
Comment by haburka

2 years ago

Isn’t this a bit like irresponsible disclosure? Since this may be considered a security vulnerability. Although it’s all client side, I’m sure there’s some basis for a lawsuit here.

How is this a security vulnerability? It's displaying the exact bits Ticketmaster uses and explaining what those bits are. They're not circumventing security systems, just the requirement to use the app.

It requires sniffing your own session credentials first, which I don't see as a security vulnerability.

The only thing it allows you to do is sell your ticket, which is legal to do.

It is my opinion that you do not need to responsibly disclose "security by obscurity"

Additionally, what is irresponsible here? It's not like this gives you the capability to clone tickets without first having a ticket in the first place.

"Responsible disclosure" is poorly defined corporate wishcasting, and certainly not any sort of best practice or legal shield.

  • The public prosecutor does not pursue cases where responsible aka coordinated vulnerability disclosure was applied. I'd say that's a legal shield of some kind at least, and it is generally also considered best practice in the industry. There are exceptions to everything, but in the general case I'm not sure where you're getting these viewpoints from.

    • "The public prosecutor does not pursue cases where responsible aka coordinated vulnerability disclosure was applied."

      That seems like a pretty substantial claim to make without any sort of "in [country/state/province/etc.]" qualification, let alone a reference.


If it runs on my CPU and shows up on my screen after I paid for it, it's mine and I can do whatever I want. Anybody who thinks otherwise can fuck off outright.

  • That's exactly the same policy I apply to AGPL software. I paid for it ($0, as mandated by the developer) and it runs on my CPU.

I'm struggling to come up with a good basis for a lawsuit. CFAA abuse is the first thing that comes to mind, but this is a real stretch for that, and SCOTUS shut that stretching down a while ago. DMCA doesn't come into play, since this isn't circumventing any copyright protection schemes. So this kind of leaves you with some form of contract violation, but even that seems like a stretch here. Tortious interference or interference with prospective business? I mean, I don't see any events complaining about this (hell, Ticketmaster itself arguably has some contract liability issues with the fact that their technology relies on cell service which tends to be spotty in dense crowds). So you're kind of left with some individual contract liability issue, which is literally not worth the cost of litigation.

Nah. Ticketmaster is unethical enough that spreading information that harms them or helps them go out of business is ethical.

Everyone wants Ticketmaster to die.

  • Except for a lot of performers and venue operators. Ticketmaster is paid well to be the bad guy. They often share the fees with both the performer and the venue.

    • I'm sorry to be that guy but do you have literally any source for this?

      Might just be the musicians I like, or the fact that negativity is better for clicks, but I've never seen an artist saying they get any benefit from Ticketmaster's fees and other such shenanigans; I've only seen artists and venues saying that they don't get any money or benefits at all from Ticketmaster's racketeering.


The app-based barcodes don’t seem to be solving a security problem for customers - they seem to be for the purpose of ensuring that traditional scalping doesn’t work, forcing ticket resale into a market that TicketMaster can profit from.

I would consider it unethical to publish details of an unpatched vulnerability that allowed ticket forgery, but I don’t think it’s unethical to bypass DRM-like controls for personal convenience rather than commercial purposes.

Of course opinions may differ on this.