hckrnws
Really good post! I also found this quote which distilled their position in the 404media coverage of the situation.
> “What I can say for sure is that TicketMaster and AXS have had every opportunity to support scam-free third party ticket resale and delivery platforms if they wished: By documenting their ticket QR code cryptography, and by exposing apps and APIs which would allow verification and rotation of ticket secrets,” Conduition told me in an email. “But they intentionally choose not to do so, and then they act all surprised-pikachu when 3rd party resale scams proliferate. They're opting to play legal whack-a-mole with scammers instead of fixing the problem directly with better technology, because they make more money as a resale monopoly than as an open and secure ecosystem.”
from https://www.404media.co/scalpers-are-working-with-hackers-to...
I dug up the court docs referenced in that article, it's pretty interesting-
AXS Group LLC v. Internet Referral Services LLC (2:24-cv-00377) District Court, C.D. California
Amended complaint: https://storage.courtlistener.com/recap/gov.uscourts.cacd.91...
Docket: https://www.courtlistener.com/docket/68163191/axs-group-llc-...
One item of the complaint is regarding the "secure.tickets" site, which I wrote about in an earlier comment below (https://news.ycombinator.com/item?id=40906148#40910690).
Basically, brokers are using the "secure.tickets" and similar websites to proxy ticket barcodes to buyers, without going through the actual ticket transfer mechanisms on the primary ticketer AXS/TM, (similar to how this blogger does). Then resellers are delivering these ticket URLs, hosted on random websites, to Seatgeek and Stubhub customers, and those platforms are supporting their delivery by telling their customers that the tickets are legit. Sounds like AXS is fighting back against this practice.
The underlying issue is that those tickets have a "no resale" provision that doesn't apply when the original seller acts as a broker.
Do other brokers, when they go and work around that limitation break the sales contact? Maybe. The legal system would churn an answer in a few years.
Do AXS et al with their "only we are allowed to engage in a secondary policy" are abusing their monopoly on original sales? The legal system would churn an answer about the legality of this in few years, but I think it's obvious they at least break rules in the spirit.
Monopoly is the keyword here. Ticketmaster and Boeing and all the other nefarious companies here use PATENTS to prevent competitors from eating their lunch. Patents need to be done away with to allow free competition, don't believe the propaganda about patents helping creators
I love it when a system has been working for hundreds of years through by far the most prosperous time in human history but people on the internet are sure it is wrong. No proof, no evidence, not even logic, just certainty.
Also, I don’t think any of the issues with Ticketmaster have anything to do with patents.
Maybe we could just reduce the patent's duration to compensate for the acceleration of information diffusion caused by the internet in the last few decades. Does that seem reasonable to you?
What problem are we trying to solve? Why do we think there is a problem? If the idea behind the system was to give people a financial incentive to innovate, and since the system has been put in place humans have been exponentially more innovative than they were before, why do we think it needs fixing?
Nothing seems reasonable to me on the topic unless it comes with evidence as to how it would improve a system that would appear by any objective measure to be doing incredibly well.
And what does any of it have to do with ticket master? They’re awful in a lot of ways, but I’m not aware of patent trolling to be one of them. If they even have and enforce patents, I’ve not heard of them, and I work in live events so I’m fairly well-informed on that company. Everyone in the industry hates them, it's unlikely they’re doing anything awful that isn’t routinely mentioned.
> If the idea behind the system was to give people a financial incentive to innovate
No, it wasn't. The idea behind the system was to give people a financial incentive to be _open_. Patents are a trade with the commons; you would give up your secrets for a limited time period of exclusivity. People would innovate with or without patents, but they would keep that innovation to themselves.
With software, both sides of that bargain have changed. Secrets are harder to keep, and since everything moves so much faster, any given time period is much more damaging to the commons (e.g., 20 years is forever in software).
(I also don't think Ticketmaster affairs have anything to do with patents, FWIW)
That is an ahistorical view of the history of patents. Openness had never even occurred to anybody when patents were originally invented. Back then, it didn’t matter. Humanity hadn’t come up with much that you couldn’t figure out how it worked if you had one in your hands. It may have taken millennia to invent movable type, for example, but somebody who saw it could have copied it immediately. Its relatively recent that that has not been the case for almost anything.
It was developed to spur innovation, and that is still its main function.
That's an absurdly reductionist take on ancient innovation.
What about chemistry that mad everything from baking recipes, optics for physics, paint for art, forging techniques... The list goes on and on.
There are so many subtle ways of doing things that were silo'd in small communities or regions.
U.S. Constitution at least seems to side with innovation, not openness. Constitution article 1 section 8 says Congress shall have power
"To promote the Progress of Science and useful Arts, by securing for limited Times to Authors and Inventors the exclusive Right to their respective Writings and Discoveries"
This says nothing about publication, only about progress and exclusivity.
It doesn’t say anything about selling patents to third parties to abuse either. It specifies authors and inventors, and rights to their writings and discoveries. At what point does it extend those rights to a random unaffiliated attorney or corporation that engages in zero productive innovation or authorship? I agree that the argument your replying to is flawed, none of this applies to Ticketmaster here specifically, but the contemporary system absolutely is broken in several ways that were seemingly never intended by its original codification.
I would support patents that could only ever belong to the actual inventor.
That’s short-sighted because it misses the fact that inventors are often not product people. There’s a big difference between creating something new and bringing it to market.
The big benefit of a functioning patent system is it allows people to make money just inventing things.
This group seems to have a “throw the baby out with the bath water” mentality when it comes to patents simply because of patent trolls, when the obvious solution is to just fix patent approval/litigation.
Has been working but check out the ongoing Ukraine-Russia conflict and the sanctions regarding patents[1]. Russia is now allowing their companies to use patents freely.
1. https://www.morganlewis.com/pubs/2022/04/russian-decree-unde...
Yeah seriously, what patents are we talking about here? My understanding is that reason Ticketmaster is a monopoly is through deals with venues
If you don't have a patent on an invention then how do you protect it from people who will just steal what you have spent time/money creating?
This is what patents used to do, but the economic and technological circumstances under which they did have changed dramatically over the last couple hundred years. All they really do now is entrench the power of the massive corporations with the capital to buy them up and sue anyone that they think encroach. It's not promoting innovation anymore, it's stifling it.
Patents can be filed for around $2000
Patents no longer go to individual people. They go to corporations. Perhaps we should ban corporations from getting patents on behalf of people.
That would be.. interesting from a compensation & retention (& poaching!) perspective!
So the work of 1000 people at a company may have gone into developing the tech that is to be patented, but we must restrict the patent to being owned by one single individual?
Comment was deleted :(
1. If you are first to market and still can't make money off your amazing invention, that might be a skill issue. 2. Patents wouldn't be as forceful if they didn't last that long. A decade or more is basically forever in a fast-moving field like tech.
>If you are first to market and still can't make money off your amazing invention, that might be a skill issue.
Sounds like something a VC would say.
Have you considered that inventing things and selling them are two different skill sets?
The patent system needs reform, not elimination.
Why would you artificially encumber a significant invention from benefitting the world just because you don't have the wherewithal to sell it?
Seems awfully self-centered.
The patent system certainly needs reform, but I think more along the lines of what gets accepted as a patent. Discovering what I would describe as a 'natural law' should not be patentable (but I think happens everyday), and those ideas should not be kept from human progress, imho. There's a line between research paper and patent, that I believe is blurred for profit.
But a true invention, a novel use of those laws, should be patentable. Are you saying that if you discover a novel use of natural laws, a product that could be capitalized, your own unique idea, that you should not be able to capitalize on it? Maybe this would work in a trek economy, but not with capitalism.
If your worried about innovation, how innovative could we be if discoveries/inventions were squandered because there are no protections if you happen to even mention your idea to someone?
I mean the patent is public information. If you want to have a go at selling it, buy it or license it from me and have at it. Otherwise, invent your own idea or wait for mine to expire.
Or I could lobby for patent reform so one person doesn't hold up the progress of everyone else via selfishness.
What patents does Ticketmaster have that stop competitors from selling tickets?
[flagged]
Not all cryptography is blockchain
Hash chains already existed. But someone created blockchain anyway.
Comment was deleted :(
I'd also like to highlight another bad practice by Ticketmaster.
When you purchase a ticket from them and resell it on their marketplace, once someone purchases it, they(Ticketmaster) hold your funds and only give you the money ~7-14 business days after the event is over. They say this is to verify the validity of the ticket.
On the buyer side, you purchase the ticket from the marketplace and it gets added to your account immediately. (I think) You get the barcode some time ~1 week before the actual event begins.
The confusion for me? Ticketmaster owned the ticket and all logic relating to the validity of it. The logic to validate this shouldn't be complex at all. They OWN the ticket. They KNOW it's legitimate because it never left their database. Yet they double dip and hold both buyer and seller funds. Events can be close to a year in the future but the seller won't see that until after that event ends.
There's another good point in here. Why do they hold the ticket until just before the event? I bought tickets to a concert for my wife's favorite band. Then, my wife's work scheduled an event for that same week and she had to leave town. So, what I really wanted was a refund so someone else could buy the tickets. They don't do that of course. So, then I wanted to sell the tickets for face value... but ticketmaster didn't "deliver" the tickets to my account until the day before the event!
I watched for a month leading up to the event as the ticket prices plummeted while the scalpers were desperate to get at least something for their tickets before my ticket was even delivered to me.
As soon as they take my money, they should update the database to show that the ticket is mine. If I want to sell it, I should be able to do that immediately too.
But, from what I've read, that instant resale ability only belongs to their "partners" who resell a lot of tickets, and you need access to their "TradeDesk" tool to do it: https://tradedesk.ticketmaster.com
Just vote with your pocket and don’t buy tickets from them. I do that - yes I don’t get to go to major concerts but there are still so much more that is not on ticket master. I found a lot of new entertainment and was happy to pay $4 fee instead of whatever TM charges nowadays.
They have an effective monopoly.
On large venues for big name artists.
Granted, I live in NYC, which probably has one of the most vibrant local music scenes in the country. But it's not like nowhere else has local bands that play at small venues.
It feels like a lot of the people that complain about ticketmaster's monopoly have never branched out from Billboard chart artists.
It's weird?
Even the most 'hole in the wall' places around here have deals with LN/TM, short of a bar-band or niche-local joint.
One of the more 'fun' ways that LN/TM did shenanigans at the past I observed: Metal shows at smaller places in the Detroit area like Harpo's (famous place but known for the sketch area) or Token Lounge (literally a bar with a dance floor and stage, pretty fun tho) you'd have one of the local small/startup bands selling tickets, often -below- cost at the box office.
Why? If they sold enough tickets, they got to play as an opener. Yes some scammers would try to fake this, but I never saw anyone actually get 'taken'. And yes I'd buy them if I didn't already have them to help the locals out.
That said, the concerts at those smaller venues, despite being TM/LN, were in the 20-30 dollar range after fees. Not 'top billboard' type stuff per se but Children of Bodom, Lacuna Coil, and other 'popular but niche' bands in the 2005-2007 timeframe.
Comment was deleted :(
There are a lot of musicians that aren't on the charts that play in Ticketmaster-controlled venues.
Not just on tickets, but on venues, catering, security, logistics. It's pretty bad.
... for a completely optional form of entertainment.
At the very least you have the choice not to go to any concerts until there are better options. You can also make that clear to your favorite bands.
lol, people and bands have been complaining about it for 30 years and it’s only gotten worse. Yes, you could skip concerts for the rest of your life, I suppose, to make a point. But it’s not going to fix anything.
Complaining yes, but how many people are actually putting their foot down? As for bands, they may actually be profiting from this scheme where ticketmaster ensures higher prices while taking the blame. If they really cared enough they could chose not to deal with Ticketmaster. Sure, that would limit their choices in venues which could mean lower potential for profit. Probably not going to be a real issue for the the more popular groups.
And yes, if there are no concerts with acceptable terms (and that's really a hypothetical if) then don't go to any for the rest of your life. You make it sound like this is some kind of required part of the human experience when it is just one of many possible ways to spend your time. Even if you are really into music, concerts are just one way to experience it - and when it comes to audio quality, a fairly crappy one.
It's possible you can put your foot down, lots of venues will sell you paper tickets at the box office. It's inconvenient but they also don't charge TM fees sooo. It's what I do since they open the box office during any of their events. Just get tickets for the next few shows right there.
> Even if you are really into music, concerts are just one way to experience it - and when it comes to audio quality, a fairly crappy one.
This fundamentally misunderstands why people go to see live music and honestly maybe what people enjoy about music entirely.
The bands are absolutely profiting.
Ticketmaster is basically “customer punching bag ad a service”.
The bands at the top are absolutely not profiting, they’re losing money over it. Instead of a healthy ecosystem of promoters willing to pay them market rates, they’re dealing with a monopsony that depresses earnings. They HAVE to go through TicketMaster venues, because TM has locked up 85% of large ones, which means they have to accept whatever fee the promoter (LiveNation, same company) is willing to pay them. That’s part of why AEG sued them, they are a giant international promoter who is effectively boxed out of the American market by TMs stranglehold on venues and vertical integration.
Venue owners are profiting. LN/TM can pay them a lot for exclusive rights thanks to their monopoly-inflated profits.
The bands get more than a small cut of the various fees, and especially the upcharge things like Platinum tickets.
No they don’t, that’s not how the money works in concerts. The bands get paid a flat fee by the promoter. You can Google this if you don’t believe me but I know from working with concert promoters.
Why would Ticketmaster/live nation pay them at all? They don’t have to, the bands don’t have any other places to play and they make most of their income from live shows.
Platinum Tickets are priced by the artists who get the bulk of the revenue.
Just to back this up, Robert Smith references Platinum Tickets here https://www.bbc.com/news/entertainment-arts-64975160
Choice quote: "It is a greedy scam and all artists have the choice not to participate. If no artists participated, it would cease to exist."
It doesn’t say it goes to the artists. It says artists can choose not to participate. It says most of the fees go to the venue, which is true, that’s how they get exclusivity.
Perhaps they give artists a little to encourage participation in some ancillary revenue, I don’t know. I’ve mostly worked non-TM venues. But I’m sure the promoter gets most of that too and it’s not a lot of the overall ticket sales.
I can tell you for sure, everyone but the venues feels they would get more without the monopsony. There is not a functioning market for concert promotion once you get to the 10,000+ seat level, and TM is actually even buying up the ones below that too.
Your only end run around it is the festival circuit since a lot of them are out in a field rather than a venue, but guess who is buying those up now also…
Also note how they say ticket master passes on fees to the promoter. That’s a clever way of phrasing because it makes it look like they’re not greedy, but the promoter is almost always LiveNation, which is the same company.
I am fairly sure that’s not true, and also that platinum tickets are a small percent of tickets.
Do you have a source for that statement? The article about it linked below does not back up either assertion. I’m pretty sure they’re dynamically priced by a TM algo, and I’d bet little of it goes to the artists.
The extra fees are shared with venues and bands. Keeps them on TM's side.
That's the secret.
If nobody used them, they would go away.
That's not really possible, because they contractually require venues and performing artists to only perform at their venues
This kind of gross exclusionary contract should be illegal (it's kinda the same BS that Google does with Android OEMs - contractually force them to [1]), but for some reason antitrust avoided acting on the matter (including allowing acquisitions in the space) for quite some time
[1] > Predicating the availability of any of Google’s apps, including the Google Play Store, on OEMs not taking advantage of the open source nature of Android on devices that will not include Google apps seems much more problematic than Google insisting its apps be distributed in a bundle. The latter is Google’s prerogative; the former is dictating OEM actions just because Google can. https://stratechery.com/2018/the-european-commission-versus-...
Our options shouldn’t be see no concerts from successful musicians or pay monopoly pricing. This is something government should solve.
Expecting the US government to properly handle monopolies and anti-trust issues is a fool's errand. It's like saying the US government should solve the issue of gun proliferation in the US: it's simply not going to, in our lifetimes.
I don’t think that’s accurate. They’ve successfully handled plenty of anti trust issues in the past and very recently got on this one.
When was the last time they did it?
I googled "us government anti trust wins" and found a few articles that point out some recent ones, e.g. Adobe and Figma in December 2023, and an Apple lawsuit in March 2024.
Biden's FTC and Justice Department are in the process of suing Apple, Facebook, and Google for antitrust violations. And Ticketmaster.
On the contrary, the US government is probably a lot easier to influence than an entrenched monopoly.
It probably would require less money.
You're right, of course, those shouldn't be our options. But that's just how it is. If you aren't willing to stop playing, the game will never end.
Again, not true, that's a false dichotomy. Political pressure is an alternative. The justice department is already suing. Clearly it can be done.
You writing your congressperson is more likely (albeit, still not at all likely) to make a difference than you not going to your annual concert.
That might have been true in decades past.
They now, having merged with LiveNation, have effective ownership of all major and semi-major venues around the country. They also aren't just doing concerts, they're doing sporting events and other live entertainment as well.
They aren't going anywhere. They are just too big, and too ingrained.
Comment was deleted :(
While this is literally true, solutions in the form of "if everyone would just X" are not solutions at all.
That's why they've done so much to force performers to use them.
See Tickets seems to be on the rise recently, which I've been glad for
[flagged]
I did that for several years. I don't really consider it voting though because nobody is counting the votes -- they still sell out of tickets with higher profits each year.
This began a lot more on third party sites like stubhub due to Covid and the massive amount of cancellations; before most places paid out after the sale, and if the buyer wound up having an issue (due to the seller mistake, selling it multiple times, whatever) they would charge the seller and usually assess a penalty.
But when everything in the world was being cancelled I assume they didn't have all the money just sitting around to reverse and it was a ton of thrash to deal with. As someone who had bought tons of tickets and sold some, it was a mess. I had a ton of credit card refunds back, the third party sites had to reverse payments, etc.
Waiting until after the event is just less overhead. Guarantees the transaction happened without a hitch.
There are some POS and broker sites that still pay on transfer, but none of the "primary" secondary market does.
I’ve never dealt much with TicketMaster, despite them being a monopoly. So my questions here may just be out of naiveté:
1) Why would TicketMaster pay event organizers ahead of time, if the event might be shit and attendees may demand their money back? Rather than having to deal with a lot of chargebacks and making it their own problem with the banks, they might prefer to make sure the event goes off without a hitch and refund people while they still can. Rather than subsidizing the refunds they make the event organizer have to get (and pay for) financing instead, backed by their payout. They might also offer such financing.
2) I get that they hold event organizers hostage by making contracts with the venues for years, that might be an antitrust issue but it’s separate from 1.
3) Why would TicketMaster make scalping easy? Middlemen would just buy up all the tickets and then pump and dump the price, much like early crypto investors in a meme token or altcoin do. So they don’t “deliver” the ticket to you until just before the event, exactly for that reason.
With ChatGPT it’s now easier than ever to impersonate thousands of people at scale, with credit cards and everything. But I will admit, showing up to an event at least once confirms there is a human behind the account. But a first-timer buyer? Shouldn’t be able to resell, no.
#1 and #3 are related. They make scalping easy so they get all of their money immediately and can pay event organizers ahead of time. I personally think scalping should be straight-up illegal but business schools loove it and consider it an excellent example of helping with liquidity in a system and finding the true "willingness to pay" price of something.
willingness to get ripped off LOL
I built a blockchain-based solution.
It features a price discovery mechanism: you auction off M tickets to M people, the price goes up every time after M people buy and the oldest buyer is booted when the others buy, but can buy back in again. Buyers can set a “reserve price” to automatically bid up to that price.
No scalping, because tickets aren’t transferrable.
Similarly, you can disallow transfering of bearer token X but let the user sell it back to the central market maker and someone else buys it. Enforcing commissions on sales.
Blockchain makes all this work, decentralized.
Tbf, this does sound like a fairly efficient anti-scalper strategy, so I guess there's at least some upside to this mess.
I guess it depends on your definition of scalper. It prevents mom and pop from reselling their unwanted tickets. If they stopped there and prevented all reselling I'd be fine with that even though I'd lose out on some money in this one case.
But then they literally built a whole platform (link in my last comment) for actual scalpers to resell tickets in bulk. So, they're not trying to prevent scalping, they're just ensuring that only their "partners" can scalp.
It's simply 0% financing for their business. No more complex than that.
Excellent point. I wonder if Ticketmaster profits by making interest off of holding those funds?
Wonder no more—yes.
Do you work at ticketmaster? Otherwise, how do you confirm this?
Every big corp holds money longer than necessary to maximize interest. It’s free money. We know TM. “Why wouldn’t TM do it” is what you should be asking proof for.
exactly this
Ticketkmaster earns interest on cash they hold[1]
This is cash that ticketmaster is holding
Therefore they will be earning interest on this.
[1] see interest incom on their latest 10-K https://investors.livenationentertainment.com/sec-filings/an...
Rule of thumb when it comes to monopolies: always err on the side of rentierism. In fact, it should be incumbent on their defenders to prove (insert greedy activity) is not practiced by said corporation
1. ticket master holds the money for 14 days before paying the customer
2. there are a lot of customers
3. therefore ticket master holds lots of customer cash in transit (this is called the "float")
4. cash earns 5% interest so this year they will earn about 5% * avg float
>When you purchase a ticket from them and resell it on their marketplace, once someone purchases it, they(Ticketmaster) hold your funds and only give you the money ~7-14 business days after the event is over. They say this is to verify the validity of the ticket.
I imagine it's more about discouraging scalping, regardless of what they may say about it.
Maybe to stop people selling the ticket and still going to the event with a pre-printed one? Solving that would also be easy if they have a central verification system (just invalidate the ticket and issue a new one) but not if it is all p2p.
