickets out of their Ticketmaster account anymore. Of course, it's horrible for buyers because they have no idea whether the random website link they were sent is actually going to serve them a barcode corresponding to a real ticket or not, or whether the site will be up, and they have no rights to the ticket as far as the primary ticket issuer (TM) is concerned, buyers don't even know the name on their own tickets.
Seatgeek and StubHub seem to be aware of these systems because of how closely they work with ticket brokers, and just coach customers to accept them if they are from any of the domains known to them. See https://support.seatgeek.com/hc/en-us/articles/2074030716443... the Automatiq site is called out specifically on that page.
> My phone has no internet connection...
Who thought it was a good idea to require an internet connection at an event. For anything, not just ticketing. It is as if the people who designed these apps never went to a large event.
No internet is the rule, not the exception. Sometimes, you can't even send an SMS. Apps designed for use in events should always work offline, and if internet use is justified, take into account latencies in minutes and use bandwidth sparingly. Failing to do that will make the experience terrible for everyone, as bandwidth will be saturated by thousands of phones trying to do something with that damn app.
At least Ticketmaster does it somewhat right here. The app is supposed to refresh the ticket 20 hours before the event, to account for the fact that the internet may be unavailable at the gate.
> There’s no risk that your ticket won’t get you in
Isn’t this not true? The risk with printable tickets is that a seller could sell it to multiple people, who all print it out, but then only the first person who uses it can get in?
Even if the venue doesn’t check to see if a ticket has already been used, only one person can sit in the actual seat.
Previous sentence:
> If you bought the ticket off the event’s official ticketing agency (not a sketchy reseller)
> The risk with printable tickets is that a seller could sell it to multiple people, who all print it out, but then only the first person who uses it can get in?
Note that the portion of that you're quoting that you didn't quote is "If you bought the ticket off the event’s official ticketing agency (not a sketchy reseller)"
I.e., we're specifically talking about someone holding a ticket that they purchased from Ticketmaster. If there are multiple copies floating about, presumably at some point the artist (/the actual event) is going to be unhappy that Ticketmaster is screwing their fans/attendees over.
Ticketmaster has a system for transferring tickets, if you want to buy or sell tickets.
There could very well be a reason for someone to only sell a physical ticket, or not transfer it through ticketmaster, but I have yet to find anyone but scammers that want to do that.
The reason is, just as you mention, that scammers will try to sell multiple tickets. Then one (or many) sucker turns up to the venue, only to discover that the ticket has already been validated.
>Ticketmaster has a system for transferring tickets, if you want to buy or sell tickets
Sure, and it is terrible.
They can block you from transferring the ticket you bought, and can set a minimum resale price (effectively ensuring you cannot recoup anything)
You should own what you purchase, simple as.
>is that a seller could sell it to multiple people, who all print it out
They can't "print it out" because it's a rotating code.
> "The risk with printable tickets is..."
Let's face it, the real problem with ticket sales is scalping. OP may not like Ticketmaster, and doesn't want to install the app, but the majority of fans don't have a problem with that. The real problem for most fans are the scalpers who push prices out of their budget.
Of course we all like to dream up all sorts of technical crypto solutions to this, preferably decentralized to remove evil Ticketmaster from the equation. But I don't think the ticket scalping problem is a technical problem per se. I believe it is because tickets are currently sold under the wrong terms, which encourages scalping.
A possible solution could be to make tickets non-transferable, but always refundable. So only you (the buyer of the ticket) can use it, but you can't resell it. But if you decide not to go, you should be able to refund the ticket to the ticket office for full price. The ticket can then be sold again to someone else, for the same price.
Now, of course this is a naive idea. There are many practical and technical challenges to it, not to mention the politics of the entertainment industry. I'm not too familiar with the event industry, so I'm not sure if this would even align all the incentives, but it would benefit the fans and the performers who care about their fans.
> tickets are currently sold under the wrong terms, which encourages scalping
The incentive to scalp arises from the likelihood that a ticket will be worth more in the future (buy low, sell high) and that future worth is established by scarcity (sold out shows). To help eliminate this likelihood, the original price (face value) needs to decrease over time, ideally in such a way that the final original ticket sale occurs right when doors open, because the sooner that occurs, the bigger the opportunity for scalping. "Dutch auction" [0] is one implementation of this concept, though it's typically to find the most money a single buyer will pay, whereas in this case we have thousands of buyers. Perhaps the rate at which the price declines could be dynamically adjusted to aim for N% sold when N% of the on-sale timeline has elapsed, for any N.
The problem is convincing promoters/etc. that this would be as profitable for them as the status quo. But it might be!
[0] https://en.wikipedia.org/wiki/Dutch_auction
This is terrible - right now the random 17 year old middle-class kid at least has a small chance of getting a somewhat reasonably priced ticket to a popular show. In your model, they have zero chance.
Auction models are good for price discovery but this isn’t a price discovery problem, it is a supply problem. Believe it or not, artists don’t always want to maximize revenue from a ticket, they want fans from lower income brackets to be able to attend as well.
> Let's face it, the real problem with ticket sales is scalping. OP may not like Ticketmaster, and doesn't want to install the app, but the majority of fans don't have a problem with that. The real problem for most fans are the scalpers who push prices out of their budget.
No, the problem is artists wanting to falsely advertise low prices, and using gimmicks like first-come-first-served ticket sales and "scalpers" (usually fake, sometimes hired by the artists themselves) to do it, and the "fans" buying into this whole false narrative. If artists would honestly sell, and fans would honestly buy, at the actual prices, then the whole kabuki play of "evil scalpers" could be avoided.
but how would the artist continue to pretend to be close to The People?
The problem is scalping.
Unfortunately, this "solution" is Ticketmaster cementing their control of the ticket marketplace and spying on their users.
And (and I think you were implying this), Ticketmaster giving themselves complete control over the still existing scalping market which they use to boost their own profits without any benefits over the standard scalping market (arguably also including further downsides).
Yes, non-transferable tickets would fix the scalping part of it. I'm guessing the face value would go up a lot in that case, and that's fine... at least it's an honest market then and ticketmaster cannot pass the blame on to the scalpers.
> The real problem for most fans are the scalpers who push prices out of their budget.
Isn't that the market sorting itself out? What do you want, planned economy? How is fixing the price on a ticket different than the soviet union stamping prices directly onto manufactured items. I meant this to be sarcastic, but it's only half so, since I find the comparison appropriate, you know free market and all.
> What do you want, planned economy?
Every world economy is a mix of a market system and a planned economy. No economy is a pure market or a pure planned economy.
Nice reverse engineering! As a hacky way for the non-tech-savvy, couldn't you use a temp account to create ticketmaster account and then buy the ticket and then sell the temp account information to bypass their rules?
This reverse-engineering also breaks if ticketmaster forces venue staff to only scan if the barcode is in the ticketmaster app. Unless you create a lookalike app to trick the staffers.
I am not an expert, but I think one of their layers of protections (that is, to ensure that TM itself gets the greatest share of scalping money) is applying much greater scrutiny to freshly-created accounts when it comes to the in-demand events. I'm not sure how they effectively bootstrap new legit users of course, but I've been offered I think around $100 to sell my Ticketmaster account, which is old. (I can't recall how they found me, perhaps it was an ad just stating that they'd buy an account older than X years).
> bootstrap new legit users
Phone number? The friction/expense of a scalper getting a new one for every sale would seem sufficient. Although I guess the scalper could reclaim (via password reset or whatever) accounts after the show to some extent.
Good luck forcing a check like this at a busy event venue.
I once paid at Starbucks with the Apple Wallet barcode appearing in a photo of my phone displayed on the back of a DSLR. Plopped my not-remotely-iPhone-like Nikon D800 on the counter lens-down, LCD-up, barista scanned it without a second thought.
Great read, though I am compelled to comment on this ad-hoc date/time conversion:
Consider reaching for `date` from GNU coreutils instead:
Fewer keystrokes, faster execution, and the output includes the TZ offset.
Great article indeed, but that python line triggered me too.
It's a good reminder though. We are all smart individuals with a wealth of knowledge, but we never know everything.
It's one thing for customers' phones' wifi issues to be a problem, but it's an even worse problem if the scanner itself needs reliable connectivity. That makes me wonder if there is some kind of delegated deterministic derivation step in the secrets too (which wouldn't be obvious in this kind of analysis), so that the handheld scanners can avoid an on-line dependency.
They needed reliable connectivity in the previous scenario (checking barcodes against a central db) - they just set up a local private wifi network for the handsets and all the venue devices.
Otherwise I can't see how you would avoid replay attacks.
You can do time-based binding. Many TLS/Quic 0RTT take this approach; where the signature is only valid for a second or so. It's not as good as a real strike register, but probably ok for this kind of environment. Of course the barcodes would need to be more dynamic, but that's doable.
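The two ideas raised in this sub-thread, a scanner that derives per-ticket secrets offline from a single event key and time-based binding backed by a local strike register, can be sketched from the verifier's side as follows. This is an added example, not code from the article or from Ticketmaster; the barcode layout, the 15-second step, the function and class names and the sample key are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 15        # assumed rotation interval of the displayed code
ALLOWED_SKEW_STEPS = 1   # tolerate one step of clock drift either way


def derive_ticket_key(event_key: bytes, ticket_id: str) -> bytes:
    """Delegated deterministic derivation: the scanner stores one event key
    and recomputes any ticket's secret without a network lookup."""
    return hmac.new(event_key, b"ticket:" + ticket_id.encode(),
                    hashlib.sha256).digest()


def code_for(ticket_key: bytes, step: int) -> str:
    """Truncated MAC over the time step: the time-based binding."""
    mac = hmac.new(ticket_key, struct.pack(">Q", step), hashlib.sha256)
    return mac.digest()[:8].hex()


def make_barcode(ticket_key: bytes, ticket_id: str, now: float) -> str:
    """What the ticket holder's device would display (hypothetical layout)."""
    step = int(now) // STEP_SECONDS
    return f"{ticket_id}:{step}:{code_for(ticket_key, step)}"


class GateScanner:
    """Offline verifier with a local strike register of admitted tickets."""

    def __init__(self, event_key: bytes):
        self.event_key = event_key
        self.admitted = {}  # ticket_id -> time of first admission

    def verify(self, barcode: str, now: float) -> str:
        try:
            ticket_id, step_text, code = barcode.split(":")
            step = int(step_text)
        except ValueError:
            return "malformed"
        # Time binding: a photographed or forwarded code goes stale quickly.
        if abs(int(now) // STEP_SECONDS - step) > ALLOWED_SKEW_STEPS:
            return "expired"
        expected = code_for(derive_ticket_key(self.event_key, ticket_id), step)
        # Constant-time comparison of the presented and expected MAC.
        if not hmac.compare_digest(expected.encode(), code.encode()):
            return "bad-mac"
        # Strike register: a fresh, valid code for an already-admitted
        # ticket is still refused, which the time window alone cannot do.
        if ticket_id in self.admitted:
            return "replay"
        self.admitted[ticket_id] = now
        return "admit"


if __name__ == "__main__":
    event_key = b"constructed-sample-event-key"   # constructed sample value
    scanner = GateScanner(event_key)
    ticket_key = derive_ticket_key(event_key, "T1")
    shown = make_barcode(ticket_key, "T1", now=1000)
    print(scanner.verify(shown, now=1005))   # within the skew window
    print(scanner.verify(shown, now=1006))   # same ticket presented again
```

The strike register here lives in one scanner's memory, so several gates would still need a local network or a per-gate ticket allocation to share it, which matches the venue-private wifi setup described above.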
I don't understand how they're allowed to get around the first sale doctrine?
Once I buy a ticket, it's my property. I should be able to sell it, by any means I want, to any person I want, at any price we agree upon.
Just addressing the how: the first sale doctrine applies to copies of copyrighted works, not to tickets.
OK, but the "first sale" doctrine really just says that copyrighted works are like any other item that is bought and sold?
So I haven't read their fine print lately---is Ticketmaster not selling you a ticket, but a non-transferrable license to attend the event?
And they do not have to sell you bulk tickets that makes scalping a viable business
They want to monopolise scalping
v2 of this will require an Android/iOS app which will make use of the platform's secure storage abilities for the key.
On non-rooted devices, those are pretty much impervious to the user trying to inspect their contents.
And this is why those companies love DRM'd (non-rooted) devices and try to detect when you broke this form of DRM: you can't get at your data, not even to make a backup of it; they're in full control. Also for security (can't grant root to malware if you don't have the permission to grant that), but also for everything else
You could extract the barcode at all times in the future by setting the system clock (you can do this on non-rooted phones, and keep it that way at least if you do it in airplane mode).
The Android docs mention a "secure timer" in the hardware security module, but I'm not sure that it can be used to prevent this.
https://developer.android.com/reference/android/security/key...
>Software developers are the wizards and shamans of the modern age. We ought to use our powers with the austerity and integrity such power implies. You’re using them to exclude people from entertainment events.
I can definitely think of worse things programmers are doing aside from making it mildly difficult to see Taylor Swift.
I have personal qualms with working in certain industries because of this, but Ticketmaster ultimately provides a luxury. You don't need to see a concert, and if you have such an issue with their business practices you can do something else with your Friday night.
I've actually never had an issue with Ticketmaster. At a point a certain other ticket provider just blocked me without any explanation, and I had to go down to the box office to buy tickets. That sucked, but compared to airlines who do weird things like print off tickets without the actual seat number, Ticketmaster doesn't bother me too much.
You’re not considering the stagehands and artists who have to live under Live Nation’s vertical monopoly. I was chatting with a former tour guy the other day, someone who’s been a tech for major touring bands since the ‘80s, and he mentioned that he had to quit the business because Live Nation had driven wages down below poverty level while bringing in random unskilled labor to do highly-technical stage setups. (He quit after almost losing a hand to a large piece of unsecured stage equipment.) The enshittification of modern life is an inconvenience to most of us, but life and livelihood to many others.
> Ticketmaster ultimately provides a luxury. You don't need to see a concert
I don't agree. Entertainment/recreation is a need. Music is an important part of the human experience, and seeing it live, with other fans, is really valuable to some people. And the fact is, the value a person places on the experience is totally orthogonal to their ability to use/afford Ticketmaster. And it's not just about Taylor Swift - even local shows can be difficult to access without quarrelsome online portals. (But also, someone being obsessed with Taylor Swift isn't a personality flaw.)
You can find a bar with a band playing. I suggest Kingston Mines if you're in the Chicago area.
Ticketmaster doesn't have a monopoly on music. You can vote with your wallet.
I agree that experiencing music is a fundamental part of human life, but experiencing specific musicians at specific venues is not. It is very easy to find free live music without Ticketmaster or online portals.
A $COACH_COMPANY in the UK has recently announced that they are moving to only app-purchased tickets. Except tickets purchased directly from the driver, which is VERY expensive.
Well, F.U. $COACH_COMPANY. I don't want to have to install your app for that, but I guess I won't have any other option if I need to get to the airport.
What is one supposed to do if they don't have a smartphone and/or an internationally accepted bank card?
> "Screenshots won't get you in"
I'd say this highly depends on the fastidiousness of the ticket taker and the rules of the venue. I purchased Major League Baseball tix recently through my employer which uses a 3rd-party seller site that has restrictions like this (a moving graphic behind the barcode with the admonishment not to take a screenshot because it won't work).
I was unable to attend the event that night so I sent my wife a screenshot of the ticket. Two tickets, in fact. They were taken with zero issue.
> I paid three hundred US dollars for this high-tech experience.
That's a good incentive for companies to keep up with the "high-tech experience".
> Software developers are the wizards and shamans of the modern age.
No they are not. The big difference is that wizards and shamans closely guarded their secrets to keep their position secure, while software developers will happily give them away to as many people as possible.
This means that software developers as such have close to zero leverage.
A system like that could work in an entirely disconnected mode where the "ticket" device has a cryptographic token whose signature can be checked at the door without either side having internet access. The weakness of that system is that you can't "revoke" or sell tickets. Such revocation would be possible though if either the ticket or the validator device is internet connected.
I saw the New York Red Bulls play not long ago and had to use Ticketmaster's system for the first time. I travel with a tablet, not a smartphone, and I was expecting trouble. Turns out the only trouble I had was that they didn't want to let me in with a tablet but they did when I explained my ticket was on my tablet. It did require an internet connection but Red Bull Arena has great WiFi so that was no problem.
> Based on this, it might be reasonable to assume the rawToken is only valid for a 20 hour period
Bet your bottom dollar it’s good for 24h and they added 4h of buffer in their API guidance to handle admissions after the start of the show “for free.”
Not that this really gets you anything, just made me chuckle.
One thing this article kind of misses: You need that unique token... Ok, you can get it in some way.. But ticketmaster should keep it private, then, even if you know the algorithm. You still can't do a lot without the token......
So he reverse engineered it, but it's still secure: You need the token.
It's a little bizarre to me that they are annoyed at being dependent on the signal but want to avoid Google Wallet because ... privacy? What privacy do they have so far? I can understand keeping your credit cards off of it, because Google is obviously getting a list of all your purchases. But there's nothing really private about having a ticket to a concert through Ticketmaster. They "take your privacy seriously" and sell your information to commercial partners and send you offers of things they think you're interested in.
What I find really interesting is that there are so many scams that the rejection of tickets is common enough to go unnoticed. Someone testing out their new "F-ticketmaster" ticket generation tool is free to test it in the real world. If it doesn't work they will simply be turned away at the door like so many others who have been scammed. Nobody would notice the test.
But if each ticket is for a particular seat, would ticketmaster notice if two people came with tickets for the same seat? I bet not. I bet they just trust their ticketing system to be foolproof. If anything they might just reject the second ticket without any way to know which was authentic.
Reading this reminded me when last year I found a few old venue printed ticket stubs to concerts I went to in the late 90's and 00's. I almost threw them out when I realized they weren't really taking up space and could be maybe put into a collage or photo/scrap book. I just suppose I find it laughably absurd that something as mundane as a ticket stub was replaced by an energy wasting Rube Goldberg contraption that doesn't do anything for the person who wants to go to the concert.
I agree about the bad implementation, but the opening complaint that "old way of printable tickets was great why change it" has so many problems.
Scalpers are the problem that you have to accept. At the time of purchase, there's no way to tell the difference between a legit purchaser and a scalper or even someone who bought it and simply can't go and needs to resell.
IDs, ticket limiters, CCs, etc, etc. All methods can be circumvented by someone dedicated enough. You can only make it "not scalable" but the tickets still need to be transferable, securely.
Unless we're willing to go ID checking at the gate, there's not going to be a true solution.
Buying something at a low price and selling it at a high price is arbitrage 101 and is free money.
The "true solution" is to sell tickets at their actual market price instead of pretending that the face value of concert tickets isn't increasing due to a larger population and greater demand.
People will scream (including in this thread) that it’s “unfair” that ‘only the wealthy can afford them then’ but their beef is with scarcity and thus with reality. It’s always “unfair” to the 10,001st person who wants to attend the concert with 10,000 capacity. Today it’s a weird lottery with 6 different fan and credit-cardmember presales, which each sell out immediately, and the “backstop” at the end which is the ability to buy expensive scalped tickets.
There are finite tickets but unbounded demand. A lottery means you can slightly adjust the distribution of poor vs rich, but in practice today it still advantages those comfortable enough to sit around refreshing their computers at the right moment, instead of working. And lots of opportunists will snap up those tickets you are hoping poor people will get, to sell them to the wealthy.
In my opinion for in-demand shows it should just be a Dutch auction (all of the highest 10,000 bids win, awarded at some fixed cutoff date before the event). If not enough bids are received, the concert isn’t sold out, so then the rest go on sale for the lowest bid.
> The "true solution" is to sell tickets at their actual market price
That is *a* solution but it isn't *the* solution. The fact that many smart people are not choosing that solution is an indicator that there are some factors to the problem that you aren't considering.
> Buying something at a low price and selling it at a high price is arbitrage 101 and is free money.
A bit of a nit pick, but this isn't "free money" unless you have a guarantee that someone will actually buy at the higher price. You could buy low, be unable to sell, and end up eating the "buy low" cost.
> sell tickets at their actual market price
How do you know what their actual market price is? You have to open it up to a market, where supply/demand get to play out.
IIRC some ticketing company tried doing something to this effect by scaling prices in realtime based on how many people were also trying to buy. I believe it was widely criticized as unfair/exploitive.
So you're back to square one then, where you have to set some price.
It's interesting how the real problem here is that our economic system has no way to sell a product at what the seller will bear, only what the buyer will bear.
I think this is a fascinating feature, a lot of artists would be more than happy to make $X for a show so that their fans can come see them. The problem ends up that a free market has no mechanism for that, the artist can sell the tickets such that they end up with $X but then you get things like scalpers who don't want to see the show but do want money and act like artificial demand. They know that regardless of what the seller wants there are buyers that will pay $X+N and want to capture that $N.
The scalper provides no value to the market, but they get $N, which seems like a market failure to me. The fans lose $N, the artist still only gets $X and they also get reputation damage because fans are upset that things cost $X+N.
And that's just the end of it. The artist literally can not perform for their fans at a venue for $X even if that's what they want, there's just no mechanism in the free market to make that function correctly. I find market failures like this fascinating because it really shows the limits of how "free" markets operate. The only person that isn't free to do what they'd like is the producer of the good being sold, they literally can't sell it for less than the market will bear.
And I suppose this plays out for every part of the market, if I can produce apples and make a profit for $1 a bushel and that's plenty of money for me, I don't want any more, tough shit. Arbitrage will make sure that people pay more for those apples. If people are willing to pay $5 a bushel then someone will snap up my cheap apples, mark them up and make a bunch of money for doing nothing. Even if I were willing to do all the distribution myself, if the person conducting arbitrage adds no value to the system (the common argument being that they deserve the money for finding cheap apples and connecting people that demand apples with a supply of apples), it just can't happen. The incentive to make that free money means everyone loses, I don't get to give people cheap apples, people don't get to enjoy cheap apples, everyone is worse off except for the person doing arbitrage.
IOW the true solution to scamming is to raise prices so high that only the extremely wealthy can afford them, regardless of how accessible the actual concert/act/group/promoter wants the show to be.
The "real" solution here would be for Ticketmaster (or whoever) to actually make a ticket non-transferrable somehow, and then allow for tickets to be transferred directly through the original website for at most the original ticket price, and refund me the money.
For example, if I have a $200 ticket and I can't make it and want to sell it, I can post up a link to the original ticket seller's website (in this case Ticketmaster) where someone else can go buy it, and, if they do, I get a refund of the amount they paid. I can say how much I'm willing to accept (full price, $150, whatever) and someone can go buy "my" ticket, potentially at a loss if I'm willing to accept it. Ticketmaster can make money on these tickets by charging a non-refundable processing fee or whatever to everyone (the original buyer and any subsequent re-buyers). They make a tidy profit, everyone gets what they want.
The only complications are
1. making the tickets non-transferrable but also work offline is a difficult technology problem
2. Ticketmaster is an unregulated monopoly and thus has no incentive to behave in the best interests of the market or its customers when they could rake in millions more by screwing everyone except the scalpers
As far as I understand, this can't be done due to PR.
"evil scalpers are exploiting this poor artist by charging outrageous prices and preventing many fans from going" is a far better look than "evil artist is exploiting their poor fans by charging outrageous prices and preventing many fans from going."
To prevent scalping, you'd need a massive price increase, and very few artists are willing to be the first to do this.
The market sets a clearing price for the ticket as commodity (i.e. for a single event). However, the iterated game that is the spectator-performer relationship, the seller may _strongly_ prefer yielding some of their benefit to the buyer in exchange for long term EV, positive PR, or just plain old goodwill.
The problem is maintaining a mutually-beneficial but economically suboptimal equilibrium.
The reason they don't do that is to have an organic fan base of poor people who drive up the prices for the rich people. If you eliminate the poor people, the rich people aren't going to take the band forward. They'll move on to whatever the next shiny thing is. You need a hardcore fan base of poor people to support and grow your valuation.
Buying a single-use item at any price and then selling it on at any price to multiple people is fraud.
Fiddling with the prices does absolutely nothing to fix that problem, because it isn’t a problem with price, but a problem with developing an unduplicatable token.
Ticketmaster is evil, and most resellers are fine, but some are evil and that’s a problem this at least attempts to solve.
It's only free money if there's no risk, and if there's no transaction cost to acquiring at the lower price. If there's no risk in buying something low and attempting to sell it high, then that thing is mispriced.
That's because there isn't a difference between a "legit purchaser" and a scalper except their intentions, which you can't get from any kind of barcode.
> Scalpers are the problem that you have to accept.
Several European countries ban reselling tickets for more than the original cost.
> TicketMaster markets their SafeTix technology as a cure-all for scammers and scalpers
Scammers - yes; but how scalpers? Does this mean there is no way to resell or give the ticket to another person?
Edit: The answer was a couple of sentences later; looks like yes, unless via an official marketplace. I like this even less than scalpers.
"SafeTix makes it harder for people to resell tickets outside of TicketMaster’s closed, high-margin ticket-resale marketplace, where they make a boatload of money by buying low and selling high to customers with no alternative."
> Shame on you for abusing your talent to exclude the technologically-disadvantaged.
Very minor nitpick: I don't like the term "technologically disadvantaged" here. While it is undoubtedly true that there are many people who are without smart phones due to economic reasons, or because their battery died or their phone was just stolen ... there are also lots of people, myself included, who would CHOOSE to forgo a smart phone when attending a concert / event.
My wife and I live in a city with a Caesar's hotel and casino within walking distance. When there are shows and concerts we are interested in, we don't hesitate to buy tickets. When we go to such a show for a date night, we would like to leave our phones at home. Some of this might be due to our being middle aged, and so we're not glued to our phones 24/7, but it's also just a hassle to bring them through security, and to often have to put them in those lock bags because they don't want people recording etc.
So to us, e-tickets are evil for no other reason than the fact that it assumes that we want to have a phone on us and to use it as a ticket. I will happily pay the fee for a physical ticket whenever available.
People always cite exclusivity deals / monopoly power when it comes to Ticketmaster's dominance, but I also recall reading post-mortems about several failed competitors that indicate the problem Ticketmaster solves (massive spikey demand with strict guarantees on the seats selected) is quite technically challenging. I know, it doesn't seem like it would be that hard to solve, you're probably already thinking how you would do it. But you can't ignore that many others have tried and failed.
I got tickets for a concert in UK, which could only be bought if you had UK Ticketmaster app. No, the international version of Ticketmaster app did not have these. Had to get me a blank Android phone, had to initialize it pretending I'm in UK via VPN, so I can see the UK Android Playstore (got my phone number blocked by Google in the process - "too many verifications from this number"). Then, it finally let me get the tickets and actually see the dreadful barcode in the app.
This is horrible. Please stop.
Impressive. I had no idea mobile-only tickets are a thing. For me it's always been the other way around because sometimes some events would insist on a printed ticket even if it comes as a PDF with a barcode. This sort of thing became annoying enough to me that I bought a printer.
But then ticket resale online marketplaces aren't a thing around here either. When people resell event tickets, it's usually an entirely DIY affair.
> They can’t have robust DRM on their tickets if those tickets can still be viewed offline.
Of course they can. All they need is a secret key embedded somewhere that the app can access but you can't. It's just a happy circumstance that they used a simple protocol in which the key is easily extracted. But they could have used a proper PKI protocol instead, which would have made it much harder, if not impossible, to hack.
If the app can access it (offline, on your device), then what stops a developer from using tools to extract the token from the device, either from wherever it's stored in memory or using an interactive debugger to extract it as the app requests it?
Nothing stops a (sufficiently motivated) developer from doing that. But it will stop a muggle.
https://archive.md/hrgE0 / http://web.archive.org/web/20240521005653/https://conduition...
Great post. While I'm all for messing up greedy companies, this is a clear example of why JavaScript should never be used for security. Executing the code locally, plus the ability to read the source code, fundamentally goes against securing your application. It doesn’t mean that not having those will make the application more secure, though.
Another case of abusing ToTK, an excellent technology that promised convenience, security, and offline access. Similarly, Duo builds their stuff off ToTK and then fending off (or makes it very, very hard) you from using a third-party ToTK authenticator with their sites. This company just jettisons the fine promise of available offline that was made by ToTK.
Tears of the Kingdom?
TOTP?
Very cool post, but as someone who has been on the other side of the situation, I do have sympathy for what they are trying to accomplish.
I bought a ticket that someone had double sold, and by the time I got to the door, they turned me away and said the ticket had already been used. So their system has good intentions, they just need to make it work offline.
> This ticket is digital. Saving data offline is the same as copying it to your hard drive. If data can be copied, it can be transmitted. If it can be transmitted, it can be shared. If it can be shared, it can be sold.
Is this still true in the age of locked-down bootloaders, secure enclaves, TPMs etc?
That data might be part of a backup to your Mac. Maybe it’s even just a sqlite file.
Fantastic article. Really easy to understand.
Side note: this is actually a great advertisement for server side rendering! If they didn't do all this client side rendering, exposing data in JSON APIs, then I doubt this reverse engineering would have been possible.
Except then I'd need to have a good data connection at the venue, and the odds of that are infinitesimally small.
I see what you mean. The barcode wouldn't work offline.
It seems like that didn't matter at the venue though? The spotty internet connection not allowing the code to load was the first part of the article wasn't it?
Isn't this vulnerable to ticket 'selling' by simply sharing the username and password of the ticketmaster account?
it's not like a ticketmaster account is 'worth' anything, so the seller can simply set up a new one for their next purchase.
actually, aged ticketmaster accounts are worth something! people will buy them for a few dozen dollars, as they get priority in ticket queues.
Setting up separate accounts for every ticket purchase seems like a LOT of overhead (especially scalpers buying many tickets at once and piecemealing them out), and is easy to defeat, e.g. require out of band auth via the phone number associated with the account before logging in for the first time on a new device.
Based on the highly questionable PS/Xbox accounts sold on eBay, I think that's just what scalpers could do as part of their everyday job.
Well you can transfer the ticket to someone else for free anyway, so not really an issue.
Or you can transfer it to another name and print it out - just the name on Ticketmaster's system has to match some ID you have in the print scenario.
Would be interesting to see the same done for the UEFA ticket app. They use QR codes that are activated/visible only when the user in on site, detected via Bluetooth. They claim that secondary use is then not possible.
> If you take a closer look at your ticket, you may notice that it has a gliding movement, making it in a sense, alive.
I feel like I am in a Disney movie.
What's the deal with PDF417? Why did they choose it over QR?
Perhaps a better question is: Why not PDF417?
What functional improvement would be had by using a 2D QR code?
One possible reason I can think of is that phone camera apps will not proactively read PDF417 barcodes like they will QR codes, thus discouraging people from thinking they can scan and decode them.
PDF417 has non-square pixels (or rather as it's called in barcode nomenclature "modules") which feels very janky - it was meant for linear scanners after all.
Oh, and quoting Wikipedia:
In practice, a PDF417 symbol takes about four times the area of a DataMatrix or QR Code.
This was a fun read. I wonder if they reported it to a bug bounty program of theirs. Based on his writing how he feels about their business I'm going to guess no.
This isn’t a vulnerability. It has to work this way if offline access is permitted.
> This is a contradiction in TicketMaster’s marketing. They can’t have robust DRM on their tickets if those tickets can still be viewed offline.
The "robust DRM" is called "ID cards". Here in Europe, it's become commonplace to tie soccer tickets to ID cards that are verified at the gates to keep hooligans (or those suspected of being hooligans, which is a status that is way WAY easier obtainable than one might reasonably assume) out, and high-class events that attract scalpers like a pile of dungs attracts flies have been doing that for even longer.
Huh, weird, turns out an old, low-tech solution is much more secure than Ticketmaster's roll-your-own weird TOT-QR "security" (even considering the magic animation that makes it "in a sense, alive")
(Not that requiring ID doesn't raise the same and also other consumer rights issues)
The thing is, unlike most of Europe, the US doesn't have a legal mandate for anyone to possess an ID card, and so in practice you got 50 states worth of driver's licenses, library cards, military or government employment IDs that can be used (or faked)... so you can't really use these for legitimately verifying anything unless you want to spend a lot of time and money to train your staff to spot fakes. Banks can do that but no one wants to do that for the goons that run security at venues for minimum wage.
>They can’t have robust DRM on their tickets if those tickets can still be viewed offline.
https://en.wikipedia.org/wiki/Trusted_Computing
I wonder why did they implement this gimmick while having access to all the resources in the world. Or maybe they thought that this is smart.
I can't buy a ticket in my country, because my phone number is foreign. Can I use this to have someone buy it for me and transfer it to me?
Truly a noble cause.
Great post, bummer this will probably mean we can no longer use this as soon as they implement something stronger.
Shitty companies doing shitty things. I think this is the expectation in 2024.
I get the loathing for Ticketmaster and all, but can we just also acknowledge that the only reason they can do what they do is because the various entities they collaborate with participate in the monopolistic cartel scheme?
Can we also please acknowledge that if people stop going to the things Ticketmaster sells tickets to, they will stop these practices? No one is forcing people to participate in these things; I don’t.
Lastly, it even calls itself Ticketmaster. And you didn’t realize you are a Ticketslave? It is right there, in the name! Right in front of your eyes!
It always amazes me what they can get away with and people just behave like buffalo on the Serengeti, stampeding through the croc infested river … “those crocs are the worst! Ok, Karl, we are up next”
Instead of chiding your TicketMASTER devs and alpha slave MBAs, maybe stop being a TicketSLAVE altogether. Has that dawned on any buffalo?
Fun fact, to drive the point home. Guess how the predators of the Serengeti are treated when they want to go to an event. You think they deal with Ticketslavery even though the Ticketslaves is how the cabal makes its money?
Mirror this before it gets a DMCA takedown or something.
you can add them to your apple/google wallet and boom internet doesn't matter, but he ignores that.
"besides the fact that I don’t want to install their spyware on my phone."
There's no other mention of spyware in the article - does anyone know what this is referring to?
I think it's just usually any 3rd party app is to be considered spyware nowadays.
OK - just general tin-foil hattery.
I know the discussion has drifted into the larger realm of ethics and civic responsibility. But with respect to the original title, I always thought that it would be trivial to create a software 'tumbler' the logic of which was based on primitive examples, such as this. Edit: each user could have their own initial state. https://en.wikipedia.org/wiki/Alternating_step_generator granted you'd need to ramp up the bits to make them less crackable. Then all you'd need is some translation to 2-d QR scancode graphics and a silly sliding bar and voila! Ticketmaster hegemony.
But yes, it's disgusting that I've needed a phone for events...
The solution to scalping is simply to not buy tickets from scalpers. Never did, never will.
How hard is that really?
> I now know everything I would need to duplicate TicketMaster’s barcodes
Until they change their encoding.
Requiring the installation of a proprietary app to do anything should be forbidden.
> If they had issued me normal, printable PDF tickets I could save offline to my phone
Uhm, you can save the tickets to Google Wallet.
This doesn't work on GrapheneOS.
This is Gold - but also Ticketmaster is an evil monopoly
Disclaimer: This isn’t from a real SafeTix barcode. I don’t want TicketMaster to be able to identify and harass me.
Bullshit, TicketMaster. It’s a CSS animation. Get over yourself.
I think we can all agree: Fuck TicketMaster
super entertaining read! many thanks.
Reverse engineering? More like “reading plain English”!
For a billion dollar corp that is some atrociously poor security
Agreed, fuck Ticketmaster. Sincerely.
nice, more of this please. the constant abuse through everything digital has to be fought
I am sure this is pointed out elsewhere, but Ticketmaster's business model is based on lying to the public so that the artists and venues don’t have to.
Taylor Swift is a nice-ish person and wants her fans to think they can buy tickets for her shows at about 25 bucks because that’s a lot of money for a 12 year old and she does not want to alienate her fans.
Her manager is an evil cackling bastard and wants to get as much as he can.
He knows if he sells all the tickets for 25 bucks he will lose money in the tour and the people who resell the tickets for 2000 will make 1975 dollars profit.
So he does a deal with ticketmaster.
They will sell 100 seats at 25 bucks, then announce “wow that sold out quickly” and then pretend that the other 5000 tickets they have are sold, and then resell them on secondary sites (ie Ticketmaster is actually selling you original tickets through secondary markets).
Then they give the cash to the evil manager who twirls his moustache.
All the rest, the adding extra charges at end of sales process, the ridiculous rush to buy at a given moment in time instead of some auction or lottery, the whole thing of backhanders to venues, all that is secondary to enabling Taylor Swift to take a huge cut without seeming like an evil moustache twirling money grabbing manager.
I'm not sure this is true. Most (~80%) large venues are owned and operated by Live Nation, who also owns Ticketmaster. They also have exclusivity agreements with hundreds of others.
It's, in effect, a shell operating as a scalper and a customer service disruptor. This has very little to do with the artist beyond selecting venues.
It's about 60% of large venues. The 80% is Ticketmaster's share of the ticketing marketplace.
I don't think this is accurate. Ticketmaster/LiveNation control most good/big venues so artists have to deal with them in some way. Artists generally don't want to charge market clearing prices to their fans (for niceness and PR reasons) but Ticketmaster is happy to be the bad guy and do that via exorbitant fees. I'm very in favor of breaking up Ticketmaster but we should be clear-eyed about what that will do: it will transfer money from either Ticketmaster to scalpers or transfer money from Ticketmaster to artists.
Fundamentally, if there's someone out there willing to pay up to $x for a space-limited event, they will find someone to give that $x to. I'd rather that person be the artist.
There was an article in the LATimes a few years ago with the former CEO of Ticketmaster who explicitly confirmed the above. Ticketmaster does a deal with the band to charge as much as possible and take all the negative blowback or whatever about it and then gives them a kickback.
Taylor Swift's manager is a woman. And an artist like TS is going to know exactly how it works behind the scenes
The grandparent is implying that "Taylor Swift" and the "Evil Manager" are two sides of the same coin; they don't need to even be different people. The system lets a (big) artist extract value while keeping their public image clean. It's a shell game, and Ticketmaster plays the role of bad-guy-as-a-service.
Of course, their insane monopoly means they also get to take advantage of smaller artists, venues etc. None of this is good.
Hey now, it's 2024, anyone can twirl their evil mustache if they want to sport one. Just wash your hands afterwards.
If Britney Spears's book is to be believed, the talent can be kept in the dark.
Can you provide a source for artists getting a cut of the greater-than-MSRP resale market?
There are a lot of journal articles about this, but here's a recent NPR story [0] and a Vox article from 2019 [1].
[0] https://www.npr.org/transcripts/154299904
[1] https://www.vox.com/the-goods/2019/7/22/20703858/live-nation...
Why shouldn't the artists get a cut of the greater-than-MSRP resale? Yeah, I realize that some pretend that the MSRP is the real price, but if anyone should get a cut of the jacked up fees, it should be the people on the stage or producing the show.
There was a trial in 2009 that had Katy Perry’s contract with Ticketmaster released into the open - cannot find it at the moment but it was explicit about how many tickets would be available for her to sell etc
This is all open and documented in the upcoming prosecution by US attorney - also cannot find atm
> Taylor Swift is a nice-ish person and ...
Face value on tickets for her last tour started at 75.
All that money went to Taylor. ALL OF IT.
How do you pay for support staff, trucking? How do you pay to move t-shirts from one venue to the next?
This is where all those fees come in... It's not the manager grabbing the money (that bit is later), it's the promoter covering the cost of the tour. Paying for staff to haul and set up a stage at every venue, paying for band members, dancers, people to run lights...
The Management (and the artist) will then "hold back" tickets. Most of the best seats are sold one of two ways. Fan club packages, where you pay 3000 bucks to meet the artist, get a photo and get a good seat. - OR - they go directly to the secondary market. This used to be scalpers (who "worked" for management) but now is secondary sales sites.
There are still two more bits: Concessions. Most artists get a pretty hefty kickback after covering venue staffing. These contracts can be weird, but artists, managers and promoters LIKE Ticketmaster being a one stop shop. It lets them negotiate a single deal (and one that is better for the artist) for the whole tour. Then there is merch, this is a gold mine for the artist and management too. Again there is a staffing component but that is covered by the concessions (mostly).
In a lot of cases a venue will not sell out, and that is FINE. What happens is that the "fans" ran to the front of the line and paid too much for tickets, bought on the secondary market to get good seats. In many cases there was so much money made at this stage that the monetary value of the rest of the tickets drops to zero....
At that point no one wants a half-empty venue... So it gets papered over. They give away tons of free tickets, they "leak" a late box office hold being released... but it's now a fire sale. The nose bleed seats are selling for 5-10 bucks (even in today's market). Because asses in seats sells beer, t-shirts, and a full venue makes it an "experience"
This is the model that Bill Graham built and the vision of the industry he was going towards. TM is still, at its core, Bill Graham Presents.
I used to work in the industry, it's a hot mess and everyone is greedy.
Sounds great. Won't be going to any Ticketmaster events ever, and you shouldn't either.
I, too, love a good Tuvan throat death-metal band in the outer suburbs of Ulaanbaatar.
Not sure why you are saying Taylor Swift's fans are 12 year olds because they aren't. The average age of a Taylor Swift fan is closer to 30.
And because of Taylor Swift there is now a DOJ investigation of Ticketmaster. Taylor Swift is not on the side of Ticketmaster like you are conspiracizing.
As much as I dislike Ticketmaster this is pure conspiracy unless you provide sources
I can't confirm what they said, but TicketMaster does have a "partner" reseller program for scalpers where they have tools to help scalpers list and manage resale tickets in bulk. They also have events where they help teach scalpers how to make more money, which is good for TicketMaster since it makes even more money on secondary sales. Ticket scalping used to be illegal, and now TicketMaster is helping facilitate it.
Source: https://www.cbc.ca/news/business/ticketmaster-resellers-las-...
Scalping aside, TicketMaster is taking massive fees each time the same ticket is sold. For example, I went to an event last year and the fee was $50 on each ticket, and these were reseller tickets so TicketMaster had already taken a fee on each of those tickets at least once already (perhaps more than once).
TicketMaster also owns many venues or has exclusive deals with most large venues that prevent those venues from using any other ticket selling platform. The DOJ is currently investigating this monopoly. TicketMaster alleges it is not a monopoly since there are many smaller venues that they are not involved with.
LiveNation (who owns Ticketmaster) acknowledges that they do this with the artist's consent. https://archive.md/1JeG5
Even if it's true it's a conspiracy
> Conspiracy
> a secret plan by a group to do something unlawful or harmful.
It could be true but Ticketmaster is explainable by the purely mundane evil of a monopoly. I could be convinced but I too would want evidence.
> Software developers are the wizards and shamans of the modern age. We ought to use our powers with the austerity and integrity such power implies.
This is one of the most powerful truths underlying the world we currently inhabit. The sooner we can agree to behave accordingly, the better our prospects for ripping the reins of society from the hands of those whose only animating principles are avarice and exploitation.
I still don't blame the developers, I blame government. It's not the job of rank and file workers to police companies. I wouldn't work for LN, but I'm not going to blame someone else for doing so. We've all gotta feed our families. (I realize there's a line somewhere, you wouldn't excuse a prison guard at Auschwitz the same way, but I can't get too worked up about a developer making a ticketing app even if I hate the ticketing company.)
Developed countries long ago came to the conclusion that companies should not be allowed to have monopolies because it is bad for society as a whole, and it's hard to think of a current monopoly as egregious as this one. There is absolutely no reason one company should have exclusive rights to 85% of large venues, also be an event promoter, and also be the ticket seller.
Anything their developers do is not the real issue, a society that allows this to happen in the first place is.
> I still don't blame the developers, I blame government.
Yes, but I think they still have some responsibility, even if they say "I was just following orders!" [1]
[1] https://en.wikipedia.org/wiki/Superior_orders
Even government software has issues (Vienna). I paid a €100+ fine for not having a ticket, even though I spent time going through the purchase flow. I have 100s of tickets purchased. Live agent and support agent just shrugged and told me I don't know how to use the app, washed their hands of any responsibility or need for understanding.
It's like there's no way to make the software human and humans in the loop have a crutch to lean on to not behave as a human. When I contacted the dev team directly, they shrugged too. No refund.
To me it feels like software is the place where society can just exercise its cruelty and indifference, or maybe it is a reflection of society, it's probably just like humans are. What we think software should behave like is not human.
I had more pleasant experiences with London/UK train ticket edge cases and felt like the system is built to deal with user/server errors.
I mean would you say that developers who work for Facebook have crossed that line?
"Developers are blameless" is a uniquely HN take, for obvious site demographic reasons.
I see a worthwhile product as a stool with at least three legs: Technical feasibility, business viability, and ethical acceptability. Take one leg away and the stool should fail. Yet, HN commenters endlessly discuss/debate the first two and largely ignore the third. I think we all have a duty to work on projects that are ethically sound (defining that is a whole other discussion). There are plenty of companies out there and plenty of products to work on--it's not like we have to pick an evil one in order to survive and "feed our families."
I don't think it’s a truth.
Shamans and wizards (never heard this used to describe anyone in history but let’s assume it’s just any kind of supposed magic user) were people at the top tier of their societies in terms of political power. Not kings or chieftains, but above everyone else.
Programmers are just making a living selling their labor power like every other office drone in the world. We’re one of the most common lines of work out there.
If you want the mysticism angle, we are like those kids they used to catch “witches”.
> Shamans and wizards (never heard this used to describe anyone in history but let’s assume it’s just any kind of supposed magic user) were people at the top tier of their societies in terms of political power. Not kings or chieftains, but above everyone else.
I don't know where you came by such a notion; Shamans, "Wizards", witches, "wise women/men", are usually shunned from society such that they tend to live near the outskirts of towns or cities, nobody really wants to live close to them; and when "bad things happen" tend to be the first ones to get blamed for it; then they also are commonly used as scapegoats for whatever political, economic or religious effort some corrupt officials try to push.
That doesn't sound very societal top-tier to me.
We're definitely not witches or wizards, at most we are scholars or [specialized] craftsmen. "Knowledge workers" if you will. Not as unlikable as the wise folk that live towards the edge of town, and not as at risk of getting tied to a post and lit on fire because the bishop believes we commune with unclean spirits.
Are there any documented examples of societies where "magics", "shamans" or "wizards" were at the top of the hierarchy? I gotta say, I'm an avid reader of Ancient History and Anthropology and the closest I can think of is the Priest-Kings of Sumeria and your garden variety theocracy and the latter is much more of a priestly bureaucracy than anything else...
I think you don't know what you think you know. My mom is a shaman type. These types often live at the outskirts of society where no well-to-do person would like to be seen. Zero political power but enough utility to keep at an arm's distance -- further if possible while not needed.
Yeah, we are more like masons. We have useful skills that enable building impressive things, but at the end of the day we are building someone else's cathedral.
Agreed. We're the blacksmiths making armor and swords and horseshoes.
Programmers being analogous to wizards or martial artists made more sense back when one used to need to train years or decades to become one.
With age comes wisdom.
There has been a lot of good that came from making coding more accessible; I'm not trying to gatekeep. But I do think that this is one instance where the outcome is worse. The martial arts masters still unquestionably exist among us. It's just that they're now surrounded by younger, less-wise people with guns. Both types can fight an army, but only one has the wisdom to know when it's better not to.
Yes I think there is truth to this. Something I have seen lately with Rust for example, is because the language is harder to learn, the discourse, tutorials, libraries are all much higher quality.
>Programmers being analogous to wizards or martial artists made more sense back when one used to need to train years or decades to become one.
You can be a shitty wizard with only one year of training, same goes for programmers.
The fact we have had less than benevolent wizards and shamans, why would we expect to have modern day equivalent of only benevolent coders? It's such a fairy tale level of expectation that it seems childish. Spending any energy in trying to make real world a fairy tale is just wasted.
We wouldn't. You might expect that on an individual level. But at a society level, I would expect any company that's doing things that are specifically allowed by our government (who did approve the Ticketmaster Live Nation Merger) to get their jobs filled just like any other. I think Ticketmaster is evil, another developer might not. That's fine, they're not killing people or dumping toxic chemicals into reservoirs, we can agree to disagree.
My outrage is directed entirely at the government agencies whose job it was to stop this, not the developers making a ticketing app.
It's okay to shame bad actors.
In fact, society would likely be better off if we brought back more public shaming
It’s interesting, the more we agree and hold strong, the higher the demand grows for engineers who would help some companies create their hellscape. The incentive will grow higher and higher until people break rank. And you start over.
I cannot agree more. And this is exactly why the old Google motto of "don't be evil" was so important. And the decline of Google is highly correlated with the removal of this motto from its culture.
I sincerely hope all tech companies can take a page from old Google and truly instill an innate rejection of evil among all software engineers.
I personally think we are more like "plumbers but with JSON". I have principles and apply them but I don't expect the others to do that
architect+builder+plumber.
The suits at TM couldn't build the app+backend, even if they could hire someone to maintain and replace parts of it.
> The sooner we can agree to behave accordingly
People don't code out of a sense of duty, they do so to earn money, so there is no mechanism to enforce "behavior."
> our prospects for ripping the reins of society
There are too many industries that take the mantle of improving society on their back. This is a mistake. There is no natural representative mechanism that ensures your actions are aligned to required outcomes.
This should probably be left to congress. If you're concerned that they won't do it then that should immediately suggest the appropriate course of action to you.
> of those whose only animating principles are avarice and exploitation.
Short term thinking cannot lead to long term rewards without abject manipulation of the marketplace.
Congress is useless, along with the rest of the planetary corporate-fascist oligarch facsimiles of democracy.
If software engineers united behind true ideals of freedom, we could automate the entire stack of "leadership" and raise the floor of society.
Open source implementations of:
Universal cryptographic identification
Decentralized voluntary anonymous voting, verifiable by every voter
Sovereign algorithmic monetary policy
Liquid representation
Complete digitization of all necessary information to audit any authorities, at any time
Full release of privacy for any "public official" -- service to society should be a burden, not a privilege
This, and much, much more can ALL be done with software. An entirely new paradigm of society, with freedom unalienably encoded into the fabric of the social machine.
Our rights digitized, our privacy, speech, and pursuit of happiness made into software.
I would say software may have an impact, and the thinking of this impact extends far beyond the next quarter of profits. This mindset can extend into a multi-planetary society and beyond. A continuously evolving, open source mechanism of human governance.
Except it's not truth.
You want truth?
The Golden Rule: "He who has the gold, makes the rules."
Truth is that money is all that matters. Nothing else in the world of business matters, not relationships, not customers, not Boards of Directors or CEOs. Money.
Until a person realizes this, they will be forever caught in a cycle of thought that is not truth.
"Follow the money!" is the best way to see how society works, and is why every government wants their hands in our money. Meaningful change in this world requires money. No amount of idealism or 'using our powers' can change that.
Do the wizards have 'F-Off' money? No. Will they ever? No.
This is a wild take. Software developers do the dirty work. We're one step below wall street.
This is not only a truth of the world we currently inhabit, it has always been a truth, of all the worlds we have inhabited. Power and greed go hand in hand for a reason and the struggle to find the balance is, and will always be present.
It was not true of this world 150 years ago that any person with sufficient learning could tap buttons to create an experience to be found in the hand of the majority of living humans.
I agree power and greed go hand in hand - absolute power corrupts, absolutely - but this bit? This is new.
https://www.amazon.com/New-Kingmakers-Developers-Conquered-W... ("The New Kingmakers: How Developers Conquered the World")
https://web.archive.org/web/20200915000000*/https://try.newr... [pdf]
Ah yes, The Roads Must Roll.
It's worth remembering that folks who can be bought, can be bought off and spend a lot of time enjoying their riches while true believers are somewhat more difficult to convince and don't take any time off.
That's important because all of the big evils have been perpetrated by true believers in pursuit of their "one true way." (Yes, some large evils have been perpetrated by folks chasing money. I'm talking about things like wholesale slaughter of as many people as they could lay their hands on.)
"In effect, we conjure the spirits of the computer with our spells"
t. Introduction of SICP
The worst are the programmers of the mobile games for kids.
> I remember a time when printable tickets were ubiquitous. One could print off tickets after buying them online or even (gasp) in-person, and bring these paper tickets to get entry into the event when you arrive
I go to 1-2 concerts a month so I'm well aware of how scummy TM is, but the problem with PDF tickets is that people sell fakes or sell the same ticket multiple times. I know multiple people who've been scammed this way. I get not wanting to use your phone for everything, but the changing barcode isn't just technology for the sake of technology, it's actually there to solve a problem.
> PDF tickets work even if your phone loses internet connection
So do the digital barcodes if you add them to your phone's wallet.
TM even sends you an email before every event that says:
>> If you haven't already, download the Ticketmaster app or sign into your Ticketmaster account via mobile web. From My Events, tap view then add tickets to your phone's wallet for easy access at entry.
TM's help page for the Mobile Entry tickets also says (https://help.ticketmaster.com/hc/en-us/articles/978659778561...)
>> We encourage you to download your tickets to your digital wallet before you leave for your event. This ensures that you can always access your tickets.
> If you bought the ticket off the event’s official ticketing agency (not a sketchy reseller), you know for sure that they’re real.
The problem is that that isn't how the real world works. Ignoring the massive scalping problem currently happening (that TM is complicit in) sometimes plans change or people learn about events after the initial sale. Personally, any time I have to buy or sell through a reseller, I use StubHub, but I know plenty of people who don't want to use them as they charge high fees and they aren't much better than TM from a moral standpoint.
Also, I get the impression that if TM locked all tickets so that they could only be resold on TM, the author of this article would have a problem with that.
Exactly all of this.
I found the article really interesting from a tech perspective.
And I have no love for TicketMaster, but the migration from paper/PDF tickets to scannable changing QR codes is inevitable, precisely to combat scammers.
TicketMaster does a lot of bad things, but this doesn't seem to be one of them. And learning to download the digital tickets in advance -- either to the app or your Apple wallet -- is just a thing you learn to do, the same way you learn to download a bunch of podcasts before your airline flight that charges for (or doesn't have) WiFi. (And if your ticket was a PDF, you'd similarly be stuck if you couldn't get internet at the venue and hadn't downloaded it in advance.)
> So do the digital barcodes if you add them to your phone's wallet.
??? Last I heard, adding the barcode to the phone's wallet did not work, or at least not reliably. Some older folks I know struggled with it, and I specifically helped set up the Ticketmaster app and download the barcode. They mentioned that the app eventually logged them off when they got on site and had to struggle with poor wifi. Eventually got it to work but IIRC it took several minutes before they had a stable enough connection for it.
Does it need an actual Google/Apple wallet or something set up?
Yes, "phone's wallet" actually means Google Wallet or Apple Wallet.
Stuff I add there works for me instantly every time, even with crowded venues and zero connectivity -- as long as I get it ready in advance.
(Not that I am defending this. I'd rather carry a paper ticket, since paper is more durable and far less complex than a phone is.)
People here have no clue how much it costs to pay for a tour.
Up to $1M per week.
Isn’t this a bit like irresponsible disclosure? Since this may be considered a security vulnerability. Although it’s all client side, I’m sure there’s some basis for a lawsuit here.
How is this a security vulnerability? It's displaying the exact bits Ticketmaster uses and explaining what those bits are. They're not circumventing security systems, just the requirement to use the app.
It requires sniffing your own session credentials first, which I don't see as a security vulnerability.
The only thing it allows you to do is sell your ticket, which is legal to do.
It is my opinion that you do not need to responsibly disclose "security by obscurity"
Additionally, what is irresponsible here? It's not like this gives you the capability to clone tickets without first having a ticket in the first place.
"Responsible disclosure" is poorly defined corporate wishcasting, and certainly not any sort of best practice or legal shield.
The public prosecutor does not pursue cases where responsible aka coordinated vulnerability disclosure was applied. I'd say that's a legal shield of some kind at least, and it is generally also considered best practice in the industry. There's exceptions to everything but, in the general case, I'm not sure where you're getting these viewpoints from
If it runs on my CPU and shows up on my screen after I paid for it, it's mine and I can do whatever I want. Anybody who thinks otherwise can fuck off outright.
That's exactly the same policy I apply to AGPL software. I paid for it ($0, as mandated by the developer) and it runs on my CPU.
I'm struggling to come up with a good basis for a lawsuit. CFAA abuse is the first thing that comes to mind, but this is a real stretch for that, and SCOTUS shut that stretching down a while ago. DMCA doesn't come into play, since this isn't circumventing any copyright protection schemes. So this kind of leaves you with some form of contract violation, but even that seems like a stretch here. Tortious interference or interference with prospective business? I mean, I don't see any events complaining about this (hell, Ticketmaster itself arguably has some contract liability issues with the fact that their technology relies on cell service which tends to be spotty in dense crowds). So you're kind of left with some individual contract liability issue, which is literally not worth the cost of litigation.
Nah. Ticketmaster is unethical enough that spreading information that harms them or helps them go out of business is ethical.
Responsible disclosure is something you pay for, not something you are entitled to.
Everyone wants Ticketmaster to die.
Except for a lot of performers and venue operators. Ticketmaster is paid well to be the bad guy. They often share the fees with both the performer and the venue.
The app-based barcodes don’t seem to be solving a security problem for customers - they seem to be for the purpose of ensuring that traditional scalping doesn’t work, forcing ticket resale into a market that TicketMaster can profit from.
I would consider it unethical to publish details of an unpatched vulnerability that allowed ticket forgery, but I don’t think it’s unethical to bypass DRM-like controls for personal convenience rather than commercial purposes.
Of course opinions may differ on this.