(disclaimer: I'm a complete outsider, last time I bought anything from Ticketmaster was a really long time ago).
They would need to solve that anyway in case 2 or more friends attempt to get in on the same ticket.
Not at all difficult - simply share screen a third device and display the rotating QR-code through e.g. zoom on individual phones. For additional trickery, try to split the group into joining multiple ticket scanning lines and timing the scan of the ticket to be as close as possible to eachother.
Possibly it's fraud prevention, in case payment for the original ticket was fraudulent and chargeback occurs after the ticket is resold on marketplace?
That does sound like a very reasonable thing to do. Otherwise you have a threat vector of steal card, buy ticket, sell ticket, pocket the cash, card owner disputes, now Ticketmaster has paid a stolen identity who took the money and ran.
Anything that can be used to monetize stolen cards will tend to be used for the purpose even if it's inefficient.
I really, really, really hope Ticketmaster gets broken up. Their shittiness seemingly knows no bounds.
Because you could just print the ticket, then sell it, and still enter the show with it ?
This is literally what the rolling codes prevent.
I hate TM and ridiculous fees as much as anyone, but this article is overly hyperbolic.
There's a section named "Pirating Tickets", that just explains how to re-create a barcode that you already paid for. You're not using this to rob anyone of anything.
And at the end, "Have fun refactoring your ticket verification system". Why? There are no vulnerabilities here. A rotating barcode (even if following a known pattern) is still more secure than a static barcode on a piece of paper.
Piracy here just means you can use it to sell your ticket without using their platform, which is analogous to just sending someone the PDF or handing over the piece of paper as always.
While this has the upside of breaking you free from TM's obnoxious practices, it also obviously opens up for scalpers and all.
Scalping is still possible without understanding the tech - you could just stream a video of the bar codes and sell the stream instead of selling the ticket.
The whole point of their system isn't to eliminate the possibility entirely it's to make it impractical to get around for the vast majority of concert-goers, and it clearly succeeds at this.
Recording the ticket with a video is everyone's first thought at defeating their restriction, and is no doubt the first thing they thought of when designing it. Hence, the codes expiring too quickly that you'll need a new video before you get through the line at the entrance of the venue. And messing with videos in a pressured line of people in front of a bouncer, is, as others have said, simply not practical for the vast majority of cases.
So it's kind of irrelevant - practically speaking - that it is possible.
Good luck getting enough signal to play a video stream in a large crowd.
You don't need to truly stream a video capture of the app, you can have a scanner on the server side decode the barcode in the web/virtualized Android app and then only stream a couple hundred bytes, having the client regenerate the barcode
Sure, it's possible, but come on, it's not practical.
Well, it wasn't practical before this blog post.
Piracy here means that you can sell 50k tickets to the same seat with a real valid rotating barcode.
Are you sure you understood the article? The token is supposed to be a secret and the TOTP generation should happen remotely. This is not the case and this suggest a fundamental lack of security practices at the company.
"Should happen remotely" – according to who? What is the security risk for the end-user?
"this suggest a fundamental lack of security practices at the company" – that's a stretch of a conclusion to make. You're being as hyperbolic as the original post.
What didn't I understand about the article? This still offers a slight increase in security over static barcodes, without introducing any new vulnerabilities.
> This still offers a slight increase in security over static barcodes, without introducing any new vulnerabilities
It offers nothing to the user, except taking away their rights, and making it all unreliable
> the TOTP generation should happen remotely.
It says that it is available offline (if you've viewed it in the last 20 hours), so the TOTP generation can't happen remotely
Well it's more like the "security: they want is fundamentally is incompatible with support for ofline use in this case (as long as we have open computing platforms anyway).
Which would increase the problem he described--too many people trying to get in overloading the local bandwidth.
It's enough to defeat screenshotting and the 20 hour bit would defeat large scale malicious use.
Not good security but probably good enough, especially in stopping the resale of stolen tickets.
It's piracy in a way that's analogous to ripping like Netflix content. You are breaking away from DRM which is piracy. They also cite the potential to have multiple tokens valid per one ticket which would let multiple people get in with the same ticket.
I doubt the second bit is true - they will still be marking the ticket as used in their backend.
They are just trying to prevent scalpers printing off tickets 10 times and selling them outside the venues as a scam, which happened at every large concert I have ever been to until recently (so I assume this is working!).
You would hope... But they often run the scanners in offline mode (e.g. at temporary / seasonal events) so there can be lag in the backends being updated.
Heard from a friend who got straight into two events in the same city recently - they presumed the show was at one outdoor venue but the scanners let them straight in at the first (wrong) venue. Went to the correct venue and got in there without any issue too (this suggests one or both venues were offline or using offline scanners).
Hm. So I guess at a small venue that has 3 door people with offline scanners, you have a 2/3 chance of success if you're the second of two people sharing a barcode. Combined with the obvious 3/3 success being the first person, that averages out to 5/6 chance if both of you (oblivious to each other) schedule your arrival similarly.
My experience from visiting many many of them is that 80-90% of small venues don’t even bother with scanners.
not really offline but someone who works in industry here once detailed out that each scanner has it's own copy of a SQLite database that is being updated as fast as possible based on inserts of other scanners since any downtime is a big deal at these venues
i.e., theoretically duplicate tickets would be identified but not instantly but still pretty quickly
> they will still be marking the ticket as used in their backend.
I assume that's true, but it makes me wonder how their scanners are connected to the server.
I mean, if 10,000 people showing up to an event with smartphones overwhelms wireless networks, wont that also kick their scanners off the network?
They'd probably like to have a system where, if a scanner loses its connection, it can still validate tickets. It could store a copy of validated tickets locally, and upload it when the network connection is restored - that would mean a copied ticket would have to make sure they go to a different door/scanner. But it would allow copying.
Simplest answer is a private wifi network for the scanners.
It's also the best answer.
It's all off-the-shelf electronics and standard protocols. Venue provides some wifi with a "Ticketbastard" SSID (or whatever) at entry points, and the COTS-built barcode-validating devices use that. Easy-peasy.
They might also provide other wireless networks for other purposes (definitely for vendors [$$$], but perhaps also for regular house staff, touring staff, and maybe even the guests who pay for it all!), but they'll all be under the venue's control and coordination: Other than the odd personal hotspot that wanders in, there's not necessarily any meaningful outside interference on 2.4/5GHz wifi bands in a big venue.
It's pretty easy to make short-range wifi work reliably in that kind of RF environment, such as the chokepoints where tickets are validated. (Modern apartment dwellers will have worse interference problems than that.)
There’s actually a ton of interference in the 2.4 GHz space, especially at venues like outdoor festivals. However your solution does work. I work at a festival that provides a WiFi network and an Ethernet drop for the ticket scanners. We have to use multiple APs to cover the main entrance area, but it’s feasible.
I was thinking more along the lines of a stadium crowd than an outdoor festival, but yes: I agree. I've had miserable luck with 2.4GHz stuff in festival environments where people camp out for a few days. :)
I don't pay very much attention to the ticket-scanning devices while I'm getting into a big show (which is generally a rather unpleasant experience on my side), but:
Don't they allow usage of 5GHz bands? Unlike 2.4GHz, I've had tremendous success with 5GHz bands in all kinds of environments -- including outdoor festivals.
I have no idea what connectivity options are available in current scanners, but it sounds like a viable solution could be to use an RF band that customers don't overwhelm, similar to wireless microphones perhaps, with a little hub situated nearby that consolidates the list of already-scanned tickets, possibly standalone or possibly on a wired network that includes other far-away entrances.
Was going to say it shouldn't be hard to run a wire around an entire stadium, but maybe some popup outdoor venues that might be complicated. Could use line of sight towers for fun.
900mhz networks like halow or even lorawan should do
Even at huge venues i dont expect requests would be over 5 rps
5 RPS, per scanner, surely?
No way, scanning tickets is slow because it rarely works seamlessly. It's pretty standard to stand there for a few seconds moving your phone back and forth and/or rotating it. Or when one person has all the tickets for their party and has to scroll to the next one between scans.
I think maybe 4-15 seconds between scans per scanner, at best.
Can you imagine 5 people moving thru scanner in 1 second?
Even at 1 rps that's if we assume 1 meter distance that's 3.6 km/h or a normal walking pace. Do you ever see crowd at ticketing move at walking pace?
Not at all, I was imagining over speccing the system.
E.g. this weekend I went to a show at a 70,000 seat arena. Knowing from experience, there are 4 entrances. This time there were 10 people scanning tickets at the gates I entered. Friends reported the same at the one they came in.
5 RPS per scanner is obviously overkill, but if those 10 at one gate were linked to a hub that could issue 5 RPS I would call that adequate, if barely.
If all 4 gate areas were linked centrally to a system that could do 5 RPS, well, actually, that might explain the throughput I experienced getting through lol
I'd argue that a few extra people sneaking in on the same ticket (assuming this is even possible) is more like sharing your Netflix credentials than ripping Netflix content and having it be shareable with the entire world.
You're also walking into a stadium/concert in plain view of security cameras, so the stakes and deniability are different as well.
Not a lawyer, but "subverting DRM" (even if it's trivial or really stupidly designed) can be a crime in and of itself in the US under the DMCA. There are a bunch of exceptions to this, so I have no idea if OP's work is actually illegal.
Security researchers are an exception, but the title of "security researcher" is undefined
Now this is f*cked up, isn't it?
It would be DRM if the barcode was copyrighted material, which it isn't.
The way this is already being exploited in the wild is that a scalper/scammer buys 1 ticket, then resells the same ticket multiple times. Multiple people believe they have a valid ticket, show up at the event, but only the 1st ticket works. The other people who try to use the ticket are turned away saying that their ticket has already been used.
> The way this is already being exploited in the wild is that a scalper/scammer buys 1 ticket, then resells the same ticket multiple times. Multiple people believe they have a valid ticket, show up at the event, but only the 1st ticket works. The other people who try to use the ticket are turned away saying that their ticket has already been used.
That is one of many ways this is already exploited in the wild.
Do you have a source for this? What platform are they selling multiple copies of the ticket through, and what app are the buyers using that allows multiple buyers to receive and show the same animated barcode?
This way you can sell and have the ticket completely off of ticketmaster. That is a vulnerability. It lets users do something they explicitly don't want to allow.
Assuming that you can actually do that.
If the seller re-opens the TM app and it generates a new token and invalidates the old one, then that's not the case.
Vulnerability to LN business practices. Not a system vulnerability.
He was basically wondering if he could create two tickets each with different tokens. Tokens are valid for 20 hours but it probably doesn’t invalidate the old token (e.g. a request for a new token makes it to the internet but due to congestion, the response never comes back to your phone before timing out) and this could trigger multiple tokens for the same ticket and are all valid.
Thank you for posting this. This article left me super unsatisfied too.
This sort of ticketing thing is a trivially solvable problem. It is solved at every airport in the entire world millions of times per day. You provide the name of each concertgoer when you buy a ticket, and they show up with their ticket and ID. You often need to show your ID at these kinds of venues to prove you're old enough to drink beer anyway.
Yup.
I have to believe the reason the likes of ticket master isn't fixing this is because they are selling/auctioning/reserving some percentage of tickets to scalpers or "3rd party sellers".
Requiring ID is such an obvious solution that I have to believe these convoluted approaches are only there so the secondary market can exist and so ticket master can wash their hands when prices get out of control on that market.
I have to presume that the driving impetus of all of this is that they're trying to avoid the actual requirement of checking the ID. Like, they want to improve the flow of traffic through admissions.
But I mean, obviously, any kind of system like this strikes me as the same sort of thing as DRM. That you can somehow protect the message from the person you're sharing the message to. How can you avoid reselling if you don't verify the original purchaser? It just seemes ridiculous on its face.
Yup exactly. Some events are pretty bad at opening the doors early. The Brooklyn Nets seem to open 30 minutes before the game, so they need to get 20,000 people through 20 metal detectors in 30 minutes. Every second extra they add to the process is a second you don't have to buy a $25 drink, and that's how they make their money.
We check IDs for flights because airline yield management demands that there be no resale, or business travelers would be traveling on leisure fares.
> or business travelers would be traveling on leisure fares.
Don't they already do that anyway? Every time I've gotten on a plane for work purposes, there was no differentiation between "business traveler" v. "leisure traveler" as far as the ticket purchasing process was concerned. Hell, in the most recent case it was even with my own credit card (for which I submitted an expense report to be reimbursed) - so for all the airline knew, I was just taking a week-long vacation to Colorado Springs (in that case) instead of being there for work.
The rates are typically different if you stay a Saturday night. Business travelers go home on Friday night. (SFO-NYC on Friday night was always a tough flight to book. I usually stayed the extra night so I could fly 1st or Business for less money.)
If you could buy someone else's ticket on the secondary market, then you could do a split ticket thing where you both stay Saturday night but neither of you actually do.
Everyone should change their name to Pat Smith and end this scam once and for all.
> The rates are typically different if you stay a Saturday night.
I recently flew from the US to Europe and returning on Thursday or Friday was twice the price of flying home on Saturday or Sunday - the weekend return options actually showed up as free during booking.
>We check IDs for flights because airline yield management demands that there be no resale, or business travelers would be traveling on leisure fares.
Sorry, what? Surely business travelers pay more just by virtue of traveling by business class? Or, if travel through business portals was consistently significantly more expensive than just buying the ticket directly on the airline's website, businesses would just start buying tickets directly from the airline's website?
Is there something about how ticket fares are calculated and paid that I don't understand?
Last minute / next day fares have traditionally been far more expensive than 3 week advance, and that was intended to impact business travel more than leisure. If there was a 3rd party marketplace for airline tickets, last minute tickets would not be nearly as expensive and the airlines would make far less money.
Consider an example where we have a business traveler "Bob" and a leisure traveler "Larry". Bob needs to get to LAX tomorrow to put out a fire at a client site. Larry has a trip booked to LAX tomorrow, but can't go because he's sick. Larry has paid $500 for the trip 3 weeks ago.
Today: Larry cancels his trip, and maybe, if he's lucky, gets an airline credit for the original price of the trip that expires in a year and which may be hard to use for his next trip. When he cancels, a seat opens up on the plane, and the airline sells it to Bob for $1200.
If resale was permitted: Larry auctions off his ticket at an airline ticket reseller. He gets $700 from Bob. So if resale was permitted, Bob's business saves $500, and Larry makes $200, and the airline looses $1200-$1700. You can see why they hate resale.
Okay, but how many business flights are actually last-minute like that? Whenever I've flown for work reasons the tickets were bought at least a week in advance, and usually 3+ weeks in advance.
Likewise, there are plenty of non-business flights booked last-minute like that, too - like, as a personal example, needing to book a same-night flight to help a family member drive cross-country with her kids and personal belongings so she could get out of a dangerous personal situation.
All this being to say: if price differentiation between in-advance v. last-minute bookings is actually intended to make business travel cost more than leisure travel, I'm thoroughly skeptical of that intent being fulfilled in practice. Seems more likely that it's simply a matter of things costing more when they're more scarce (as seats on an airplane would become as it gets closer and closer to the departure time), and that just so happens to impact business travelers more than leisure travelers.
I would guess most of your exposure to business travel is within tech or consulting, which rarely require last-minute booking. I would imagine most last-minute bookings for business travel come from people in sales. I’ve seen many sales people find out a prospective client is open to meet and immediately hop on a flight just to potentially make a sale. The opportunity cost is worth it even for small businesses. My exposure to this was for wholesale and retail distribution of consumer electronics but I’d imagine that this would apply to any business with a sales team.
About half of the work trips I've been on, the tickets were booked at most a couple days in advance. The most expensive ticket I've ever bought was an economy United cross country flight to LAX for $1500 (booked about 14 hours in advance) and I've done a lot of vacations to Europe. We booked it last minute because we didn't know when the project would be ready to deliver and once it was, we had to deliver ASAP. I was on the ground in LA for about 12 hours before flying home. Awful trip. Largest ratio of dollars spent to enjoyment received I've ever experienced.
Or physical world engineering: my brother had to hop on a plane last minute to go fix in place a machine having issues plenty of times.
I almost always book tickets for business travel 1-3 day before the trip. I am completely price insensitive (I do not care if my employer pays $100 or $400 for the ticket), my schedule is hard to predict ahead of time (if there are no important meetings on Monday, I will fly on Monday. If something important pops up I may fly on Sunday or on Tuesday). Downside is smaller seat selection (I mitigate by always checking if aisle seat available before booking) and sometimes convenient flights sell out.
My employer does some kind of credit system so we get cash credits for future trips which we can use for nicer hotels next time. Something like that. I don't fly often/ever. I should clarify the credit is the difference of the expected price vs what we paid. So if flight is normally 300 and we pay 200 we get 100 towards future travel. And then there are upper limits to what we can expense and the credits offset that.
I think Google does it now. One problem is see is that people may optimize for price tickets and not business goals to get bigger credit. Business need is 2 day trip but people may extend it by 2 days to get cheaper air tickets but on balance it will be more for the company due to additional hotel cost.
That sounds pretty easy to game. But I think in these cases, they take what they can get and can’t really game it.
Business travelers != travelers in business class.
Airlines use a fair number of techniques to price discriminate between leisure and business passengers.
Yeah, I don't think that's right either. They don't check your ID at the gate, it's just TSA that checks your id (if you have one).
And they require a boarding pass. Which can’t be changed without the airline’s permission.
Back in the old days, sales like this were common. No ID checks, non-passengers allowed through security, and the classified ads in newspapers would say “round-trip coach ticket May 8-12 JFK to SFO, male name, call 212-555-1234”. So you met them, got your paper ticket, got a boarding pass at the counter or the gate, and flew.
Depends on the departure and arrival city. It is common for ID to be checked at the gate for international flights because airlines are held responsible for transporting passengers that don't have the correct paperwork / visitor permits for the destination country.
Yes, and the airlines don't (generally) let you change the name on a ticket.
Comment was deleted :(
So even if you don't want to do the ID thing, there are alternatives that you see all over the place (like venmo) Have a rotating QR code seeded with a unique to the user id. Then with ticket master, require a login to buy tickets. Register the tickets to the ID and then do the lookup with a combination of the ticket id, rotating qr code, and the user id.
That requires the admitter device to send the challenge back to HQ, but that shouldn't really be much of a challenge. Tickets then become linked to the user's account (perhaps you allow transfer).
This is effectively what Disney does with their ticketing system, along with at the gate them taking a picture of you so they can confirm "Yes, so and so looks like the photo".
But yeah, all of this is ridiculous on its face as the cheaper and easier solution is ticket plus ID. If you are worried about flow have signs up before check in that say "be sure to have your ID ready before you get to the counter".
The ticketmaster solutions are just bad/half assed.
That is to say, if ticketmater had just done TOPS like the article points out, you'd not need the headache they've created with needing a live internet connection to load your ticket.
Disney is collecting pictures of everyone faces. That's pretty creepy.
They only collected my fingerprint last time I went.
Are there no cameras in the fingerprint collection area?
I don't recall. There's probably cameras everywhere. Disney is hardcore.
You don't understand how people at their companies evaluate stuff like this.
Any solution that increases capital or operating expenditures for them or the venues (half of whom they own, if I remember correctly?) is a non-starter if it doesn't generate some increase in revenue.
They will not do anything they don't have to do if it means any impact to their bottom line whatsoever.
We see it as "pennies per transaction."
They see it as "we sell 500M tickets per year so five cents per transaction is $25M/year in lost net."
Well that's where I'd argue they are negatively impacting their bottom line.
> These rotating barcodes on the other hand are far from perfect. I experienced this first-hand last year when I attended another very popular concert where they used a similar rotating-QR-code-ticket system. Numerous people including myself and my friends were floundering at the entry gate citing a bevy of broken barcode problems. ...
> The venue was so crowded that cell-towers and WiFi were overloaded. Internet access was spottier than a Dalmatian with chickenpox.
That is impact to their bottom line. They have admittees waiting at the gate blocking other people from getting in cutting into their concession sales.
If they'd used a bog standard TOPS system (like the op suggests) that would not be an issue at all. But instead because they have the dumb system where you reach out to the ticket master servers to get your code, they've created their own nightmare.
> I experienced this first-hand last year when I attended another very popular concert where they used a similar rotating-QR-code-ticket system. Numerous people including myself and my friends were floundering at the entry gate citing a bevy of broken barcode problems.
That's a different system. The article makes it clear that the Ticketmaster system works offline if you have opened it on the mobile app. Which they don't want to install.
You don't even have to use the app. You can just visit the ticketmaster website and add it to apple wallet straight from there. Can do it months in advance, too.
The website comes up in Safari, and is scannable from there. Don’t need to add to wallet. I used box office wifi to get text and follow url.
I never asked for this BTW, would rather have a paper ticket.
The advantage to using wallet is that you don’t need working WiFi at the event. Everything you need to get in is stored locally.
I bought it at the box office and did need wifi to complete the download. I didn’t need wifi or the wallet at the gate.
Webpages can work offline. Not sure if Apple has allowed this yet.
> Like, they want to improve the flow of traffic through admissions.
But they in turn greatly degraded the flow of traffic by forcing the use of a proprietary always-online app which fails to load when your cellular connection is less-than-ideal. Verifying a photo ID would probably be faster.
True, but when you point out practical realities like this to monopolistic institutions, they don't have to care.
They will instead ask "well why isn't the connection good at the concert? What can we do to fix that?" (ie. "we don't have to change when we can make you change")
It IS true that if you don't have to verify the ID of the ticket holder then admissions will go much faster. So long as they can make that plausible sales pitch, they can use it as justification for whatever byzantine DRM system they can dream up.
> How can you avoid reselling if you don't verify the original purchaser?
A ticket scalper cannot know the names of the people that will later purchase his tickets. So connecting each ticket to a name prevents scalpers.
Yeah I agree, they are not incentivized to fix scaling/bots because they get a fee every time a ticket is sold. It is in their best interest for the ticket to be sold as many times as possible.
[flagged]
But also, the hell with this. I'm still sour enough about the TSA without the concept of, "I'll buy tickets for me and three of my friends then see who wants to go," becoming impossible or gated by ticket transfer fees.
Airlines are preventing a secondary market. Unfavorable for your use case, but also prevents scalping airline tickets (while allowing airlines to attempt to maximize revenue). There are always tradeoffs and compromise.
To hack around this, I've used Southwest Airlines; I can buy tickets for folks and if they can't travel, we cancel the ticket(s) and keep the travel funds banked for another time. I hope this is potentially helpful information.
https://simpleflying.com/why-airlines-dont-allow-name-change...
except Southwest is easily the most expensive carrier these days and other carriers have also adopted flexibility
hopefully their new changes such as allowing their fares to be indexed will make them close to being competitive at some point. but today you really only get near-competitiveness (it's still bad) if you're going to check both pieces of luggage and have no way of getting free luggage on any other carrier.
even buying and throwing away tickets, depending on your probability of travel, might pay for itself in one trip.
People who compare Southwest to Frontier and Spirit are not serious people. Southwest is a premium offering, if folks want to ride cattle car a la carte, I encourage them to, just don't ruin the established brand of SWA. I would rather fly dead on Southwest than alive on another domestic carrier.
First I've heard of southwest being a premium option. Even Wikipedia lists it as a budget airline.
Flying on Southwest is generally a more pleasant experience than flying economy on United, American, or any of the other major carriers IMO. It won't beat flying business class or whatever though, but I'm not that rich.
The seats are more comfortable. Every plane has pretty good in-flight WiFi (paid) and free movies/TV you can watch on your own device. Drinks and snacks included. Two checked bags free. About the only thing I miss from the big carriers is charging/power outlets at the seats, but I hear that's coming.
Value is subjective. I'm going to pay for business or first when the whole plane gets there at the same time? Nah, I'm paying for a great experience if something goes wrong, bags included, and reliable air travel between two points. It's low key white glove service in a world of race to the bottom customer service and trying to remove every touchpoint possible between the business and the customer to save pennies.
https://community.southwest.com/t5/Blog/Southwest-Airlines-R...
https://www.nerdwallet.com/article/travel/is-southwest-airli...
I booked a flight a couple of weeks ago. Southwest was still cheaper than American and Delta for the flight I was looking for, even before thinking about two free checked bags. Adding in the fact their seats are bigger and free checked bags, it is definitely a better value to me.
Even allowing that but requiring your valid ID must be taken into the venue by yourself (or by your friends eg if you get sick and can't go) would be a big improvement, meaning ticket scalps would have to actually go or have someone on their team go along with every ticket they resell.
Flying requires an ID. Attending a concert should not. Any solution that is solved by "simple, just require an ID" is not a solution.
Depends a lot on the country you live in. In most European countries "carrying an ID" is legally required if the police stops you anyway (they do need a reason to see it though), so "show an ID at the entrance" is no big deal.
It's to my understanding mainly the US where ID requirements are often side eyed because many people don't have them and there's no national standard (and due to a variety of political reasons there probably won't ever be any.)
What the hell kind of draconian country forces you to always have an id on you? What if I go running with only my watch on (I’ve regularly done this with no malicious intent)
Lots of nations require carrying some form of ID: https://en.wikipedia.org/wiki/List_of_national_identity_card...
In the US, permanent residents are required to carry their green card at all times.
Here's a description of the law for the Netherlands, where I live: https://www.government.nl/topics/identification-documents/co...
There's difference between mandatory possession of ID, and requirement to carry it all the time. This list doesn't distinguish between that.
In my home country (Hungary) it is mandatory if you leave your home more than 500 meters and as far as I know, most European countries have similar rules.
that's really just an opinion. and I'd argue that if people really care about a fair and sustainable concert going, given how ridiculous the live event situation is, you'd support pretty common and standard requirements like ID to be shown. as others said: ID is already required to validate age in many events/venues
Recent changes are anything but fair and sustainable. Front section tickets have gone from $120 to auction at $400+ at our local venue.
Can no longer pay cash, have a paper ticket, be anonymous. Those are much more important to me than preventing scalping.
Scalpers out front have provided a valuable service to me a dozen times over the years, when I didn’t plan well.
Any solution (I didn’t ask for) that turns concerts in an international flight experience means they are dead to me.
Age was traditionally checked separately and manually. Not put into a database to be bought and sold and breached.
> Flying requires an ID. Attending a concert should not.
Why though? Not disagreeing per say because I'd have thought so too, but upon reflection...
I assume the main reason airlines require an ID is safety and security. We maintain a denied parties list and use identity verification to make it as difficult as possible to fly a plane into a crowded venue. Border control is another issue, but there's plenty of intra-country or intra-state flights where this isn't an issue.
Ticketmaster sells unverified access to crowded venues.
I assume the main reason airlines require ID (for domestic flights) is to prevent ticket resale, and that "security" is just a convenient scapegoat. And I'm not alone[1].
[1] https://www.schneier.com/crypto-gram/archives/2003/0815.html...
Because we ought to do everything in our power to stop the aggressive onslaught of the surveillance state. We already know TSA is security theatre at best, and the time they’ve wasted already justifies more lives lost to terrorism instead.
Practically, I don’t want Ticketmaster having access to the information on my ID, they already leaked lot of my other PII.
Is your argument that people should be unable to attend concerts/etc without presenting ID? I for one am not a fan of that idea
I'm not a fan of it either. Just sayin' that concerts and events are where the densest crowds are. Are we protecting people from doing things to events more than the events themselves? I'd hope this is an argument for more granular control. I'd love to fly short-hops without ID, but maybe TSwift concerts should require something? (Edit: Do they? Events/venues do start to have their own security at some point. Flights also have different controls for national vs international.)
I'm also probably overly discounting border control. Traceability in particular. I'm not a fan of this either.
You need to show one to get a drinking wristband anyways (and avoid the hand Xs), or into any 16+, 18+, or 21+ show.
This is not universal.
How are you getting into shows without presenting ID for age? Every (well, every legal...) venue I've been to in NYC cards to see if you are 21.
I've been to many [big, small] well-known, legit shows in the US as a kid who was not yet an adult.
I did not have an ID, and none was required to get in.
All-ages shows are definitely things that exist.
I have never had to show ID to get into a concert other than tiny shows at bars. Every larger venue around here (SF) I’ve been to checks IDs to get a wrist band which lets you buy drinks, but you can just skip that if you aren’t drinking.
Italy solved this. Five years ago, a new law enforced ID-checking when you enter any big events (like concerts with an audience larger than 5000 people).
Tickets have your name on it, and you can only change the name or resell them through the official seller (so, third party resellers are out of the game). Also, every reselling transaction is registered and can be inspected by the Italian Rightsholder Agency (SIAE).
I’d rather not solve it than let the state have more information about my transactions
Because this, and more very strange rules it is very hard for ticketing systems to get into the Italian market. Some examples:
- not allowed to change to time or name of the event after the 1st ticket is sold
- only allowed section names in halls from a know list
- free tickets on events... can only do this under strange conditions
- smart card application, for encryption, must run on a physical server in Italy. You should not be able to log into the ticketing box office if that smart card application is not running.
You know many details about Italian ticketing systems, are you working in the industry?
People often buy tickets without knowing exactly which of their friends are going to attend with them. This is not true of airplane tickets.
One ID for the entire order would be fine. You can buy 4 tickets, and go into the concert with your 3 friends. It often works this way even with no ID involved, I buy two tickets, add them both to my wallet, scan them both when my GF and I go to the show.
You COULD still scalp tickets if the person who bought them from you is going to walk in with you. But the scalper would have to eat the cost of one ticket to do it, and it's probably onerous enough to severly reduce the impact of scalping.
That's how trains work (here).
Every ticket must have one name and surname on it, no matter how many passengers it covers. That person must be traveling on the ticket.
You're usually asked for some kind of photo anyway because of discounts, which a very significant percentage of train riders are entitled to.
I think this is because tickets must be both printable and verifiable offline in case the train gets into a spot with no connectivity when the inspector is inspecting tickets.
Thats interesting to learn.
Here, train tickets need to list every passenger along with their age and gender. This also enables you to cancel for just one person on the ticket without affecting the rest.
The ticketing system basically assumes no network connectivity. Ticket inspectors usually only ask you for your name and match it to their records. And only ask for and id in rare situations (you absolutely need to have yout id with you irrespective of infrequently you actually need to show it).
What if you need to arrive separately? Especially for a big event with tens of thousands of people, can be easier to meet up inside the venue on everyone’s timeline.
Then you should have thought of that when you bought the tickets I guess. Any change to the system to fight scalping is going to inconvenience regular users too.
As a frequent concert goer, I’d happily have to arrive with my group if it meant no Ticketmaster.
So that makes it a shitty system that is really solving nothing. If I hypothetically have a group of 14-15 year olds that I buy Taylor Swift tickets for, does that mean I have to accompany them up through the line? Just dumb.
There are really two options. Tickets are non-transferable, which means you need the name of the person and to check ID, and there's no scalping, like airlines. Or tickets are transferable, and you don't need names or IDS or whatever else but scalping occurs.
If you think scalping isn't enough of a problem to balance out the inconvenience of having to plan the ticket purchases better, well, uh, that's just like, your opinion, man. We'll agree to disagree. But it does mitigate a problem, scalpers inflating prices.
Then assign names to the tickets after purchase. Should be allowed up to 24 hours before the event or something.
That beats the entire purpose of having names on tickets, which is to stop scalers.
No, because at least 1 name has to be assigned on purchase. So the scalper is still out 1 ticket.
Yes this exists, it's called lead booker tickets
Would be awesome if it were true for airplane tickets
That requires a single source of truth for which names go with which tickets. Which is going to be a problem if tickets need to be transferred in contexts where users don't have internet access (but they do have local connectivity between devices) or in contexts where the venue doesn't have internet access. Or in cases where the single source of truth might be vulnerable to attack or doesn't have the resources to handle the load at certain times.
I don't have the solution explicitly, but it seems like it ought to be possible to do this such that PII need not be collected. Tickets could be cryptographic proofs that a chain of custody exists and meets certain criteria. The proofs could be constructed at transfer time and verified at admission, no servers in the loop anywhere. Yeah, we'll come up against the CAP theorem eventually, but we might find that the imposed constraints are workable.
> Which is going to be a problem if tickets need to be transferred in contexts where users don't have internet access (but they do have local connectivity between devices) or in contexts where the venue doesn't have internet access.
You know as well as I do that TicketMaster won't allow any of that, because it means they miss out on selling another ticket.
I was operating under the assumption that the goal was to replace TicketMaster with an open protocol.
I agree, mostly. What do you do for people without an ID (and without a parent)? Think of the number of people at a Taylor Swift concert who are under 18 -- a lot. Also, checking the name between ticket and ID will slow down entrance by 2-5 times, I guess.
I was recently at a Festival that requires ticket + ID (https://www.resurrectionfest.es). The key to success was to put a little more personal at the gates, maybe 15 people instead of 10. But it is also true that we have the ID document issued in our early teens it not before. Each ticket verification takes 3 more seconds extra to verify the ID matches, no big deal.
Said festival does their own ticket re-sale to avoid scalping but mainly to avoid shady sites that are known to allow the selling of counterfeits. You can only cede your ticket, not sell it. It is not perfect (e.g. if you don't find a buyer for the same price, you can't sell it at a lost to recoup some money. You get your ticket back) but at least is not as bad as the one from Ticketmaster.
No, it's not. At my work here we'll all go online to try and get tickets to a big gig. One of us might get in, so that person will get ~8 tickets or whatever the maximum is. And then we split them between us, transfering over cash etc. If we have a few left over we'll sell them to friends for the ticket value.
But none of us have any intention of lining up with the others to get in. We want to go with our partners, our own friends etc.
I want Bob, Terry or Bazzy to by able to buy tickets for me (or me for Bob, Terry or Bazza) but I do not want to have to meet up with Bob, Terry and Bazza and stand in line with them all to get in.
So yea, it's not trivial. I wish it was, I farkin' hate scalpers.
how is this not the same as 8 people trying to find airline tickets for everyone? you can buy tickets for different passengers. some airlines/travel agencies even allow for name change for a fee.
This is trivial and solutions exist in the wild already. If you buy tix for the Paris Olympics, you can transfer them to your friends or you can assign their names to the tickets directly.
The interesting mechanism there is that you can buy a lot of seats at once, but you don’t get to choose where they are exactly, only the section. So in every case you’re going to have people buying big lots of tickets and distributing them to friends and family after the fact.
Hell, you just scan your ID at TSA nowadays. They don't need your ticket.
Or just scan your face with the new Digital ID rolling out. It's actually quite nice.
I flew about 3 days ago and they only asked for my minor children’s boarding passes.
The issue is most likely about throughput. You want to let fans enter the venue as quick as possible. Most venues have lots of gates, but still the latency at each gate has to be a handful of seconds per ticket. Having to validate both ticket and ID would easily double or triple that time.
Today's digital entry experience is far from frictionless. Might as well add a scan of the PDF417 barcode on the back of the latest state ID cards.
I just went to a MLB game yesterday, and the digital process was:
- Open ticket app
- scan ticket 1
- scan ticket 2
- Open ticket app
- scan PDF417
- scan ticket 1
- scan ticket 2Hopefully in the near future (https://nfc-forum.org/news/2024-07-nfc-forum-defines-next-ge...) you would just need to tap you phone once, and get your ID passed to the scanner, along all the tickets for that venue & time.
No more opening app, and showing different tickets and IDs.
That would clear that argument.
For one, this is a problem world wide, but OK, you can try to solve it for the US.
But for another, not everyone has a state ID card. In particular the 7.1% of the population that does not have U.S. citizenship will have varying amounts of US documentation, depending on how long they're in the US for and whether they're there legally.
And you really want to be able to sell tickets to tourists.
I keep reading about this argument but Olympics and World Cup matches are arguably as large events (if not larger) and they place name on ticket and check ID at entrance.
people complain at ticketmaster yet seem to bend over backwards to justify the state of affairs
Not sure how they do it for Olympics and World Cup, they probably compensate with more gates/scanners than a typical venue. I am not advocating either way, which is either keep a ticket anonymous, or tie a ticket to an ID. I guess Ticketmaster would love to tie tickets to ID, so they would know the customers better.
If/when https://nfc-forum.org/news/2024-07-nfc-forum-defines-next-ge... gets implemented by Apple/Google then we could one phone tap, get the ID, the ticket and verify that they match.
But I have no idea when Apple or Google would implement those ?
You can rely on TM to do whatever makes the most money, and they probably know better than us. Also those you list are typically higher security events.
Yes, some events are different, like the Super Bowl for instance, where everyone is screened, and a simple concert, where you just need a ticket that scans.
Some venues do this already and the scalpers buy an additional ticket to burn on themselves so they can get their customer in the gate. It just goes into the cost of doing business. I agree this is probably one of the best ways to stop scalpers but it's not foolproof.
I’ve heard the argument that forcing people to have an ID is anti folks with disabilities and anti-poor since it requires someone to go to an issuing agency to obtain and pay for one, which could be putting someone out who has a mobility disability or doesn’t have a lot of money.
I’m not making the argument but it’s an argument I’ve heard.
If the government needs people to have IDs, then maybe the government should provide those IDs for free...
I happen to agree, but it isn’t only the government that requires IDs if private companies are asking for them as well.
Airlines are starting to use rotating barcodes as well. Heck some are even switching to purely facial recognition.
I’m not sure that would fly in Europe. And I personally don’t want to hand over my id to use a ticket
Exactly. The privacy characteristics of government ID cards are worse than any other solution. When sharing such an ID, a person is providing several global, stable identifiers (e.g. ID number, full legal name). For adtech and data brokers, this is the ultimate fingerprint for tracking and matching.
In a perfect world, the digitization of these IDs would come with modern digital privacy and security. Scanning your ID number would only provide a recipient-specific ID that couldn't be matched with other vendors. Age eligibility and driver's licensing status would be presented as separate signed attestations that share no other data.
We aren't even heading in that direction yet.
I wouldn’t bring my ID to a concert. I don’t have my wallet with me and even if I would they wouldn’t like me to have a backpack. I‘m coming as light and minimal as possible and also would hate to lose my ID jumping around at a concert.
...yet you have a phone (for the moving barcode and whatnot) which is heavier and bulkier than a card?
True. I feel it, it's locked without my face and I can track it.
Have a picture of your ID on your phone, like every other person has. Or bring a photocopy of your ID that you can throw away after entering.
That's not valid. And almost no one would except it. The real digital version is still in the making.
I knew this comment would come. But you're wrong. A photo of your ID is accepted almost everywhere, and especially at a ticketed event where the only purpose is to match your face to the name on the ticket. They're not the police, they just want to check that you're the person who should have the ticket.
Well around here if they ask for an ID, passport or driving license they don't accept copies. You are wrong on the "almost everywhere". Might be true for most places around you.
I don't.
+1 to this. also doesn't Olympics and World Cup class events also face similar issue as concerts, and they allow for fair'ish purchase and resale by private people, but only through their platform?
This improves the security over airline tickets.
There was a recent story of someone taking pictures of other people's boarding passes, and using that to board the plane.
With this ticketmaster scheme, unless the person has access to the secret keys, the pass would only be valid for a few seconds, likely defeating this attack against boarding passes.
https://www.nbcdfw.com/news/local/texas-news/texas-man-board...
How often has this been a problem though? How about not keeping your boarding pass, or ticket, or credit card for that matter, visible for the world? Just put it in your wallet, I don't know.
This is security FUD. Stop solving problems that do not exist to the point where it makes the news when they do happen, once a century.
This DRM scheme concretely creates millions of small annoyances to millions of people and wasting our time as a society.
It also happens that pranksters can cancel your travel if your boarding passes make it on to Twitter or other social media. It's not a non-problem like you make it out to be.
Sure, it won't happen to you or me, because we know it is a risk to expose these documents, but that is not true of most people.
Maybe the DRM is not worth it. I actually think it's obnoxious for concert tickets (I recently had to deal with this system, and I was not thrilled about installing an app from a company that I think is using unfair business practices).
I’d call that a feature, not a bug, since you can’t get a boarding pass until 24 hours before the first leg of a trip. Expensive education, but education nonetheless.
I only use paper boarding passes if they insist on giving them to me when I check my bags or if I’m flying internationally and am worried about connectivity in one of the transfer airports. They go straight into my travel wallet (full-length, large enough for letter or A4 paper folded, with enough space for two passports, several credit cards, a pen, and plenty of cash or other documents). The company that made mine is unfortunately out of business, but https://www.leatherology.com/zip-around-travel-wallet is similar.
> It also happens that pranksters can cancel your travel if your boarding passes make it on to Twitter or other social media.
The security theater of checking ID does nothing to stop this. What's your point?
My point is that rotating expiring barcodes actually can provide some security value.
This is a horrible horrible idea.
It'd then be impossible to buy a few tickets to an event with the intention of finding people to come after the fact.
This has its own problems. It makes it difficult to swap tickets.
A music festival I went to recently charged 30 euro to change the name on a ticket.
A lot of concert goers are under 18 and dint have valid state id.
Yeah, except NO.
A lot of people think live event ticketing is the same problem as airplane tickets, but they really aren't. As an example, there are rules about requiring identification for commercial flight. There are rules against requiring identification for live events.
Where has rules prohibiting it? Maybe will move. :D
Ticketmaster says: NIH
[flagged]
Oh cool, so when I buy a scalped ticket I'll simply order a quality fake ID as well.
Perfect SAAS opportunity.
Buying and using a scalped ticket isn't a crime for the concert-goer, using a fake ID (in most states) is meaning it puts significantly more pressure the consumer to not buy. Also, most people in the US over the age of 21 don't have fake ID's, so it's a reasonable detriment.
GenAI?
The solution doesn't have to be perfect. It just has to be good. Good enough is good enough.
With regards to the end of the article.
> Can I work for a bad company and still be a good person?
> No.
I'm glad we cleared that up. Now all that remains is a good, measurable definition of what a bad company is.
It's like porn. You know it when you see it and also there's quite a lot of it.
As one grows older, they may find that not everything in reality can be quantified or put into words.
And trying to objectify value judgements is another whole area of contention that inevitably leads to itself.
I realize that.
But the point of reading a blog post would be to learn something insightful, to see the reasoning or argument by which the poster came to this particular conclusion. Hopefully with some consideration that I'd not thought of before.
This boils a complicated question with nuance and problems and facets of debate into a rather vapid "I like this answer." of a post. It's not worth anything: I come away from it no richer than when I came.
Like, trivially, someone could write the opposite answer on another blog. And whose answer is right? (They of course need not even bother actually writing it out. A "right" answer is created by argument, not spilled ink.)
> Now all that remains is a good, measurable definition of what a bad company is.
Lets re-invent religion.
You're trying to get quantitative about a qualitative problem.
The problem is that "bad company" is such a nebulous concept as to be useless, as the JSON license showed with their "shall not use this software for evil" clause.
No matter which company you choose, someone somewhere will find a justification for why they are actually not bad. Weapons dealer? Protecting your nation. Destroying local businesses? "They are just adding efficiency to the market". Kill someone with bad practices? "Still safer than the alternative". Ticketmaster? "The scalpers are giving a subvention for those who cannot afford the real price".
Setting up a straw "bad company" and knocking it down doesn't help anyone on the real problem of people working for unethical companies.
That's their point. They're poking fun at how the OP is speaking in absolutes about something subjective/ opinion based.
Speaking in absolutes about an opinion is just fine.
OP wasn't the one trying to define it.
So if you think a company is bad you shouldn’t work for them. Perhaps many of the people working for TicketMaster don’t think they’re a bad company.
If you're asking the above question, it means you already think the company is bad according to your own morals.
I ask myself if my company is bad all the time. They don't get a perfect score, but I feel better about this one than any of the previous ones (that's why I'm here and not there). If the answer is ever a resounding yes, I'll leave this one too.
When most of the relevant work around you is in some way related to ICBM's, you either sell your soul early, or you end up with habits like this. By my reckoning, about 80% of technology companies are bad.
It's not hard if you remove the self delusion. Removing the self delusion is maybe tricky for the individual, but it's easy for people around the individual to see. Societal tools like shame are generally used to encourage people in the right direction, but we don't do a great job of this in America, because money tends to override everything else and I don't think we have good structures around expressing non-monetary values like honor.
Especially on the west coast, we're so passive in our shaming of people that it probably doesn't translate to action. There are people who work at Evil companies like Facebook, etc, who are otherwise nice, but I find myself not including them or turned off to them as friends because this sort of contradiction is hard to square in my brain. Of course I wouldn't communicate to this, being a passive PNW raised wimp, and it's not even super explicit in my mind, it's really more of a bad vibe than anything else. I imagine over time if enough people act like I do, it doesn't actually translate to different decisions from the individual in question, but instead translates to them waking up one day feeling distant and unfulfilled, which is probably the worst of all outcomes. They still work for Bad Company, but are also sad about it, and there's a general sense of malaise pervading life that's hard to pinpoint.
*Obviously this all ignores the people who don't have a choice of employment. But here I'm generally referring to software people who have high pay and career mobility. Things get murkier when the conversation is opened up to people who are just trying to survive.
Yup. I was just discussing this in another comment that Facebook's emotional manipulation of users without consent is ethical wrong. Some people are replying with eh, everybody does it and for 20,000 dollars people will jump to Facebook.
I think the Leetcode grinding, TC optimizing crowd with no real moral judgment which is the majority in tech right now is another reason why things are falling apart. They will happily work for the KKK if they get a larger RSU package.
Your point about them being at least "sad" about it, is a start I guess.
Postmodernism has stripped away fulfillment with the promise of higher pay if you just grind harder.
If you no longer feel pride in your work, then money takes over. In my search, no employer cares about this anymore because the newer generations are only here to grind for gold.
I won't try to define postmodernism, but I'm pretty sure a significant part of it has to do with abandoning traditional modes of operation and freestyling a bit with your worldview.
I don't question that the problems you're describing are problematic, but what do they have to do with postmodernism? It seems like in the cases you're describing, the postmodern approach would be to call into question whether the abstractions in use ("value" in this case) are applicable, and to instead march to the beat of your own drum in some way.
It's not 20k, I know cases of 100k's more
Wait, is the KKK bad? What is your good measurable definition for it being bad? /s
Does this extend to where you live and pay taxes?
Yes.
So, too poor to move means you are evil. Capitalism wins yet again.
I think we should make an exception for saboteurs.
And whistle blowers. And double agents.
Comment was deleted :(
All company's are "bad" in some way... does that mean all employees are bad?
> No.
And pretty much every company is bad. But this is a wrong answer because the question is actually nonsense.
The answer to "What happens when you move faster than light" is not "nothing", it is undefined because the question is invalid. Asking if a person or a company is good or bad isn't a question that can ever have a well-defined answer: the answers we give are rounded according to our own values. To get more specific, not all of us have a huge amount of choice in who we work for.
If apenwarr believes I want to be a good person they should hire me at Tailscale. What's that, they won't? They don't have openings, or I'm not qualified? I guess they're the bad person because now I have to work for a bad company or lose my income. And if I lose my income, my co-habitants lose their housing, and my donations to good causes dry up. Do I just not do enough good for apenwarr? They must be a paragon of virtue. Surely they don't eat meat, or even associate with meat-eaters. Surely they don't fly in airplanes.
It doesn't need a well defined evaluation scheme. You're the one asking the question, you can provide your own scheme, and come up with your own answer. Whether you're honest with yourself in this process is up to you.
It's still useful to point out that IF you think your company is bad THEN you should do something about that. It establishes that "I was just following orders that I know are wrong" isn't a valid excuse (e.g. like if you end up in court for something you did on the job).
> You're the one asking the question, you can provide your own scheme
Well, I'm responding to someone else providing their scheme for everyone else to use.
> the answers we give are rounded according to our own values
I agree with this entirely.
And rounding does not change the answer in most situations.
Something that isn't well-defined can still be mostly-defined.
I have no idea what the point of that strawman is in your last paragraph. It doesn't make sense with or without rounding. Maybe if you round every single value to infinity, but that's not what "rounding" normally means...
I honestly don't know how to respond to this, it's too vague.
I can try to word it better?
You said when people look at moral situations, they use their own values to round their measurement. And I thought that was a good way to describe things.
Then for some reason you acted like "rounding" turns things into strawman-level black and white. The slightest blemish (not hiring a specific good person) qualifying as evil.
Let's say a scale of 0 to 10. If people disagree whether some issue is a 3 or 4, and a few people say 5, and that's 95% of responses, then that disagreement isn't a big deal. It doesn't matter that it's not well-defined, it's sufficiently-defined.
That would be rounding. Showing that the question is not nonsense.
If they disagree whether it's a 0 or a 10 that's a totally different thing that is not rounding.
Appreciate the explanation.
> Then for some reason you acted like "rounding" turns things into strawman-level black and white. The slightest blemish (not hiring a specific good person) qualifying as evil.
This was in direct response to the top-level comment making that very assertion (via a blog post). If I'm understanding you correctly, I think we're actually agreeing that it's absurd. The CEO of a "good" company indirectly, but unambiguously, called me a bad person for not leaving my job. I say, if it's so cut-and-dry, and I want to be a "good" person, why aren't they helping me get a better job? Of course, it's an absurd ask.
Somebody isn't only allowed to be "good" if they do every good thing possible to them. And I am sure said CEO does many acts others would consider "bad", such as eating industrial meat or flying, both of which participate in the generation of immeasurable harm.
---
Also, with regard to your scale - you've given the question too much credit. The question doesn't ask "how much are you good or bad?", it asks and receives a binary answer. And the vast, vast majority of people can't be assigned one of those binary categories of "good" and "bad".
I'm saying that your argument is absurd, but the one in the blog post is not absurd. You made a strawman.
"A good person is obligated to quit a bad company." is a far more reasonable statement than "A good company is obligated to hire every good person."
> Also, with regard to your scale - you've given the question too much credit. The question doesn't ask "how much are you good or bad?", it asks and receives a binary answer. And the vast, vast majority of people can't be assigned one of those binary categories of "good" and "bad".
You can pick a threshold. Your strawman would categorize 99.9% of things as bad, which is obviously the wrong threshold, and very obviously not what the OP meant. The failure of that method doesn't make the entire idea of judging companies invalid.
I'm not giving it "too much credit" to take a sane and quite obvious interpretation.
Alright. I just don't agree with you then. "A good person is obligated to quit a bad company" is a bullshit statement, unless the bar for "bad company" is a lot higher than I see it. I already asserted at the very beginning of the comment chain, almost every company is bad. That went unchallenged, so if that's the context, almost every person is bad, no matter how much they do good in the world. That is absurd.
> unless the bar for "bad company" is a lot higher than I see it.
Yes, the bar is higher (higher means it's harder to qualify as bad, right?) when talking about needing to quit.
> I already asserted at the very beginning of the comment chain, almost every company is bad. That went unchallenged
Because you went on to say it didn't matter anyway, so I focused on the latter part of your post.
Though I'm confused. You showed an argument that sorting companies into good and bad results in absurdity, but it only results in absurdity when the bar is super low. Why is your conclusion that sorting is impossible, rather than "the bar is too low", if you were already seriously considering that the bar needs to be higher?
I don't think the bar should be higher for bad deeds! I prefer a lower bar. I see a lot of stuff happen in the world that I really don't want to happen (on topic: privacy invasions for profit), and it's not publicly called bad nearly enough.
I also thinks it's misleading and not very useful to call people good or bad, in general. I'm more comfortable with calling capitalist corporations "bad" as a blanket statements; resource-hoarding is their utmost priority, and I consider that an evil motivation.
My conclusion isn't that sorting is impossible, it's that people are too complex to be sorted into "good" and "bad", in general... and that it's shitty and incorrect to call ordinary people bad if they aren't willing to risk everything to work for a slightly less evil company in a world made of evil companies.
Well this just sounds like more reason to use a point scale rather than calling the entire idea a waste of time.
In particular 'slightly less evil' is not the goal.
> Well this just sounds like more reason to use a point scale rather than calling the entire idea a waste of time.
Again, I think we're kind of on the same page, but our solutions are different. The original question refused any kind of nuance, and we both seem to agree it's not a question that should ignore nuance. You choose to answer a binary question with a grading system, I choose to substitute a different question.
Well, I think the binary version still works, even if I see possible improvement. While you think the binary version doesn't work. So sort of the same page, sort of not. Shrug.
> Asking if a person or a company is good or bad isn't a question that can ever have a well-defined answer: the answers we give are rounded according to our own values.
Counterexample:
Was Hitler bad?
Good/Bad are consensus votes. Its hard to escape their use just because of how deeply ingrained the programming is. We just think it makes "sense" and is "obvious" because its a meme that is already in our head. There is nothing inherently evil or good about any past/present/future animal on this planet.
So, was Hitler evil?
Yes, most people and most countries are evil. In todays age I'd say the US has the largest concentration of evil.
I hate this website.
Lots of people do.
That really depends if you ask a neo nazi or not.
Due to chaotic effects of causality, most of us would not exist if any significant event from that long ago had happened differently.
How is that related? Other people would exist then. So what?
If the answer is yes, does that mean a junior web dev who implements user tracking on a shopping portal is equivalent to Hitler? Or is every who does less evil than Hitler "not a bad person"?
I don't think it's useful to say "Hitler was bad." Hitler did a lot of specific evil acts that are more useful to analyze. If anything, it's counterproductive to say "Hitler was bad," because lots of people do bad things and then say "well, at least I'm not Hitler."
Comment was deleted :(
It's baffling that you have to carry a mobile phone to access a show. What if you run out of battery? Or if you accidentally break the screen just before entering the venue? The more the technology evolves the more we find horrible uses for it. People should fight back by refraining from purchasing tickets from them, I know is not easy for people to miss their favorite artist but until a monopoly is broken there is no other effective way to prevent them from doing what they want.
I had to use something like this to get into The Killers gig last week at the O2 in London (fantastic gig btw, and Andy Bell from Erasure made a special guest appearance to sing A Little Respect which was the cherry on top, but I digress).
The WiFi in the O2 was woeful, and even on "The best network" EE the app wasn't loading.
Eventually after stepping aside and letting a load of people go in front of us I managed to get it to load, but it was a dreadful experience.
Contrast that with seeing the Pet Shop Boys last month in Birmingham where the ticket was on my phone in Apple Wallet was night and day (and you could print the ticket if you didn't have an iPhone, or wanted a physical version).
I mean Ticketmaster’s current best practice seems to be NFC tickets stored in a mobile wallet which do work offline
You can still print the ticket on paper. Tho nowadays that means a trip to a FedEx store for me, since I refuse to keep buying inkjets I only use a couple times a year.
> I refuse to keep buying inkjets I only use a couple times a year.
Laser printers are the solution, and Brother laser printers seem to remain the most highly-regarded.
Yep, I've bought 3 laser printers over the past 30 years... 1 about every 10 years, and not because I needed to... because I wanted more features. I've passed the old models down to others and they're still running. Toner never dries out, heads don't need cleaning. I would never buy another inkjet. The only use I can see for inkjet is photo printing, and even then I'd rather get them done at CVS or walgreens unless it is a special size or printing material that they can't handle.
A brother laser can often be had for $100 these days.
Another printer lifehack: Goodwill (which has a 'computer' store near me, they send all the best tech stuff there) sells laser printers of all kinds for like $20-40 and that plus a $20 Amazon non-official cartridge will basically have you set for life for the occasional print job. Since they're heavy, the Goodwill route saves most of the cost compared to eBay, though I did get mine on eBay.
I actually recommend HP but Brother is great too. My current HP is at least 10 years old, and it's the second I've owned. My first was a 2000 vintage which I used from 2005-2017. (Its rubber rollers eventually got dried out and I wasn't as skilled a refurbisher as I fancied myself)
Yup, I use my brother laser printer to print probably 20 pages a year and it’s been going strong for 5 years now on the cartridge that it came with when I bought it on eBay.
You should consider thermal printers like the Brother PJ line. A bit expensive but so small you can put it in a drawer, and no cartridge or toner at all. Just thermal paper, which I run off the same pack since I bought the printer 3 years ago.
No, you actually can’t for the tickets the article is talking about. This is increasingly common. It’s insane
> Tho nowadays that means a trip to a FedEx store for me
I've really appreciated my local library for allowing 20ish pages of printing per day, which has allowed me to limp through the no-printer lifestyle. Plus I usually grab a DVD movie while I'm there.
Life's good in the mid-2000s.
For sure. Additional info... many libraries also let you stream movies through kanopy.com, and read/listen to e-books through the app Libby.
Laser printers have solved this - I don’t expect to change the toner for a decade.
I bought a laser printer, I think something around 19 years ago, and it broke before I could finish the toner
Stop buying overpriced ink jets. I get knock off laser cartridges for cheap and they last a couple years each. I did have to push a few random buttons on my Brother to let me do it, but it works now
I worked a summer job in a Ticketmaster box office ten years ago and had access to the whole of their UK customer database in order to print off ticket collections. I’d type in a customer’s post code and up came all of the data Ticketmaster held on them… including their password in plaintext.
I had to create an account just to reply to this; as much as TM has it's faults this is just false, it does not store passwords in any reversible way or at least hasn't for more than 2 years and all evidence removed.
Source: I am an engineer within TM that has worked on integration between various booking products in the UK market.
Well there is an 8 year delta between your timeline and the OPs... so I don't see any contradictions here.
Glad to hear their security has improved since then! This was the 2014 Commonwealth Games and I had only recently learned about password hashing so I was particularly shocked that they were exposing passwords to thin clients used by front line employees.
As an engineer within Ticketmaster, I'd be curious to hear your take on the conclusion of the article.
> I think we can all agree: Fuck TicketMaster. I hope their sleazy product managers and business majors read this and throw a tantrum. I hope their devs read this and feel embarrassed. It’s rare that I feel genuine malice towards other developers, but to those who designed this system, I say: Shame.
> Shame on you for abusing your talent to exclude the technologically-disadvantaged.
> Shame on you for letting the marketing team dress this dark-pattern as a safety measure.
> Shame on you for supporting a company with such cruel business practices.
> Software developers are the wizards and shamans of the modern age. We ought to use our powers with the austerity and integrity such power implies. You’re using them to exclude people from entertainment events.
> Have fun refactoring your ticket verification system.
As a dev working in big tech, I'm sure they do feel embarrassed, and I'm sure there is jack shit they can do about it. Is that how you feel?
I don't know how many times I've reasonably pointed out why our product is extremely user-unfriendly - backed by evidence from user feedback and endless reddit complaints - but I still get shot down, badly. "Disagree and commit" they say, which is just short for "do what we tell you and shut the fuck up". If you bring up issues too many times, you end being treated like an agitator and they make your life hell. This has remained true for the many different industries I've worked in over the last 17+ years. Software developers are effectively powerless in many organizations.
Everybody has their own personal lines in the sand. People need to work for a living because we're not in a magical, post-need society. Every company has its flaws. Each company has some subjective amount of flaws/sins/evil, and everybody makes their own decision about what they're willing to do for money.
Helping a company use some sleazy dark patterns to make some extra money off of Taylor Swift tickets is honestly pretty mild on the scale of evil software engineering jobs, so I imagine their answer is "I built a system to sell entertainment, now my kids get to go to private school, and I sleep great at night."
Ticketmaster sucks, but it's not like he's working for Palantir, Lockheed Martin, or TikTok.
Does anyone knows how Ticketmaster works, really?
I have been to Ticketmaster events that use reasonably priced, printable tickets, you could even buy a printed ticket with cash. In fact, even though there are so many Ticketmaster events, they are not all working the same way. And Ticketmaster doesn't have the monopoly on shitty practices, the article gives a good example in the beginning.
What I suspect is that Ticketmaster is nothing more than a service provider. The venue/event organizer/... looks at the Ticketmaster catalogue and pick the product they want. There are "evil" products in that catalogue, and they are probably the ones with the best returns, but I am sure people have a choice.
I'd even go as far as calling Ticketmaster "Evil as a Service". So people can say "fuck Ticketmaster" instead of saying "fuck Taylor Swift". I would be very surprised if artists (and their agents) at the level of Taylor Swift didn't have a say regarding ticket sale practices, even with Ticketmaster.
Of course, the monopolistic practices of Ticketmaster are a problem, people are most likely paying more than they should because of it, but all the crap with apps, resale platforms, etc... I am pretty sure the event organizers, maybe the artists themselves are as much to blame.
> but I am sure people have a choice
Often, they do not. The DOJ is currently suing TicketMaster because they have exclusive agreements with nearly all of the large venues and that prevents those venues from using other ticket providers. To be fair to TicketMaster, they argue they are not a monopoly because there are many smaller venues that they are not exclusive with.
But, TicketMaster even requires that artists use TicketMaster's promotional agency if they want access to these large venues.
And more evil stuff! Details here...
https://www.justice.gov/opa/pr/justice-department-sues-live-...
I wasn't talking about having the choice of using another agency, Ticketmaster is predatory and this is a problem.
I was talking about using Ticketmaster (for the lack of other choice) but using one of the more consumer friendly services Ticketmaster appear to provide. I am sure Ticketmaster won't mind, they get their share anyways.
What I wanted to say is that Ticketmaster may be responsible for your ticket costing $70 and not $60, but for all the other bullshit, they just do what is asked of them (by the artists, venue, event organizers, etc... maybe even the fans themselves). Or at least, that's how I think it is.
You're missing that Ticketmaster (Live Nation) control and own a substantial portion of the venues, the catering, logistics, tour buses, security and so on.
The venue "choosing" the Ticketmaster product is owned by Live Nation.
> Does anyone knows how Ticketmaster works, really?
For the most part, no. I'm actually shocked by how much understanding you are demonstrating in this post. I did not expect to find that on Hacker News.
Tours have some choices, yes. See the Cure tour last year. But no, paper tickets and non-auction prices (for front section) have been phased out quickly.
Some tiny stragglers perhaps. Went to a tiny venue recently but was goldenvoice.
I'd even go as far as calling Ticketmaster "Evil as a Service".
Correct, except rather than "evil" it's "market-clearing pricing". Of course many people see no distinction there.
I belive I heard that Ticketmaster let the venue set one of the arbitrary fees and then hide it amongst the rest. So I would agree that the rest of what you said sounds likely.
> If you take a closer look at your ticket, you may notice that it has a gliding movement, making it in a sense, alive. That movement is our ticket technology actively working to safeguard you every second.
This part made me want to throw up, preferably a couple of buckets full, right onto the heads of the marketing team who came up with it.
Kudos to the author of the article. Great work and a great read to go with it.
Those little blue bars are some hard workers. They don't even sleep! Just moving back and forth all day, protecting me. <3
How about the “Add to Apple Wallet” option? He did not talk about that at all, but AFAIK the ticket would be fully available offline and not in Ticketmaster app, no? It’s actually an elegant solution IMHO.
Yes, it is available offline if you “Add to Apple Wallet”.
The ticket in Apple Wallet is still revocable if you transfer the ticket to someone else using Ticketmaster’s website, probably through an update that Ticketmaster pushes to the wallet [1].
[1]: https://developer.apple.com/library/archive/documentation/Us...
Just recently dealt with this for a big Ticketmaster event. The Apple ID has to match the email address on the Ticketmaster account, or the ticket will show as Void in the Apple Wallet.
But it does solve the offline issue that the blog author was experiencing.
This sucks because obviously I‘d give them a different email address - just like everyone else. For example with the „login with apple“
OP explicitly states he doesn't want to add the ticket to a google account. Fair to assume they wouldn't want apple either.
If it's a standard .pkpass, they could use it with an offline third-party app that can view those, e. g. PassAndroid [1]. Given Ticketmaster verifies Apple ID though, as mentioned in this thread, I'm not really sure it would work.
I just added a ticket to my Google Wallet for a concert last night and it was very similar to the Ticketmaster/LiveNation app. The PDF417 barcode changed and had an animation around it. My guess is that it is the same or very similar on Apple devices.
Comment was deleted :(
So items inside google/apple wallet don't need to be 'static'?
No, I have flight tickets autoupdate when there is a delay.
I've only seen the flight data change, not the code itself.
Even that isn’t updated correctly very often. There is always at least a gate change that doesn’t update the tickets in my Apple wallet.
I like playing the game of which app has the most correct flight information. Sometimes it isn't the official airline app.
The barcode is just another field in there, so it can be updated the same as anything. Passkit is very simple. For the barcode part you just tell it type of code (from the available types) and value to encode.
With Google Wallet (the only one I have at the moment), it is not static for the ticket. It has a NFC and barcode option. The barcode changes every 15 seconds for me.
They mentioned avoiding google wallet, so we can assume android, and that apple wallet wasn't considered for not being an option for them.
The barcode in apple wallet also auto-updates.
A few months ago I went to Las Vegas to watch U2 at the Sphere. When I learned that I needed to open the app or website in order to get in I panicked in fear of the shitty internet that is common in massive events, so I opened my tickets since I left the hotel. Unless this stuff works completely offline, it is a terrible idea.
I used to work or a mobile event app company that made a lot of the big festival/conference apps. Everything was built to function locally from a sqlite file on your phone that was constantly updated when you did have coverage.
It was 100% expected that you would have no cell signal the entire event and we built in as many mitigations as we could think of.
This was 2013ish, I think there are a lot more mesh network devices that can relay signal nowadays but I'm not involved anymore in that stuff.
It was the best on-call I've ever had because.. nobody had cell signal while the event was on to complain about something.
This person complains that people didn't have network access on their phones when they were at the gate. I can only assume that they waited till they were at the gate to install/use the app so it never got its offline data.
Always open your event apps before getting to the event. Sometimes they're completely bare bones and have to reach out and pull that apps specific database so its sure you have the latest. Most of the event apps are a template that is modified for each event and just has different assets/sqlite.
...or just let us print g*d@mn paper tickets.
There's no way that I trust the developers of a company like Ticketmaster to install their app on my device.
What is the worst that can happen? I have it installed on my iPhone and deny whatever permissions it asks for.
I have enough confidence in the sandbox that "installing an app" is basically never an issue (though I don't out of the principle that most things companies have apps for just shouldn't be apps).
> What is the worst that can happen?
I don't know the worst, but juice is not worth the squeeze in my opinion. If you recall, Ticketmaster was just recently hacked, so the worst pretty much happened in that any data they had collected on their users is potentially been leaked. So if they can't protect that data, then I'm not participating in giving them data.
Sure, but the data you give them is pretty much a condition of attending their shows, not whether you use their app, Chrome, or a PC in the library to buy the ticket. Regardless, they will get some contact and basic financial info for you unless you avoid all their concerts (which is certainly a principled and defensible choice!)
They do not need to know my address, my phone number, credit card number or any of the other BS that "they need" including my name. Their website has a ton of trackers uBlock blocks, so their website is trying to collect even more data than what their "forms" request.
How would an iPhone app (I don’t know about android) collect any of that?
I mean...they tell you they do in the listing in the AppStore. Like, how are you not realizing this?
Of course they list those things as things the app 'collects,' because the app literally asks you for all that info as billing info when you buy tickets in that app and when you provide it, it collects it. The app isn't somehow extracting your personal info from some API. Yes, it's probably got the same adtech as the next app, but overall it's just collecting what you tell it.
How though? My phone does not contain my address, or my credit card number.
You don't trust your OS to sandbox it? With a threat model like that, I wouldn't use any apps other than the browser
If anyone is in the situation that they need to put an untrustworthy app on their android device, the "work profile" feature can segment it off further.
Insular is an app that lets you create and manage one of these profiles on the device itself: https://gitlab.com/secure-system/Insular
Work profile is really neat, yeah. I'm using Shelter for this, it's quite nice: https://f-droid.org/en/packages/net.typeblog.shelter/
Maybe you are using a fully open phone, but mine has an OS made by Google and almost every app tracks my location without my consent.
For the past 9 years, Android has allowed users to disable location permission per app. More recently, you can choose to share "noisy" location, which just provides an approximation of your location.
Google will never stop spying themselves but will give you the ability to stop their competitors from spying on you. Heh..
I'm an app dev. How exactly would I track your location without your consent?
For example, based on my IP address, nearby wifi networks, and camera footage.
> IP address
Great. So an app can plug my IP address into a geolocation query, and might ultimately determine that I'm somewhere in $city. Or maybe the next city over. Or maybe half a continent away.
But sure, this "works" without consent, since there is no extra step to enable networking for an app.
> nearby wifi networks
This doesn't work without consent.
> camera footage
This doesn't work without consent.
Web apps also get your IP. Why aren't you using a VPN if you care about that?
Web apps can also get the rest if you click accept when it asks for camera access. What exactly do you lose by installing an app?
From the AppStore:
Data Linked To You:
Purchases, Location, Search History, Usage Data, Financial Info, Contact Info, Identifiers, Sensitive Info.
Nope Nope Nope.
That explains nothing. I'm pretty sure it's talking about info that you type into form fields in the app. Same reason FB "links" your health info even though it has no access to the health info stored by your OS.
The same applies if you use their website. It'll still ask for that info with a web form.
> Same reason FB
...is not installed on any of my devices
I mean, that horse has already bolted..
https://www.nytimes.com/2024/05/31/business/ticketmaster-hac...
Yeah that has literally nothing to do with their app. If you submitted your data on their website, it'd be leaked just the same
You're implying that the data from the app is stored in a different more secure manner than the data from the website? That makes zero sense. The fact that they got hacked and is the only thing that matters, not which mode of input you provided the data they did not protect.
No, I'm asserting that the app acquires as much data as the website (ie. whatever you typed into their forms) and it gets leaked all the same. Refusing to install the app makes no sense if you still use the website
An app absolutely can track more data than a website. You don't have the website open/active on your phone at all times, but you have the app installed at all times, even when it's not running.
You do know that apps can record data in the background, right?
A website is also sandboxed by your browser in a much stricter manner than an app is on your phone, at least by default.
I don't have specific information on the Ticketmaster app here, but to say that an app is the same as website from a tracking perspective on a phone is absurd.
I'm an app dev. What can I record in the background? What can I track?
If you're an app dev you're more qualified than me to answer that question.
Perhaps you'd like to re-frame your comment or ask a different question?
My point is that you and the other guy are just making stuff up and spreading misinformation. At the API level, an app that doesn't have the user's explicit permission to get location, camera, run in the background, etc is not that different from a web app. My question was obviously rhetorical.
There you go, getting to the meat of it..
So your position is that an app installed on my phone is not able to track or collect any more data, and does not have access to any other information, than a website that I load in my device browser (assuming I log into that website with the same credentials I use in the native app)?
I agree that this might be true in some cases. Note that I never said or implied that an app could do things without permission - but my fault if that wasn't clear.
Now, that said, would it perhaps be fair to say that the average user is much more likely to grant additional permissions to a native app on their phone than they would to a website?
If a website asks for your location, or access to the camera or to your contacts or whatever, I think many people would refuse. There's still a sense that a website is "out there" on the Internet, and you shouldn't necessarily trust it.
But when an app you've installed on your device asks for these things, in order to "operate properly" or provide functionality, then I think people are much more likely to grant it.
After all they've installed the app on their device, they've already trusted the vendor that much, it's only an incremental step at this point.
And once the device does have this elevated access, and access to more data, then there are absolutely more opportunities to collect data on users without their understanding.
I say "understanding" here rather than "consent" because typically consent is given via some long and complicated T&Cs that no one reads. Which is of course on the user, but again if you don't grant permission in the first place (because you're on a website not an app), it's not a problem.
And we have historically seen that some companies (not all companies of course) take advantage of this app access to collect data for themselves without your knowledge. I hope that part isn't up for debate here..
As the article notes, this ticket system does in fact work offline.
Well, as it also notes, it works offline if you remember to open the ticket before you get there, and they don't (or at least didn't used to) give you sufficient warning. I found out that's how it works the hard way when it was new by having to walk a half mile back from the venue to get service to load the tickets.
There's also the chance the ticketmaster app won't work properly later even if you did do it. I've had other apps shit the bed for no apparent reason in offline mode before. I add them to my wallet now just in case.
Sure, I'm just reacting because TOTP is like the textbook example of a system designed to work without interactive access to a networked resource. The whole as TM designed it has crappy affordances, but you could fix that without breaking the design.
Ah, yeah. I’m just hoping the justice dept breaks them up and ticket sales move to something like the airline model.
Why though? Lord knows I hate Ticketmaster as much as everyone else but “airline model” sounds fucking terrible. I hope I never see the day where I’m removing belts and shoes to get into a concert.
To be fair though I always get at least somewhat reasonable concert prices by doing presale. Sign up for the artist’s “presale club” and/or get the credit cards that have presale as a perk. Get in queue ahead of time. You won’t have to deal with the dynamic pricing/public sale shenanigans that we hear about. On Reddit I often see people complaining about paying at least 2x what I paid for similar tickets.
Belts and shoes doesn't have much to do with ticket sales, does it?
I was just going to ignore it since they obviously missed the point entirely (and it's not a hard one to get) or were being disingenous.
Recent experience for a large stadiums event suggests they have fixed the notifications. I got a lot of notifications encouraging me to a) charge my phone and b) download the ticket before arrival.
Yes, they have learned. As much as I hate them they are mostly a well-run company.
Pleas notice the "completely" in my comment.
There's a faire this week in Oregon that draws people in from 500 miles away.
I've been a couple times, and what I've learned that was still not common knowledge to faire vendors as recently as last year is that T-Mobile brings out a mobile cell tower to support the faire, and no other cellular network does.
So if you're trying to accept electronic payments, the whole thing tends to fall over and you only get to sell to people who brought loads of cash and prioritized hitting your booth first. Only the vendors on T-Mobile are able to take purchases for a big part of the day, and a few other people who use the rare billing system that is fine queuing up Visa transactions until after the bulk of people leave. The line for the cash machine sucks up a substantial part of your time budget for the faire, meaning you probably miss out on some things altogether.
That's a pretty smart business move by T-Mobile, I didn't know mobile cell towers were a thing
I’ve never been clear what the main purpose of these things is but they do seem to get deployed for trade shows and such. Maybe for natural disasters?
Then there are microcells, which can be privately owned. I worked at a place that had one when I was in mobile. There was a period of time when one of the carriers would sell you one if you were having connectivity issues. It’s possible for instance, living on a hill, to have a cell signal on your roof but not in the rest of the house and they can work as a repeater.
I first heard of CoWs (cell towers on wheels) from Woodstock '99, when they tried to repeat the debacle of Woodstock '94. (AFAIK, the CoW did not work.)
The idea of cellular networks is simple: Put the "source" of the bandwidth near where the people need it.
The idea of CoWs is also simple: It's the same thing, but it's dynamic and flexible.
---
There was a time in my life when I was using AT&T as an all-you-can-eat LTE provider through a third party as my home Internet access, because reasons (and hear you me, if DOCSIS had been an option then none of this would have happened).
Armed with a hotspot device that had external antenna connectors, band selection, and a Yagi antenna, I found a cell tower that I thought to be about 14 miles away that had consistently good Internet bandwidth. It was a ton better than several other much-closer towers (some only 1 or two miles away), presumably because it had better backhaul(s).
I made quite a study of things to get that dialed in and working reliably. And it was reliable for months. But then: One day, the signal had turned to shit.
So I did the right thing and I drove over to where I thought that tower was, 14 miles out, to have a peek. And the tower was right where I expected it to be.
But there were men actively working on the tower (with ropes and stuff), and a CoW of much-smaller stature was parked there and providing (rather lesser) backup service.
Which, you know: That explained that.
---
They additionally get used some for natural disasters if a tower fails, and also sometimes for other dynamic events like festivals and concerts and such. They're pretty useful when they work, in that a tiny sliver of bandwidth is superior to zero bandwidth. When properly-managed they can reduce contention on neighboring towers so that regular people doing their regular things are less-affected by whatever dynamic event is happening nearby.
Off topic (though the post does go into it a bit): Ticketmaster's current form is entirely due to a failure of government. Decades from now, case studies will be written on how one company managed to have a monopoly on an industry that is so not a natural monopoly.
I recently purchased tickets via SeatGeek and was provided a link to one of these barcodes, which accepted as a querystring parameter an access token that seemingly had a long expiration attached to it. It was hosted on “downloadmytickets.com”, which doesn’t look legitimate and caused me to do this same type of analysis to see how it all worked. Whether or not this was a way to bypass the “security” to enable sale via third parties, or just a very untrustworthy-looking official domain, I don’t know. But in the end it worked fine at the venue. Definitely more stress involved than I would have liked though.
Yes, these systems are getting more popular recently, I believe they are typically being run by large ticket broker platforms.
I don't know about the specific site you mentioned, however the large broker platform Automatiq runs a number of domains like this, where they effectively proxy the original ticket token, recreate it with TOTP just as in this article, and display it to any user who has the right link in a similar format to how TM displays it. They advertise this service as "Transferless Delivery" to their ticket reseller customers. The main Automatiq one is called "secure.tickets".
It reduces work for sellers, because they never even have to transfer the tickets out of their Ticketmaster account anymore. Of course, it's horrible for buyers because they have no idea whether the random website link they were sent is actually going to serve them a barcode corresponding to a real ticket or not, or whether the site will be up, and they have no rights to the ticket as far as the primary ticket issuer (TM) is concerned, buyers don't even know the name on their own tickets.
Seatgeek and StubHub seem to be aware of these systems because of how closely they work with ticket brokers, and just coach customers to accept them if they are from any of the domains known to them. See https://support.seatgeek.com/hc/en-us/articles/2074030716443... the Automatiq site is called out specifically on that page.
> My phone has no internet connection...
Who thought it was a good idea to require an internet connection at an event. For anything, not just ticketing. It is as if the people who designed these apps never went to a large event.
No internet is the rule, not the exception. Sometimes, you can't even send a SMS. Apps designed for use in events should always work offline, and if internet use is justified, take into account latencies in minutes and use bandwith sparingly. Failing to do that will make the experience terrible for everyone, as bandwidth will be saturated by thousands of phones trying to do something with that damn app.
At least Ticketmaster does it somewhat right here. The app is supposed to refresh the ticket 20 hours before the event, to account for the fact that the internet may be unavailable at the gate.
> There’s no risk that your ticket won’t get you in
Isn’t this not true? The risk with printable tickets is that a seller could sell it to multiple people, who all print it out, but then only the first person who uses it can get in?
Even if the venue doesn’t check to see if a ticket has already been used, only one person can sit in the actual seat.
Previous sentence:
> If you bought the ticket off the event’s official ticketing agency (not a sketchy reseller)
> The risk with printable tickets is that a seller could sell it to multiple people, who all print it out, but then only the first person who uses it can get in?
Note that the portion of that you're quoting that you didn't quote is "If you bought the ticket off the event’s official ticketing agency (not a sketchy reseller)"
I.e., we're specifically talking about someone holding a ticket that they purchased from Ticketmaster. If there are multiple copies floating about, presumably at some point the artist (/the actual event) is going to be unhappy that Ticketmaster is screwing their fans/attendees over.
Ticketmaster has a system for transferring tickets, if you want to buy or sell tickets.
There could very well be a reason for someone to only sell a physical ticket, or not transfer it through ticketmaster, but I have yet to find anyone but scammers that want to do that.
The reason is, just as you mention, that scammers will try to sell multiple tickets. Then one (or many) sucker turns up to the avenue, only to discover that the ticket has already been validated.
>Ticketmaster has a system for transferring tickets, if you want to buy or sell tickets
Sure, and it is terrible.
They can block you from transferring the ticket you bought, and can set a minimum resale price (effectively ensuring you cannot recoup anything)
You should to own what you purchase, simple as.
Comment was deleted :(
>is that a seller could sell it to multiple people, who all print it out
They can't "print it out" because it's a rotating code.
> "The risk with printable tickets is..."
Let's face it, the real problem with ticket sales is scalping. OP may not like Ticketmaster, and doesn't want to install the app, but the majority of fans don't have a problem with that. The real problem for most fans are the scalpers who push prices out of their budget.
Of course we all like to dream up all sorts of technical crypto solutions to this, preferably decentralized to remove evil Ticketmaster from the equation. But I don't think the ticket scalping problem is a technical problem per se. I believe it is because tickets are currently sold under the wrong terms, which encourages scalping.
A possible solution could be to make tickets non-transferable, but always refundable. So only you (the buyer of the ticket) can use it, but you can't resell it. But if you decide not to go, you should be able to refund the ticket to the ticket office for full price. The ticket can then be sold again to someone else, for the same price.
Now, of course this is a naive idea. There are many practical and technical challenges to it, not to mention the politics of the entertainment industry. I'm not too familiar with the event industry, so I'm not sure if this would even align all the incentives, but it would benefit the fans and the performers who care about their fans.
> tickets are currently sold under the wrong terms, which encourages scalping
The incentive to scalp arises from the likelihood that a ticket will be worth more in the future (buy low, sell high) and that future worth is established by scarcity (sold out shows). To help eliminate this likelihood, the original price (face value) needs to decrease over time, ideally in such a way that the final original ticket sale occurs right when doors open, because the sooner that occurs, the bigger the opportunity for scalping. "Dutch auction" [0] is one implementation of this concept, though it's typically to find the most money a single buyer will pay, whereas in this case we have thousands of buyers. Perhaps the rate at which the price declines could be dynamically adjusted to aim for N% sold when N% of the on-sale timeline has elapsed, for any N.
The problem is convincing promoters/etc. that this would be as profitable for them as the status quo. But it might be!
This is terrible - right now the random 17 year old middle-class kid at least has a small chance of getting a somewhat reasonably priced ticket to a popular show. In your model, they have zero chance.
Auction models are good for price discovery but this isn’t a price discovery problem, it is a supply problem. Believe it or not, artists don’t always want to maximize revenue from a ticket, they want fans from lower income brackets to be able to attend as well.
Suppose, for simplicity, that you've got 2 types of people: price-sensitive (your 17yo) and price-insensitive (let's call them rich). In reality it's a gradient, complicated by emotional aspects, but I think just 2 cohorts is sufficient for this explanation.
If face value is constant over time (i.e., the current model), scalpers can buy at any time that original tickets remain available. If they predict huge scalping margins, they'll buy up tickets ASAP, competing with the 17yo buying ASAP. And scalpers are more likely to have bots/scripts to help get in the moment tickets go on sale, putting them at an advantage over the 17yo. The 17yo probably ends up finding that the show has sold out to scalpers, so now tickets are too expensive. If the scalpers overbought, they'll eventually let the tickets go at reasonable prices (maybe even below face value) as the event nears, so maybe the 17yo has a chance that way, and many seats will be empty. If the scalpers underbought, great.
If face value decreases over time (i.e., my proposed model) from the original seller, then you've sort of got the exact same thing going on in terms of the rich buying early and the 17yo buying late, except the 17yo has one less middleman to contend with. Less chaos. Authoritative information about how many seats are yet to be filled. Bots that simply react to slow price changes like a human could, instead of bots that rush the release of tickets faster than humans.
In either model, the rich get their way and the 17yo gets whatever is left. But when well-controlled, this gap can be filled through need-based programs, student programs, etc. -- Broadway has some examples. These programs can be layered on top of, as they are orthogonal to, eliminating the incentive to use bad bots for scalping.
I don't have all the answers, but as someone who has been a musician for 30 years, programmer for 24, FoH audio engineer for 21, stock trader for 15, booked several shows, and buys tickets to shows every month or two, this is something I truly think could benefit the ticket-buying experience without excessive downside. The prices don't need to be astronomical (i.e., for the richest of the rich) when they first go on sale. They just need to be set, and reset continuously over time, so as to have N% be sold equal to N% of sale window elapsed, with the window ending at doors; sales would be almost exclusively to genuine show-goers because scalpers would almost exclusively be bag-holders.
Let's make this easy. There's 1000 people who want to go to a concert and there are 100 tickets. Of the 1000 people who want to go, every 100 of them is willing to spend $10 more, starting at $100. So the first 100 will pay $100, the second will pay $110, etc.
If the concert is priced at $120 there are 200 people completely priced out, but there are 800 people who will pay. The tickets are released, they all scramble for the tickets, some from each of the 8 cohorts willing to pay the price are able to attend.
If the concert is priced the way you described it, all 100 tickets would be bought before the price ever goes below $200.
There is simply more demand than supply. The only way to fairly distribute that, if that is what you want to do, is by the lottery-esque system we have now.
If we will have a lottery, then it should be a sensibly managed lottery, not a scramble gamed by bots.
Agreed. So how do we do that? ID verification?
> Let's face it, the real problem with ticket sales is scalping. OP may not like Ticketmaster, and doesn't want to install the app, but the majority of fans don't have a problem with that. The real problem for most fans are the scalpers who push prices out of their budget.
No, the problem is artists wanting to falsely advertise low prices, and using gimmicks like first-come-first-served ticket sales and "scalpers" (usually fake, sometimes hired by the artists themselves) to do it, and the "fans" buying into this whole false narrative. If artists would honestly sell, and fans would honestly buy, at the actual prices, then the whole kabuki play of "evil scalpers" could be avoided.
but how would the artist continue to pretend to be close to The People?
The problem is scalping.
Unfortunately, this "solution" is Ticketmaster cementing their control of the ticket marketplace and spying on their users.
And (and I think you were implying this), Ticketmaster giving themselves complete control over the still existing scalping market which they use to boost their own profits without any benefits over the standard scalping market (arguably also including further downsides).
Yup, they finally outscalped the scalpers. What a windfall the covid push to ban cash and digitize tickets was for them.
Yes, non-transferable tickets would fix the scalping part of it. I'm guessing the face value would go up a lot in that case, and that's fine... at least it's an honest market then and ticketmaster cannot pass the blame on to the scalpers.
> The real problem for most fans are the scalpers who push prices out of their budget.
Isn't that the market sorting itself out? What do you want, planned economy? How is fixing the price on a ticket different than the soviet union stamping prices directly onto manufactured items. I meant this to be sarcastic, but it's only half so, since I find the comparison appropriate, you know free market and all.
> What do you want, planned economy?
Every world economy is a mix of a market system and a planned economy. No economy is a pure market or a pure planned economy.
Nice reverse engineering! As a hacky way for the non-tech-savvy, couldn't you use a temp account to create ticketmaster account and then buy the ticket and then sell the temp account information to bypass their rules?
This reverse-engineering also breaks if ticketmaster forces venue staff to only scan if the barcode is in the ticketmaster app. Unless you create a lookalike app to trick the staffers.
I am not an expert, but I think one of their layers of protections (that is, to ensure that TM itself gets the greatest share of scalping money) is applying much greater scrutiny to freshly-created accounts when it comes to the in-demand events. I'm not sure how they effectively bootstrap new legit users of course, but I've been offered I think around $100 to sell my Ticketmaster account, which is old. (I can't recall how they found me, perhaps it was an ad just stating that they'd buy an account older than X years).
> bootstrap new legit users
Phone number? The friction/expense of a scalper getting a new one for every sale would seem sufficient. Although I guess the scalper could reclaim (via password reset or whatever) accounts after the show to some extent.
Good luck forcing a check like this at a busy event venue.
I once paid at Starbucks with the Apple Wallet barcode appearing in a photo of my phone displayed on the back of a DSLR. Plopped my not-remotely-iPhone-like Nikon D800 on the counter lens-down, LCD-up, barista scanned it without a second thought.
Great read, though I am compelled to comment on this ad-hoc date/time conversion:
$ date=$(python3 -c 'import datetime; print(datetime.datetime.fromtimestamp(1707074879).isoformat())')
$ date -Is -d @1707074879
Great article indeed, but that python line triggered me too.
It's a good reminder though. We are all smart individuals with wealth of knowledge, but we never know everything.
It's one thing for customers phones' wifi issues to be a problem, but it's an even worse problem if the scanner itself needs reliable connectivity. That makes me wonder if there is some kind of delegated deterministic derivation step in the secrets too (which wouldn't be obvious in this kind of analysis), so that the handheld scanners can avoid an on-line dependency.
They needed reliable connectivity in the previous scenario (checking barcodes against a central db) - they just setup a local private wifi network for the handsets and all the venue devices.
Otherwise I can't see how you would avoid replay attacks.
You can do time-based binding. Many TLS/Quic 0RTT take this approach; where the signature is only valid for a second or so. It's not as good as a real strike register, but probably ok for this kind of environment. Of course the barcodes would need to be more dynamic, but that's doable.
Comment was deleted :(
I don't understand how they're allowed to get aorund the first sale doctrine?
Once I buy a ticket, it's my property. I should be able to sell it, by any means I want, to any person I want, at any price we agree upon.
Just addressing the how: the first sale doctrine applies to copies of copyrighted works, not to tickets.
OK, but the "first sale" doctrine really just says that copyrighted works are like any other item that is bought and sold?
So I haven't read their fine print lately---is Ticketmaster is not selling you a ticket, but a non-transferrable license to attend the event?
And they do not have to sell you bulk tickets that makes scalping a viable business
They want to monopolise scalping
v2 of this will require an Android/iOS app which will make use of the platforms secure storage abilities for the key.
On non-rooted devices, those are pretty much impervious to the user trying to inspect their contents.
And this is why those companies love DRM'd (non-rooted) devices and try to detect when you broke this form of DRM: you can't get at your data, not even to make a backup of it; they're in full control. Also for security (can't grant root to malware if you don't have the permission to grant that), but also for everything else
You could extract the barcode at all times in the future by setting the system clock (you can do this on non-rooted phones, and keep it that way at least if you do it in airplane mode).
The Android docs mention a "secure timer" in the hardware security module, but I'm not sure that it can be used to prevent this.
https://developer.android.com/reference/android/security/key...
>Software developers are the wizards and shamans of the modern age. We ought to use our powers with the austerity and integrity such power implies. You’re using them to exclude people from entertainment events.
I can definitely think of worse things programmers are doing aside from making it mildly difficult to see Taylor Swift .
I have personal qualms with working in certain industries because of this, but Ticketmaster ultimately provides a luxury. You don't need to see a concert, and if you have such an issue with their business practices you can do something else with your Friday night .
I've actually never had an issue with Ticketmaster. At a point a certain other ticket provider just blocked me without any explanation, and I had to go down to the box office to buy tickets. That sucked, but compare to airlines who do weird things like print off tickets without the actual seat number, Ticketmaster doesn't bother me too much.
You’re not considering the stagehands and artists who have to live under Live Nation’s vertical monopoly. I was chatting with a former tour guy the other day, someone who’s been a tech for major touring bands since the ‘80s, and he mentioned that he had to quit the business because Live Nation had driven wages down below poverty level while bringing in random unskilled labor to do highly-technical stage setups. (He quit after almost losing a hand to a large piece of unsecured stage equipment.) The enshittification of modern life is an inconvenience to most of us, but life and livelihood to many others.
> Ticketmaster ultimately provides a luxury. You don't need to see a concert
I don't agree. Entertainment/recreation is a need. Music is an important part of the human experience, and seeing it live, with other fans, is really valuable to some people. And the fact is, the value a person places on the experience is totally orthogonal to their ability to use/afford Ticketmaster. And it's not just about Taylor Swift - even local shows can be difficult to access without quarrelsome online portals. (But also, someone being obsessed with Taylor Swift isn't a personality flaw.)
You can find a bar with a band playing. I suggest Kingston Mines if you're in the Chicago area.
Ticketmaster doesn't own have a monopoly on music. You can vote with your wallet.
> even local shows can be difficult to access without quarrelsome online portals
Not all of them, but online ticket is a convenience and then a trap. It isn't going to be outcompeted by me "voting with my wallet." That just betrays an ignorance of situation.
"Fed up with high prices and long lines and ticketing SNAFUs for big shows with your favorite artists?"
"Clearly, the best answer to this is to forget about all of the music you think you like. Just forget all about it."
"Instead, go to the bar and see a band. It doesn't matter if you like the music or not; after all, we know that every live music performance is exactly the same as any other!"
Honestly you might even have a better time vs paying for seats where you can't even see the act.
https://help.ticketmaster.com/hc/en-us/articles/978498452737....
I go to a lot of concerts. Ticketmaster covers half of the shows I go to. They're not that much worse than others who also tack on fees amounting to 20% of the purchase price.
I'm not opposed to basic regulation, but let's not act like Ticketmaster is some uniquely evil company.
Nope.
I'm going to keep going to see Big Rock Shows because that's what I enjoy the most. And I'm going to keep getting GA tickets (what seats?), because I am nowhere near old enough to stay out of the pit once my pant legs start flapping from a grotesquely overbuilt PA.
And in my neck of the woods, bands at bars can't scratch that itch.
So that means paying (and complaining about) Ticketmaster.
I agree that experiencing music is a fundamental part of human life, but experiencing specific musicians at specific venues is not. It is very easy to find free live music without Ticketmaster or online portals.
> It is very easy to find free live music without Ticketmaster or online portals.
Oh okay, nevermind then. Heck, I just found some under my couch. How does Ticketmaster even make any money?!
A $COACH_COMPANY in the UK has recently announced that they are moving to only app-purchased tickets. Except tickets purchased directly from the driver, which is VERY expensive.
Well, F.U. $COACH_COMPANY. I don't want to have to install your app for that, but I guess I won't have any other option if I need to get to the airport.
What is one supposed to do if they don't have a smartphone and/or an internationally accepted bank card?
> "Screenshots won't get you in"
I'd say this highly depends on the fastidiousness of the ticket taker and the rules of the venue. I purchased Major League Baseball tix recently through my employer which uses a 3rd-party seller site that has restrictions like this (a moving graphic behind the barcode with the admonishment not to take a screenshot because it won't work).
I was unable to attend the event that night so I sent my wife a screenshot of the ticket. Two tickets, in fact. They were taken with zero issue.
> I paid three hundred US dollars for this high-tech experience.
That's a good incentive for companies to keep up with the "high-tech experience".
> Software developers are the wizards and shamans of the modern age.
No they are not. The big difference is that wizards and shamans closely guarded their secrets to keep their position secure, while software developers will happily give them away to as many people as possible.
This means that software developers as such have close to zero leverage.
A system like that could work in an entirely disconnected mode where the "ticket" device has a cryptographic token whose signature can be checked at the door without either side having internet access. The weakness of that system is that you can't "revoke" or sell tickets. Such revocation would be possible though if either the ticket or the validator device is internet connected.
I saw the New York Red Bulls play not long ago and had to use Ticketmaster's system for the first time. I travel with a tablet, not a smartphone, and I was expecting trouble. Turns out the only trouble I had was that they didn't want to let me in with a tablet but they did when I explained my ticket was on my tablet. It did require an internet connection but Red Bull Arena has great WiFi so that was no problem.
> Based on this, it might be reasonable to assume the rawToken is only valid for a 20 hour period
Bet your bottom dollar it’s good for 24h and they added 4h of buffer in their API guidance to handle admissions after the start of the show “for free.”
Not that this really gets you anything, just made me chuckle.
One things this articles kind of misses: You need that unique token... Ok, you can get it in some way.. But ticketmaster should keep it private, then, even if you know the algorithm. You still cant do a lot without the token......
So he reversed engineered it, but its still secure: You need the token.
It's a little bizarre to me that they are annoyed at being dependent on the signal but want to avoid Google Wallet because ... privacy? What privacy do they have so far? I can understand keeping your credit cards off of it, because Google is obviously getting a list of all your purchases. But there's nothing really private about having a ticket to a concert through Ticketmaster. They "take your privacy seriously" and sell your information to commercial partners and send you offers of things they think you're interested in.
What I find really interesting is that there are so many scams that that the rejection of tickets is common enough to go unnoticed. Someone testing out their new "F-ticketmaster" ticket generation tool is free to test it in the real world. If it doesn't work they will simply be turned away the door like so many others who have been scammed. Nobody would notice the test.
But if each ticket is for a particular seat, would ticketmaster notice if too people came with tickets for the same seat? I bet not. I bet they just trust their ticketing system to be foolproof. If anything they might just reject the second ticket without any way to know which was authentic.
Reading this reminded me when last year I found a few old venue printed ticket stubs to concerts I went to the in the late 90's and 00's. I almost threw them out when I realized they weren't really taking up space and could be maybe put into a collage or photo/scrap book. I just suppose I find it laughibly absurd that something as mundane as a ticket stub was replaced by an energy wasting Rube Goldberg contraption that doesn't do anything for the person who wants to go to the concert.
I agree with the bad implement but the opening complaining that "old way of printable tickets was great why change it" have so many problems.
Scalpers are the problem that you have to accept. At the time of purchase, there's no way to tell the difference between a legit purchaser and a scalper or even someone who bought it and simply can't go and needs to resell.
IDs, ticket limiters, CCs, etc, etc. All methods can be circumvented by someone dedicated enough. You can only make it "not scalable" but the tickets still need to be transferable, securely.
Unless we're willing to go ID checking at the gate, there's not going to be a true solution.
Buying something at a low price and selling it at a high price is arbitrage 101 and is free money.
The "true solution" is to sell tickets at their actual market price instead of pretending that the face value of concert tickets isn't increasing due to a larger population and greater demand.
People will scream (including in this thread) that it’s “unfair” that ‘only the wealthy can afford them then’ but their beef is with scarcity and thus with reality. It’s always “unfair” to the 10,001st person who wants to attend the concert with 10,000 capacity. Today it’s a weird lottery with 6 different fan and credit-cardmember presales, which each sell out immediately, and the “backstop” at the end which is the ability to buy expensive scalped tickets.
There are finite tickets but unbounded demand. A lottery means you can slightly adjust the distribution of poor vs rich, but in practice today it still advantages those comfortable enough to sit around refreshing their computers at the right moment, instead of working. And lots of opportunists will snap up those tickets you are hoping poor people will get, to sell them to the wealthy.
In my opinion for in-demand shows it should just be a Dutch auction (all of the highest 10,000 bids win, awarded at some fixed cutoff date before the event). If not enough bids are received, the concert isn’t sold out, so then the rest go on sale for the lowest bid.
A dutch auction is really hard because different tickets have different prices, different people have different requirements about where they want to sit (a committed disabled fan may be willing to pay any price, but they can't do standing only) and there are many different price tiers.
A better idea is an airline-style dynamic pricing system that considers different variables, current demand, projected demand, type of seat etc. If it looks like the show is about to begin and there are still lots of tickets left unsold, be like Ryanair and sell them at a massive discount. If there are more people on your page than there are seats available, make the price go up until that changes.
The simplest way of implementing dynamic pricing is a resale market, where the price of tickets changes based on supply and demand.
Sure, it perfectly sets the market clearing price at all times, but it has the inefficiency that the performer can end up with only a fraction of the total amount the attendees are willing to pay. All those middlemen add value not in a way that feels fair, like collecting a percentage fee. Rather, they get all the upside whenever popular shows sell out. I can see why artists don't like that.
> The "true solution" is to sell tickets at their actual market price
That is *a* solution but it isn't *the* solution. The fact that many smart people are not choosing that solution is an indicator that there are some factors to the problem that you aren't considering.
> Buying something at a low price and selling it at a high price is arbitrage 101 and is free money.
A bit of a nit pick, but this isn't "free money" unless you have a guarantee that someone will actually buy at the higher price. You could buy low, be unable to sell, and end up eating the "buy low" cost.
> sell tickets at their actual market price
How do you know what their actual market price is? You have to open it up to a market, where supply/demand get to play out.
IIRC some ticketing company tried doing something to this effect by scaling prices in realtime based on how many people were also trying to buy. I believe it was widely criticized as unfair/exploitive.
So you're back to square one then, where you have to set some price.
I mean, it may very well have been criticized, but how is it any less fair than the alternative? As for being exploitative, that's kind of the point. The company figures for most shows it's leaving money on the table for scalpers to take. The other side of it is that if a show bombs the ticket prices can be reduced to encourage people to come.
To be honest, it seems overall a better solution.
It's interesting how the real problem here is that our economic system has no way to sell a product at what the seller will bear, only what the buyer will bear.
I think this is a fascinating feature, a lot of artists would be more than happy to make $X for a show so that their fans can come see them. The problem ends up that a free market has no mechanism for that, the artist can sell the tickets such that they end up with $X but then you get things like scalpers who don't want to see the show but do want money and act like artificial demand. They know that regardless of what the seller wants there are buyers that will pay $X+N and want to capture that $N.
The scalper provides no value to the market, but they get $N, which seems like a market failure to me. The fans lose $N, the artist still only gets $X and they also get reputation damage because fans are upset that things cost $X+N.
And that's just the end of it. The artist literally can not perform for their fans at a venue for $X even if that's what they want, there's just no mechanism in the free market to make that function correctly. I find market failures like this fascinating because it really shows the limits of how "free" markets operate. The only person that isn't free to do what they'd like is the producer of the good being sold, they literally can't sell it for less than the market will bear.
And I suppose this plays out for every part of the market, if I can produce apples and make a profit for $1 a bushel and that's plenty of money for me, I don't want any more, tough shit. Arbitrage will make sure that people pay more for those apples. If people are willing to pay $5 a bushel then someone will snap up my cheap apples, mark them up and make a bunch of money for doing nothing. Even if I were willing to do all the distribution myself, if the person conducting arbitrage adds no value to the system (the common argument being that they deserve the money for finding cheap apples and connecting people that demand apples with a supply of apples), it just can't happen. The incentive to make that free money means everyone loses, I don't get to give people cheap apples, people don't get to enjoy cheap apples, everyone is worse off except for the person doing arbitrage.
The scalper provides no value to the market
The scalper allows the devoted fan who is gladly willing to pay $X+N to actually get a ticket rather than having to wake up at 6am and repeatedly refresh the site and probably still not get one.
I find market failures like this fascinating because it really shows the limits of how "free" markets operate.
How would central planning handle this better? There are more people who want to buy a ticket at $X than there are seats available; lots of people are going to be unhappy regardless of how they get distributed.
A devoted fan will have no issue to wake up a 6am and try to buy a ticket. They'll have more chance to get one if they don't have to compete with scalpers. Half the tickets could be sold as first arrived, first served, and half as a lottery system. The ratio might be adjusted.
If we agree that scalpers are a problem, we can make it illegal to resell ticket over the original price. Enforcement is always a problem, so to help with that it could be required to have an ID matching the ticket name and resell can only be performed on official platform.
To grantee having a ticket with this system, a wealthy or connected devoted fan can have private arrangement with the artist manager or event organizer to get tickets.
> To grantee having a ticket with this system, a wealthy or connected devoted fan can have private arrangement with the artist manager or event organizer to get tickets.
This is the system we have right now. Ticketmaster is the event organizer.
"A devoted fan will have no issue to wake up a 6am and try to buy a ticket."
Oh really? What if they are at work at 6am? So take a day off work? You just greatly increased the dollar cost of the ticket, which is exactly the thing you are trying not to do. And even if they take the day off to click at 6am they aren't guaranteed to get a ticket because of everyone else clicking at 6am. There's always a cost
Well just to be clear, I didn’t say central planning would solve this problem. A careful reading of my post would show a distinct lack of the term “central planning”
You can be interested in market failures without proposing an alternative. Complex systems are fascinating and their boundaries and failure conditions are fascinating. That’s all I’m talking about.
Fair enough!
I also wanted to say that I appreciate your original reply and your civility. Sadly a rare thing these days.
People don't understand that the free market system is essentially a law of physics. You saying that a producer/seller of a limited good (in this case, space in a concert venue) cannot choose their own price is true, like it's also true that a person can't decide whether gravity pulls them down or not. You explained it pretty well yourself, the effect of supply and demand is unavoidable
I wonder though does it have to be limited. Like imagine I could make enough apples to fully satisfy the market demand for apples and I’m also willing to sell to anyone.
I want to sell those apples for $1 each. There’s plenty of apples to satisfy the demand. But let’s say that the market would bear a higher price, people would love to buy apples for $1 but due to a love of apples would be willing to pay up to $5.
In that scenario, the arbitrage opportunity still exists. Apple scalpers knowing that people would be willing to pay up to $5 would want to buy up lots of cheap apples and make the $4 profit that I’m leaving on the table for themselves.
And there’s just nothing we can do about it. I think we’d say that when the equilibrium price of $5 is met that the market is efficient but it’s a market where the producer of the good can fully satisfy the demand of the market for $X and yet the consumers have to pay $5X and this arbitragers get $4X.
It’s just interesting is all.
If you are able to perfectly meet demand why would anyone pay more than your price? What service or improvement are the arbitragers providing above and beyond what you are providing that incentivizes people to pay more than your price?
If you have 10,000 people willing to pay $X to see a concert, but you only have 5000 seats to sell at $X, not everyone is going to get a ticket.
Our economic system (arbitrage!) increases the price of the apple by $N until only one person is willing to buy that apple at $X+N.
If you make arbitrage illegal and implement a price ceiling at $X, one of two things will happen. If $N is greater than the cost of breaking the rules, people will start a black market to sell at $X+N (like in many communist countries). As mentioned in the article, this is already occurring with Ticketmaster because they take such a large tax on tickets; arbitrageurs are realizing they can avoid Ticketmaster's system by just sending around PDFs.
If $N is less than the cost of breaking the rules (Ticketmaster benefits from $N>$X), there will be shortages of seats because not everyone willing to pay $X for a seat can get one.
The market system works great when people who derive the most value from tickets are the ones who pay the most money. This works even better with arbitrage because people can just pay what they value the ticket at.
The market failure here is caused by wealth inequality, because there are people with unfathomable amounts of money who will pay tens of thousands of dollars to see a musician they sort of like.
Personally, I like how box seats deal with the problem. They have a high level of luxury that costs little to implement compared to price + is very scalable (you can stack boxes directly on top of each other and you're paying more to sit farther away!), and that's helping soak up a lot of demand.
Thanks for the thoughts they are also interesting.
Sorry I saw your comment after I wrote this reply to someone else, I’d be interested to hear your take on this hypothetical situation too if you don’t mind. https://news.ycombinator.com/item?id=40911779
I agree with you though about the idea that the market works well when those that receive the most value spend the most money. While we have very high rates of wealth inequality, which also seems to be something of an emergent property of this system, once you have even medium amounts of inequality the system becomes interesting. I think expanding on your thoughts it comes down to the relative value of money being different for different people. If I have $100 then $10 is a LOT of money, it’s 10% of all my money. If I have $1000 then $10 is probably not a lot of money to me, not trivial but it’s only 1%.
Now this is an order of magnitude but if you asked someone if a system where the wealthy had 10x as much money as the poor they’d probably say that the inequality wasn’t so bad. But even in that case the guy with $1000 would probably be willing to spend $11 on some good that the other guy wants maybe infinitely more, just because that guy can’t really afford it.
It’s a fascinating way of looking at things I hadn’t quite ever thought about in terms of relative value of money itself. I don’t have any real point I’m making here, just thanks for contributing I found your reply interesting and it made me think.
IOW the true solution to scamming is to raise prices so high that only the extremely wealthy can afford them, regardless of how accessible the actual concert/act/group/promoter wants the show to be.
The "real" solution here would be for Ticketmaster (or whoever) to actually make a ticket non-transferrable somehow, and then allow for tickets to be transferred directly through the original website for at most the original ticket price, and refund me the money.
For example, if I have a $200 ticket and I can't make it and want to sell it, I can post up a link to the original ticket seller's website (in this case Ticketmaster) where someone else can go buy it, and, if they do, I get a refund of the amount they paid. I can say how much I'm willing to accept (full price, $150, whatever) and someone can go buy "my" ticket, potentially at a loss if I'm willing to accept it. Ticketmaster can make money on these tickets by charging a non-refundable processing fee or whatever to everyone (the original buyer and any subsequent re-buyers). They make a tidy profit, everyone gets what they want.
The only complications are
1. making the tickets non-transferrable but also work offline is a difficult technology problem 2. Ticketmaster is an unregulated monopoly and thus has no incentive to behave in the best interests of the market or its customers when they could rake in millions more by screwing everyone except the scalpers
Can’t someone hack your system by selling access to the link you mentioned for $500? Thus getting you the refund Ticketmaster knows about, and the private payment from the desperate buyer. Also, credit card processing fees used to be refunded when you refunded a transaction, but now I think some processors have now decided to start keeping the fees, because why not. Another 3% margin to apply at each sale (though that can be included in the transfer fee you suggest)
>Can’t someone hack your system by selling access to the link you mentioned for $500?
Not if they index the resales on their website and make them searchable.
People could still perform arbitrage by snapping up any resales significantly under the original price and reselling them at the original price, but at that point they're not making that much money and people are paying less than the original price, so the impact is just that you can't get a discounted resale. Which still sucks, but it sucks a lot less.
As far as I understand, this can't be done due to PR.
"evil scalpers are exploiting this poor artist by charging outrageous prices and preventing many fans from going" is a far better look than "evil artist is exploiting their poor fans by charging outrageous prices and preventing many fans from going."
To prevent scalping, you'd need a massive price increase, and very few artists are willing to be the first to do this.
The market sets a clearing price for the ticket as commodity (i.e. for a single event). However, the iterated game that is the spectator-performer relationship, the seller may _strongly_ prefer yielding some of their benefit to the buyer in exchange for long term EV, positive PR, or just plain old goodwill.
The problem is maintaining a mutually-beneficial but economically suboptimal equilibria.
The reason they don't do that is to have an organic fan base of poor people who drive up the prices for the rich people. If you eliminate the poor people, the rich people aren't going to take the band forward. They'll move on to whatever the next shiny thing is. You need a hardcore fan base of poor people to support and grow your valuation.
Buying a single-use item at any price and then selling it on at any price to multiple people is fraud.
Fiddling with the prices does absolutely nothing to fix that problem, because it isn’t a problem with price, but a problem with developing an unduplicatable token.
Ticketmaster is evil, and most resellers are fine, but some are evil and that’s a problem this at least attempts to solve.
It's only free money if there's no risk, and if there's no transaction cost to acquiring at the lower price. If there's no risk in buying something low and attempting to sell it high, then that thing is mispriced.
That's because there isn't a difference between a "legit purchaser" and a scalper except their intentions, which you can't get from amy kind of barcode.
> Scalpers are the problem that you have to accept.
Several European countries ban reselling tickets for more than the original cost.
> TicketMaster markets their SafeTix technology as a cure-all for scammers and scalpers
Scammers - yes; but how scalpers? Does this mean there is no way to resell or give the ticket to another person?
Edit: The answer was couple of sentences later; looks like yes, unless via an official marketplace. I like this even less than scalpers.
"SafeTix makes it harder for people to resell tickets outside of TicketMaster’s closed, high-margin ticket-resale marketplace, where they make a boatload of money by buying low and selling high to customers with no alternative."
> Shame on you for abusing your talent to exclude the technologically-disadvantaged.
Very minor nitpick: I don't like the term "technologically disadvantaged" here. While it is undoubtedly true that there are many people who are without smart phones due to economic reasons, or because their battery died or their phone was just stolen ... there are also lots of people, myself included, who would CHOOSE to forgo a smart phone when attending a concert / event.
My wife and I live in a city with a Caesar's hotel and casino within walking distance. When there are shows and concerts we are interested in, we don't hesitate to buy tickets. When we go to such a show for a date night, we would like to leave our phones at home. Some of this might be due to our being middle aged, and so we're not glued to our phones 24/7, but it's also just a hassle to bring them through security, and to often have to put them in those lock bags because they don't want people recording etc.
So to us, e-tickets are evil for no other reason than the fact that it assumes that we want to have a phone on us and to use it as a ticket. I will happily pay the fee for a physical ticket whenever available.
People always cite exclusivity deals / monopoly power when it comes to Ticketmaster's dominance, but I also recall reading post-mortems about several failed competitors that indicate the problem Ticketmaster solves (massive spikey demand with strict guarantees on the seats selected) is quite technically challenging. I know, it doesn't seem like it would be that hard to solve, you're probably already thinking how you would do it. But you can't ignore that many others have tried and failed.
I got tickets for a concert in UK, which could only be bought if you had UK Ticketmaster app. No, the international version of Ticketmaster app did not have these. Had to get me a blank Android phone, had to initialize it pretending I'm in UK via VPN, so I can see the UK Android Playstore (got my phone number blocked by Google in the process - "too many verifications from this number"). Then, it finally let me get the tickets and actually see the dreadful barcode in the app.
This is horrible. Please stop.
Impressive. I had no idea mobile-only tickets are a thing. For me it's always been the other way around because sometimes some events would insist on a printed ticket even if it comes as a PDF with a barcode. This sort of thing became annoying enough to me that I bought a printer.
But then ticket resale online marketplaces aren't a thing around here either. When people resell event tickets, it's usually an entirely DIY affair.
> They can’t have robust DRM on their tickets if those tickets can still be viewed offline.
Of course they can. All they need is a secret key embedded somewhere that the app can access but you can't. It's just a happy circumstance that they used a simple protocol in which the key is easily extracted. But they could have used a proper PKI protocol instead, which would have made it much harder, if not impossible, to hack.
If the app can access it (offline, on your device), then what stops a developer from using tools to extract the token from the device, either from wherever it's stored in memory or using an interactive debugger to extract it as the app requests it?
Nothing stops a (sufficiently motivated) developer from doing that. But it will stop a muggle.
Great post. While I'm all for messing up greedy companies, this is a clear example of why JavaScript should never be used for security. Executing the code locally, plus the ability to read the source code, fundamentally goes against securing your application. It doesn’t mean that not having those will make the application more secure, though.
Another case of abusing ToTK, an excellent technology that promised convenience, security, and offline access. Similarly, Duo builds their stuff off ToTK and then fending off (or makes it very, very hard) you from using a third-party ToTK authenticator with their sites. This company just jettisons the fine promise of available offline that was made by ToTK.
Tears of the Kingdom?
TOTP?
Very cool post, but as someone who has been on the other side of the situation, I do have sympathy for what they are trying to accomplish.
I bought a ticket that someone had double sold, and by the time I got to the door, they turned me away and said the ticket had already been used. So their system has good intentions, they just need to make it work offline.
> This ticket is digital. Saving data offline is the same as copying it to your hard drive. If data can be copied, it can be transmitted. If it can be transmitted, it can be shared. If it can be shared, it can be sold.
Is this still true in the age of locked-down bootloaders, secure enclaves, TPMs etc?
That data might be part of a backup to your Mac. Maybe it’s even just a sqlite file.
Fantastic article. Really easy to understand.
Side note: this is actually a great advertisement for server side rendering! If they didn't do all this client side rendering, exposing data in JSON APIs, then I doubt this reverse engineering would have been possible.
Except then I'd need to have a good data connection at the venue, and the odds of that are infinitesimally small.
I see what you mean. The barcode wouldn't work offline.
It seems like that didn't matter at the venue though? The spotty internet connection not allowing the code to load was the first part of the article wasn't it?
The article goes into that. If you open up the app ahead of time and download the ticket, it gets enough information to re-generate the barcode every 15 minutes. It's only a problem if you don't go into the app and fetch the data ahead of time.
Isn't this vulnerable to ticket 'selling' by simply sharing the username and password of the ticketmaster account?
it's not like a ticketmaster account is 'worth' anything, so the seller can simply set up a new one for their next purchase.
actually, aged ticketmaster accounts are worth something! people will buy them for a few dozen dollars, as they get priority in ticket queues.
Setting up separate accounts for every ticket purchase seems like a LOT of overhead (especially scalpers buying many tickets at once and piecemealing them out), and is easy to defeat, e.g. require out of band auth via the phone number associated with the account before logging in for the first time on a new device.
Based on the highly questionable PS/Xbox accounts sold on eBay, I think that's just what scalpers could do as part of their everyday job.
Well you can transfer the ticket to someone else for free anyway, so not really an issue.
Or you can transfer it to another name and print it out - just the name on Ticketmaster's system has to match some ID you have in the print scenario.
Would be interesting to see the same done for the UEFA ticket app. They use QR codes that are activated/visible only when the user in on site, detected via Bluetooth. They claim that secondary use is then not possible.
> If you take a closer look at your ticket, you may notice that it has a > gliding movement, making it in a sense, alive.
I feel like I am in a Disney movie.
What's the deal with PDF417? Why did they choose it over QR?
Perhaps a better question is: Why not PDF417?
What functional improvement would be had by using a 2D QR code?
One possible reason I can think of is that phone camera apps will not proactively read PDF417 barcodes like they will QR codes, thus discouraging people from thinking they can scan and decode them.
That's may be a good reason.
My phone's default camera app can recognize QR and UPC (and certainly other things; but I have other tools that I usually use when actually-using barcodes so I'm not that familiar with this part of the camera app), but it doesn't seem willing to do anything with PDF417.
PDF417 has non-square pixels (or rather as it's called in barcode nomenclature "modules") which feels very janky - it was meant for linear scanners after all.
Oh, and quoting Wikipedia:
In practice, a PDF417 symbol takes about four times the area of a DataMatrix or QR Code.
Yes. They're clearly different things.
Which of these aspects offers a functional improvement in this application?
("Feels janky" doesn't quite cut the mustard, I don't think.)
This was a fun read. I wonder if they reported it to a bug bounty program of theirs. Based on his writing how he feels about their business I'm going to guess no.
This isn’t a vulnerability. It has to work this way if offline access is permitted.
> This is a contradiction in TicketMaster’s marketing. They can’t have robust DRM on their tickets if those tickets can still be viewed offline.
The "robust DRM" is called "ID cards". Here in Europe, it's become commonplace to tie soccer tickets to ID cards that are verified at the gates to keep hooligans (or those suspected of being hooligans, which is a status that is way WAY easier obtainable than one might reasonably assume) out, and high-class events that attract scalpers like a pile of dungs attracts flies have been doing that for even longer.
Huh, weird, a turns out an old, low-tech solution is much more secure than Ticketmaster's roll-your-own weird TOT-QR "security" (even considering the magic animation that that makes it "in a sense, alive")
(Not that requiring ID doesn't raise the same and also other consumer rights issues)
The thing is, unlike most of Europe, the US doesn't have a legal mandate for anyone to possess an ID card, and so in practice you got 50 states worth of driver's licenses, library cards, military or government employment IDs that can be used (or faked)... so you can't really use these for legitimately verifying anything unless you want to spend a lot of time and money to train your staff to spot fakes. Banks can do that but no one wants to do that for the goons that run security at venues for minimum wage.
Sure, but realistically no one is going to get a fake ID with a certain name on it so they can go to a concert with that person's tickets.
The problem isn't scams.
The problem is that Americans are not required to have an ID -- at all. No federal law requires it, and there is none issued by default.
(This is not the same as saying "Americans don't have to carry an ID" even though that is also true.)
Americans aren't required to have an ID, but that is only relevant to government related services. Private businesses like concert venues are within their rights to card you in some manner, and refuse admittance if you don't provide ID.
Yes, that's all true.
But none of that somehow makes this side of the pond the same as the other side of the pond.
An idea that works in one place doesn't necessarily work in the other.
How hard is it to get access to a database to confirm that a scanned ID is valid, and corresponds to the name written on it?
Easy if you're government (every random cop on a traffic stop must be able to do that after all) but really REALLY hard for private entities.
The exception is anything that is accepted by airports for international travel aka, for you Americans, only a passport - ICAO 9303 is very detailed on how you can access the data stored on them. The specs and a basic understanding on how to communicate with smartcards are decent enough to get you to a readout in maybe a weekend worth of work. The authentication is either via a code derived from the MRZ or a dedicated access code printed on the document.
Hopefully pretty hard.
Not a database you can trawl for your own uses, just something that if you scan an ID pops up validating(/rejecting) it and lists the associated name.
I guess you could abuse that to turn partial IDs into more realistic ones? But that feels like a stretch. I can't see it being that useful for much more than confirming that an ID isn't a fake, which seems hard to abuse.
>They can’t have robust DRM on their tickets if those tickets can still be viewed offline.
I wonder why did they implement this gimmick while having access to all the resources in the world. Or maybe they thought that this is smart.
I can't buy a ticket in my country, because my phone number is foreign. Can I use this to have someone buy it for me and transfer it to me?
Truly a noble cause.
Great post, bummer this will probably mean we can no longer use this as soon as the implement something stronger.
Shitty companies doing shitty things. I think this is the expectation in 2024.
I get the loathing for Ticketmaster and all, but can we just also acknowledge that the only reason they can do what they do because the various entities they collaborate with participate in the monopolistic cartel scheme?
Can we also please acknowledge that if people stop going to the things Ticketmaster sells tickets to, they will stop these practices? No one is forcing people to participate in these things; I don’t.
Lastly, it even calls itself Tomicketmaster. And you didn’t realize you are a Ticketslave? It is right there, in the name! Right in front of your eyes!
It always amazes me what they can get away with and people just behave like buffalo on the Serengeti, stampeding through the crock infested river … “those crocks are the worst! Ok, Karl, we are up next”
Instead of chiding your TicketMASTER devs and alpha slave MBAs, maybe stop being a TicketSLAVE altogether. Has that dawned on any buffalo?
Fun fact, to drive the point home. Guess how the predators of the Serengeti are treated when they want to go to an event. You think they deal with Ticketslavery even though the Ticketslaves is how the cabal makes its money?
Mirror this before it gets a DMCA takedown or something.
you can add them to your apple/google wallet and boom internet doesn't matter, but he ignores that.
"besides the fact that I don’t want to install their spyware on my phone."
There's no other mention of spyware in the article - does anyone know what this is referring to?
I think it's just usually any 3rd party app is to be considered spyware nowadays.
OK - just general tin-foil hattery.
I know the discussion has drifted into the larger realm of ethics and civic responsibility. But with respect to the original title, I always thought that it would be trivial to create a software 'tumbler' the logic of which was based on primitive examples, such as this. Edit: each user could have thier own initial state. https://en.wikipedia.org/wiki/Alternating_step_generator granted you'd need to ramp up the bits to make them less crackable. Then all you'd need is some translation to 2-d QR scancode graphics and a silly sliding bar and voila! Ticketmaster hegemony.
But yes, its disgusting that i've needed a phone for events...
The solution to scalping is simply to not buy tickets from scalpers. Never did, never will.
How hard is that really?
> I now know everything I would need to duplicate TicketMaster’s barcodes
Until they change their encoding.
Requiring the installation of a proprietary app to do anything should be forbidden.
> If they had issued me normal, printable PDF tickets I could save offline to my phone
Uhm, you can save the tickets to Google Wallet.
This doesn't work on GrapheneOS.
1000
This is Gold - but also Ticketmaster is a evil monopoly
Disclaimer: This isn’t from a real SafeTix barcode. I don’t want TicketMaster to be able to identify and harass me.
Bullshit, TicketMaster. It’s a CSS animation. Get over yourself.
I think we can all agree: Fuck TicketMaster
super entertaining read! many thanks.
Reverse engineering? More like “reading plain English”!
For a billion dollar corp that is some atrociously poor security
Agreed, fuck Ticketmaster. Sincerely.
nice, more of this please. the constant abuse through everything digital has to be fought
I am sure this is pointed out elsewhere, but ticketmasters business model is based on lying to the public so that the artists and venues don’t have to.
Taylor Swift is a nice-ish person and wants her fans to think they can buy tickets for her shows at about 25 bucks because that’s a lot of money for a 12 year old and she does not want to alienate her fans.
Her manager is an evil cackling bastard and wants to get as much as he can.
He knows if he sells all the tickets for 25 bucks he will lose money in the tour and the people who resell the tickets for 2000 will make 1975 dollars profit.
So he does a deal with ticketmaster.
They will sell 100 seats at 25 bucks, then announce “wow that sold out quickly” and then pretend that the other 5000 tickets they have are sold, and then resell them on secondary sites (ie ticket master is actually selling you orignal tickets through secondary markets).
Then they give the cash to the evil manager who twirls his moustache.
All the rest, the adding extra charges at end of sales process, the ridiculous rush to buy at a given moment in time instead of some auction or lottery, the whole thing of backhanders to venues, all that is secondary to enabling Taylor swift to take a huge cut without seeming like a evil moustache twirling money grabbing manager.
I'm not sure this is true. Most (~80%) large venues are owned and operated by Live Nation, who also owns Ticketmaster. They also have exclusivity agreements with hundreds of others.
It's, in effect, a shell operating as a scalper and a customer service disruptor. This has very little to do with the artist beyond selecting venues.
It's about 60% of large venues. The 80% is Ticketmaster's share of the ticketing marketplace.
I don't think this is accurate. Ticketmaster/LiveNation control most good/big venues so artists have to deal with them in some way. Artists generally don't want to charge market clearing prices to their fans (for niceness and PR reasons) but Ticketmaster is happy to be the bad guy and do that via exorbitant fees. I'm very in favor of breaking up Ticketmaster but we should be clear-eyed about what that will do: it will transfer money from either Ticketmaster to scalpers or transfer money from Ticketmaster to artists.
Fundamentally, if there's someone out there willing to pay up to $x for a space-limited event, they will find someone to give that $x to. I'd rather that person be the artist.
There was an article in the LATimes article a few years ago with the former ceo of Ticketmaster who explicitly confirmed the above. Ticketmaster does a deal with the band to charge as much as possible and take all the negative blowback or whatever about it and then gives them a kickback.
Fees split into thirds, (TM, performer, venue) is my recollection.
Taylor Swift's manager is a woman. And an artist like TS is going to know exactly how it works behind the scenes
The grandparent is implying that "Taylor Swift" and the "Evil Manager" are two sides of the same coin; they don't need to even be different people. The system lets a (big) artist extract value while keeping their public image clean. It's a shell game, and Ticketmaster plays the role of bad-guy-as-a-service.
Of course, their insane monopoly means they also get to take advantage of smaller artists, venues etc. None of this is good.
Hey now, it's 2024, anyone can twirl their evil mustache if they want to sport one. Just wash your hands afterwards.
If Britney Spears's book is to be believed, the talent can be kept in the dark.
Britney Spears ended up forced into a conservancy. Taylor Swift is much more savvy (gets songwriter credit on everything, successfully rereleased her early tracks to get better royalties from her back catalog, manages her fanbase really well in general). She definitely knows the game with Ticketmaster.
Britney Spears is not your typical situation. She was legally incompetent and in a conservatorship control by her dad until very recently.
Can you provide a source for artists getting a cut of the greater-than-MSRP resale market?
There are a lot of journal articles about this, but here's a recent NPR story [0] and a Vox article from 2019 [1].
[0] https://www.npr.org/transcripts/154299904
[1] https://www.vox.com/the-goods/2019/7/22/20703858/live-nation...
Why shouldn't the artists get a cut of the greater-than-MSRP resale? Yeah, I realize that some pretend that the MSRP is the real price, but if anyone should get a cut of the jacked up fees, it should the people on the stage or producing the show.
I don’t think anyone is arguing otherwise. The frustration is the inaccurate pricing and other monopolistic behavior from TM et al.
I mean, they should have that revenue, and a lot of us want them to just raise the prices for that reason. What's arguably kinda dishonest is when they have deals with Ticketmaster's scam of a resale scheme that result in them getting a large amount of the 'scalping margin' while also yelling about how they price their tickets SO low, and it's scalpers to blame for 'stealing the tickets from all you Real Fans!'
[dead]
There was a trial in 2009 that had Katy Perry’s contract with Ticketmaster released into the open - cannot find it at the moment but it was explicit about how many tickets would be available for her to sell etc
This is all open and documented in the upcoming prosecution by US attorney - also cannot find atm
> Taylor Swift is a nice-ish person and ...
Face value on tickets for her last tour started at 75.
All that money went to Taylor. ALL OF IT.
How do you pay for support staff, trucking how do you pay to move t-shrits from one venue to the next.
This is where all those fees come in... It's not the manager grabbing the money (that bit is later), it's the promoter covering the cost of the tour. Paying for staff to haul and set up a stage at every venue, paying for band members, dancers, people to run lights...
The Management (and the artist) will then "hold back" tickets. Most of the best seats are sold one of two ways. Fan club packages, where you pay 3000 bucks to meet the artist, get a photo and get a good seat. - OR - they go directly to the secondary market. This used to be scalpers (who "worked" for management) but now is secondary sales sites.
There are still two more bits: Consessions. Most artist get a pretty hefty kick back after covering venue staffing. These contracts can be weird, but artists, managers and promoters LIKE Ticketmaster being a one stop shop. It lets them negotiate a single deal (and one that is better for the artist) for the whole tour. Then there is merch, this is a gold mine for the artst and management too. Again there is a staffing component but that is covered by the concessions (mostly).
IN a lot of cases a venue will not sell out, and that is FINE. What happens is that the "fans" ran to the front of the line and paid too much for tickets, bought on the secondary market to get good seats. IN many cases there was so much money made at this stage that the monetary value of the rest of the tickets drops to zero....
At that point no one wants an half empty venue... So it gets papered over. They give away tons of free tickets, they "leak" a late box office hold being released... but it's now a fire sale. The nose bleed seats are selling for 5-10 bucks (even in today's market). Because assess in seats sells beer, t-shirts, and a full venue makes it an "experience"
This is the model that Bill Graham built and the vision of the industry he was going towards. TM is still, at its core, Bill Graham Presents.
I used to work in the industry, it's a hot mess and every one is greedy.
Sounds great. Won't be going to any ticketmaster events ever, and you shouldn't either.
I, too, love a good Tuvan throat death-metal band in the outer suburbs of Ulaanbaatar.
I would _totally_ go to that show.
Not sure why you are saying Taylor Swift's fans are 12 year olds because they aren't. The average age of a Taylor Swift fan is closer to 30.
And because of Taylor Swift there is now a DOJ investigation of ticketmaster. Taylor Swift is not on the side of ticketmaster like you are conspiracizing.
Comment was deleted :(
As much as I dislike Ticketmaster this is pure conspiracy unless you provide sources
I can't confirm what they said, but TicketMaster does have a "partner" reseller program for scalpers where they have tools to help scalpers list and manage resale tickets in bulk. They also have events where they help teach scalpers how to make more money, which is good for TicketMaster since it makes even more money on secondary sales. Ticket scalping used to be illegal, and now TicketMaster is helping facilitate it.
Source: https://www.cbc.ca/news/business/ticketmaster-resellers-las-...
Scalping aside, TicketMaster is taking massive fees each time the same ticket is sold. For example, I went to an event last year and the fee was $50 on each ticket, and these were reseller tickets so TicketMaster had already taken a fee on each of those tickets at least once already (perhaps more than once).
TicketMaster also owns many venues or has exclusive deals with most large venues that prevent those venues from using any other ticket selling platform. The DOJ is currently investigating this monopoly. TicketMaster alleges it is not a monopoly since there are many smaller venues that they are not involved with.
> Scalping aside, TicketMaster is taking massive fees each time the same ticket is sold. For example, I went to an event last year and the fee was $50 on each ticket, and these were reseller tickets so TicketMaster had already taken a fee on each of those tickets at least once already (perhaps more than once).
So your evidence is that you were charged a $50 fee on a separate transaction that didn't involve TicketMaster?
This is not the compelling evidence that you think it is.
I think you can probably re-read and understand that their entire post is about the fact that Ticketmaster hosts, processes, and charges fees on resale tickets.
I know that you already know this, based on your other posts on this thread.
The technology referenced in the post above is, at least in part, to prevent you from reselling the ticket without involving TicketMaster. That may be justified as a way to prevent selling the same ticket more than once, but it’s certainly the case that this is one of many possible approaches, and it’s the one that most favors this business.
It would probably be criminal for the company to act any other way, so I’m not claiming any evil doing here.
> I think you can probably re-read and understand that their entire post is about the fact that Ticketmaster hosts, processes, and charges fees on resale tickets.
Yup. I misread the comment.
Actually, TicketMaster was involved in each transaction. Let's revisit the first paragraph: "TicketMaster is taking massive fees each time the same ticket is sold."
I'll lay it out in detail so it's more clear: TicketMaster sold the original ticket to the scalper. Then the scalper listed the ticket on TicketMaster's secondary market. Then I bought the ticket on TicketMaster's secondary market and TicketMaster collected a $50/ticket fee from me. TicketMaster also collected a fee on each ticket the first time TicketMaster sold those tickets to the scalper.
TicketMaster also charges the scalper a fee to list the ticket, so TicketMaster actually made more than the $50/ticket fee that they collected from me.
It's also possible that the ticket was sold on TicketMaster's secondary market several times before I bought it on TicketMaster's secondary market, which would allow TicketMaster to collect many fees on the same ticket.
Yes, I misunderstood what you wrote.
There are plenty of scalpers who sell tickets outside of TicketMaster, despite their best efforts. Do you think the $50/ticket fee that you paid would have been lower if you'd done your transaction outside of TicketMaster's platform?
I have purchased secondary tickets outside of TicketMaster many times and the fee has always been lower. But, that's anecdotal of course... there's no reason why they couldn't be higher. But, let's leave the actual fee amount aside for a moment...
I'm slightly less concerned with the actual amount of the fee and more concerned with the fact that ticket scalping has apparently become legal and that the original ticket seller is not only in on it, but getting even higher fees on the scalped tickets than the original tickets.
It's disturbing that it's illegal to scalp a single ticket in person outside an event, but if someone does it online with hundreds of tickets then they're a "ticket broker" and that's legal (in California at least).
> It's disturbing that it's illegal to scalp a single ticket in person outside an event, but if someone does it online with hundreds of tickets then they're a "ticket broker" and that's legal (in California at least).
Legal space around ticketing is... insane. The laws protecting "ticker brokers" are cloaked as consumer friendly regulations, and ironically TicketMaster actively lobbies against online "ticket brokers".
> I have purchased secondary tickets outside of TicketMaster many times and the fee has always been lower. But, that's anecdotal of course... there's no reason why they couldn't be higher.
In general, TM's share of resell is much smaller, and the resell market is heavily fee sensitive, as the brokers like to keep as much of the money as they can, so the fees tend to be set by the market (and they didn't go up when TM got in to the business).
LiveNation (who owns Ticketmaster) acknowledges that they do this with the artist's consent. https://archive.md/1JeG5
Even if it's true it's a conspiracy
> Conspiracy
> a secret plan by a group to do something unlawful or harmful.
It could be true but Ticketmaster is explainable by the purely mundane evil of a monopoly. I could be convinced but I too would want evidence.
> Software developers are the wizards and shamans of the modern age. We ought to use our powers with the austerity and integrity such power implies.
This is one of the most powerful truths underlying the world we currently inhabit. The sooner we can agree to behave accordingly, the better our prospects for ripping the reigns of society from the hands of those whose only animating principles are avarice and exploitation.
I still don't blame the developers, I blame government. It's not the job of rank and file workers to police companies. I wouldn't work for LN, but I'm not going to blame someone else for doing so. We've all gotta feed our families. (I realize there's a line somewhere, you wouldn't excuse a prison guard at Auschwitz the same way, but I can't get too worked up about a developer making a ticketing app even if I hate the ticketing company.)
Developed countries long ago came to the conclusion that companies should not be allowed to have monopolies because it is bad for society as a whole, and it's hard to think of a current monopoly as egregious as this one. There is absolutely no reason one company should have exclusive rights to 85% of large venues, also be an evebt promoter, and also be the ticket seller.
Anything their developers do is not the real issue, a society that allows this to happen in the first place is.
> I still don't blame the developers, I blame government.
Yes, but I think they still have some responsibility, even if they say "I was just following orders!" [1]
Everyone bears some responsibility if you've ever interacted with any entity that profits off of TM or helps TM make profit. I don't find it's particularly useful to spend any thought on what people with minuscule responsibility should do differently. It's just bike-shedding when there are important problems to solve.
Even government software has issues (Vienna). I paid a €100+ fine for not having a ticket, even though I spent time going through the purchase flow. I have 100s of tickets purchased. Live agent and support agent just shrugged and told me I don't know how to use the app, washed their hands of any responsibility or need for understanding.
It's like there's no way to make the software human and humans in the loop have a crutch to lean on to not behave as a human. When I contacted the dev team directly, they shrugged too. No refund.
To me it feels like software is the place where society can just exercise its cruelty and indifference, or maybe it is a reflection of society, it's probably just like humans are. What we think software should behave like is not human.
I had more pleasant experiences with London/UK train ticket edge cases and felt like the system is built to deal with user/server errors.
That’s just reflection of your culture. I.e. I come from Eastern Europe where cheating is so engrained and “i made an oopsie” would never fly. Beurocracy is face to face and takes ages
Now living in NZ I get tons of slack for something like “verify youre local for free museum entry” or “get your passport by post”. Life is so much easier when societal trust is high.
Societal trust is extremely valuable. Policy decisions that weaken it should be scrutinised extremely strictly.
I mean would you say that developers who work for Facebook have crossed that line?
...by doing what? FB is one of the largest employers of people on this site. If you ran a poll, I'd expect the majority to answer "no" to your question. Of the people who answered "yes", I bet the majority would still accept an offer from FB if it was just 20k more than the next best offer.
One small example: In 2012 Facebook emotionally manipulated people in the name of science without anybody's consent by controlling positive / negative posts on their news feed.
Right? Wrong? Discuss.
Textbook case of unethical conduct of research. The key here is lack of informed consent by the study participants.
The APA put out a press release about this study violated their code of ethics.
https://www.apa.org/news/press/releases/2014/06/informed-con...
I can't put any facebook developer in the same bucket as a guard at a concentration camp.
Because a concentration camp guard would be jailed or killed for refusing service, but a FB dev would lose a few $thousand in opportunity?
Working at a faang level company is associated with a large enough increase in income that it could support a handful of families in developing countries. I don't know what purpose it serves to downplay just how substantial that amount of money is.
I think that was wrong. At the same time, drawing lines of good/bad at the boundaries of the people working at facebook is, imo, not useful.
I don't see the issue. Every social media site does this, FB was just naive enough to share their research
The issue is the lack of informed consent. This is pretty basic ethical conduct of research stuff.
I have never seen a social media site ask for consent for A/B testing their new things. Everyone does this, I am pretty sure even the big news sites that wrote those headlines also does this without asking. The only thing facebook did differently was calling it research rather than A/B testing.
And this just proved my point. During the Nazi regime, everyone was hating the jews. And everyone was doing fascism.
Now to bring this to a close, people like you, who will jump companies for 20_000 and have lost the ability to see a clear ethical violation will be holding the guns and guarding the gas chambers when the next Hitler comes along. Meditate on this.
Also this XKCD is dumb. Previously the feed was chronological post of friends which was definitely more ethical. But of course that didn't make people addicted enough.
Did you get informed consent from me regarding the methods by which you constructed your comment? Or are you manipulating my emotions unethically?
If that proved your point, you didn’t have a point. If you can’t see the difference between genocide and lack of informed consent on a social network algorithm experiment you can’t be helped.
I’m all for moral relativism, but there’s no future in which Facebook’s current actions aren’t at least reasonably debatable, and no past in which Auschwitz was.
If you wanted an example of where the line gets blurry (it does sometimes, just not in either of these) I’d go with pharmaceuticals.
One thing I have learned from the internet is that if you mention the Nazis or the Jews, you lose, good day sir, even if you are right.
People are illogical.
Yeah I was only trying to give an extreme example of someone being unethical working an immoral job, contrasting that with, say, working for Ticketmaster, which, as much as I despise them, is hard to equate with the Holocaust, given that one killed millions of civilians and one just costs me a little money. I should have known better.
They seem very different to me and anymore, I almost think that’s a valid test of the reasonable person standard.
> people like you, who will jump companies for 20_000
???
I said I don't find A/B tests unethical. Literally every tech company runs A/B tests just like that one. Why would I ask for 20k more?
> Previously the feed was chronological post of friends
Yeah, before they measured the impact of a good recommendation algorithm.
And back when you could log into Facebook and see a feed of all of your friends’ posts quickly. Facebook eventually got to the point where for most people the feed would have been much longer than the time they wanted to spend on site, and so showing them just the most recent few is somewhat random. Much better for engagement to show them posts they like.
Depends on when they joined
No. Not even close.
"Developers are blameless" is a uniquely HN take, for obvious site demographic reasons.
I see a worthwhile product as a stool with at least three legs: Technical feasibility, business viability, and ethical acceptability. Take one leg away and the stool should fail. Yet, HN commenters endlessly discuss/debate the first two and largely ignore the third. I think we all have a duty to work on projects that are ethically sound (defining that is a whole other discussion). There are plenty of companies out there and plenty of products to work on--it's not like we have to pick an evil one in order to survive and "feed our families."
There should be more choices rather than "find another company". The problem is that it is an economically valid argument to say "if I don't, someone else will".
I believe that professions should have codes of ethics, and people should be expected to adhere to those codes of ethics. Right now there is no licensing or apprenticeship or registration associated with the profession of "software developer". There are some organizations that issue professional certifications in adjacent areas (MCSE, CISSP, etc.) that have codes of ethics associated with them, but I rarely see disciplinary action associated with them, and in any case employability is not linked to these certifications.
Conversely, lawyers have bar associations that evaluate complaints and can withdraw permission to practice.
Doctors have the Hippocratic Oath, but I'm not sure that it's enforced for medical licensure. However doctors do have medical licensing boards and licenses can be revoked.
Pilots have revocable licenses but I'm not sure they have a code of ethics.
Civil engineers have codes of ethics and licensure, but licensure revocation appears associated with legal malpractice, not ethical malpractice.
In any case, there are societal mechanisms that could be used to associate codes of ethics with software developers, if we as a profession and a society chose to, which I'm not optimistic will happen.
Sure, but the issue is, someone might not think ticket master is evil. And I’d argue the things they do that should at least be illegal (in my view) have nothing to do with developers.
Take away their exclusive rights (on both sides of the business) to 80+% of large live music venues and they’re just another ticket platform.
Yeah, but only one of those legs controls the money. At least in the US, no money means no food, no shelter, no healthcare, etc, so it is not a viable choice for most. So rightfully most of the blame should be assigned to those that control the money: management and executives. Rarely hear of required ethics guidelines and handwringing about ethics from the MBA types.
I'll accept a share of developer blame in places with strong unions and the ability for workers to strike.
And the developer job market has changed. We can act like everyone can just go get a job that pays well somewhere else, but I’ve got friends who are very senior developers who’ve been laid off and had a hard time finding a good job in recent years.
The market isn’t what it once was and while overall still good, we do all have bills to pay.
I guess I'd turn it around and ask those developers: Are there any projects you wouldn't do, no matter how much you needed the money, because you found them ethically unacceptable? If the answer is yes, then they actually agree with me, and we're maybe just discussing where the evilness threshold line should be drawn. I don't know many actual people who would say "No, I would willingly work on absolutely any project, no matter how harmful or depraved it is, as long as I get paid," but then again maybe I don't know enough truly desperate people.
I dont think it’s a truth.
Shamans and wizards (never heard this used to describe anyone in history but let’s assume it’s just any kind of supposed magic user) were people at the top tier of their societies in terms of political power. Not kings or chieftains, but above everyone else.
Programmers are just making a living selling their labor power like every other office drone in the world. We’re one of the most common lines of work out there.
If you want the mysticism angle, we are like those kids they used to catch “witches”.
> Shamans and wizards (never heard this used to describe anyone in history but let’s assume it’s just any kind of supposed magic user) were people at the top tier of their societies in terms of political power. Not kings or chieftains, but above everyone else.
I don't know where you came by such a notion; Shamans, "Wizards", witches, "wise women/men", are usually shunned from society such that they tend to live near the outskirts of towns or cities, nobody really wants to live close to them; and when "bad things happen" tend to be the first ones to get blamed for it; then they also are commonly used as scapegoats for whatever political, economic or religious effort some corrupt officials try to push.
That doesn't sound very societal top-tier to me.
We're definitely not witches or wizards, at most we are scholars or [specialized] craftsmen. "Knowledge workers" if you will. Not as unlikable as the wise folk that live towards the edge of town, and not as at risk of getting tied to a post and lit on fire because the bishop believes we commune with unclean spirits.
Perhaps they were referring to a time when nomadic people started settling into "villages," before organize religion solidified?
> and not as at risk of getting tied to a post and lit on fire because the bishop believes we commune with unclean spirits
We're on our way to get there, though, with that "can't solve social problems with technology" infectious meme, and the other one that makes the public blame programmers for socially-problematic tech, while ignoring or praising the business people who imagined, commissioned, and decided to deploy those technologies.
Are there any documented examples of societies where "magics", "shamans" or "wizards" were at the top of the hierarchy? I gotta say, I'm an avid reader of Ancient History and Anthropology and the closest I can think of is the Priest-Kings of Sumeria and your garden variety theocracy and the latter is much more of a priestly bureeacracy than anything else...
Perhaps not at the top in terms of day to day decision making and wealth, but the first that came to mind would be celtic druids and bards.
I'd love to know more, can you point me to some sources?
I'm sorry it's just a vague intuition from watching a lot of documentaries about the Celts and very light internet research.
But generally speaking Druids had an oral tradition of maintaining knowledge in Celtic society. They had inter-tribe gatherings and went through long and difficult training.
Specifically also law. So they had at least the power of judges and to some degree law makers.
Perhaps you can find out more with some of these keywords.
I think you don't know what you think you know. My mom is a shaman type. These types often live at the outskirts of society where no well-to-do person would like to be seen. Zero political power but enough utility to keep at an arm's distance -- further if possible while not needed.
Yeah, we are more like masons. We have useful skills that enable building impressive things, but at the end of the day we are building someone else's cathedral.
Agreed. We're the blacksmiths making armor and swords and horseshoes.
Programmers being analogous to wizards or martial artists made more sense back when one used to need to train years or decades to become one.
With age comes wisdom.
There has been a lot of good that came from making coding more accessible; I'm not trying to gatekeep. But I do think that this is one instance where the outcome is worse. The martial arts masters still unquestionably exist among us. It's just that they're now surrounded by younger, less-wise people with guns. Both types can fight an army, but only one has the wisdom to know when it's better not to.
Yes I think there is truth to this. Something I have seen lately with Rust for example, is because the language is harder to learn, the discourse, tutorials, libraries are all much higher quality.
>Programmers being analogous to wizards or martial artists made more sense back when one used to need to train years or decades to become one.
You can be a shitty wizard with only one year of training, same goes for programmers.
that's kind of exactly OP's point. you can get hired and call yourself a "programmer" after a year of training today ... that was not true in quite the same way 30/40 years ago. and we're in agreement that someone with a year of training is probably not all that good.
>you can get hired and call yourself a "programmer" after a year of training today
That might be true 3 or 4 years ago, but I find that difficult to believe in the current job market. All the programming jobs that have come across my screen lately require a 4-year CS degree. Companies aren't hiring noobs lately. They're laying off more than hiring.
The fact we have had less than benevolent wizards and shamans, why would we expect to have modern day equivalent of only benevolent coders? It's such a fairy tale level of expectation that it seems childish. Spending any energy in trying to make real world a fairy tale is just wasted.
We wouldn't. You might expect that on an indivudual level. But at a society level, I would expect any company that's doing things that are specifically allowed by our goverment (who did approve the Ticketmaster Live Nation Merger) to get their jobs filled just like any other. I think Ticketmaster is evil, another developer might not. That's fine, they're not killing people or dumping toxic chemicals into reservoirs, we can agree to disagree.
My outrage is directed entirely at the government agencies whose job it was to stop this, not the developers making a ticketing app.
Ultimately developers type the code in and hit "deploy." They have to share at least a fraction of the blame and accept at least a fraction of the outrage. Without them, the product wouldn't exist.
There's a lot of blame to be spread around though. The developers themselves, their management chain all the way up to the decision makers, shareholders that demand ever increasing profits, governments who provide the legal framework and allow these huge, destructive companies. Everyone should get their share of the blame.
It's nice to think that might be true, but there are always plenty more devs willing to work on anything for a paycheck than there are devs with strict morals. There's a lot of egos, but at the end of the day, no matter who you are, you are not irreplaceable.
It's okay to shame bad actors.
In fact, society would likely be better off if e brought back more public shaming
I think that this is predicated upon a reasonably well informed and educated public. And my estimation is that the general populous is not informed enough on cryptography to be in a position to shame Ticketmaster engineers.
Also, my impression is that there is already copious amounts of public shaming. Some social media sites seem largely devoted to that. And unfortunately, I don't think most people fully deserve the verdict that they get in the court of public opinion.
This is certainly not true. Can you name an existing or historical shame-based society that you would actually want to live in?
It’s interesting, the more we agree and hold strong, the higher the demand grows for engineers who would help some companies create their hellscape. The incentive will grow higher and higher until people break rank. And you start over.
I cannot agree more. And this is exactly why the old Google motto of "don't be evil" was so important. And the decline of Google is highly correlated with the removal of this motto from its culture.
I sincerely hope all tech companies can take a page from old Google and truly instill an innate rejection of evil among all software engineers.
I personally think we are more like "plumbers but with JSON". I have principles and apply them but I don't expect the others to do that
architect+builder+plumber.
The suits at TM couldn't build the app+backend, even if they could hire someone to maintain and replace parts of it.
> The sooner we can agree to behave accordingly
People don't code out of a sense of duty, they do so to earn money, so there is no mechanism to enforce "behavior."
> our prospects for ripping the reigns of society
There are too many industries that take the mantle of improving society on their back. This is a mistake. There is no natural representative mechanism that ensures your actions are aligned to required outcomes.
This should probably be left to congress. If you're concerned that they won't do it then that should immediately suggest the appropriate course of action to you.
> of those whose only animating principles are avarice and exploitation.
Short term thinking cannot lead to long term rewards without abject manipulation of the marketplace.
Congress is useless, along with the rest of the planetary corporate-fascist oligarch facsimiles of democracy.
If software engineers united behind true ideals of freedom, we could automate the entire stack of "leadership" and raise the floor of society.
Open source implementations of:
Universal cryptographic identification
Decentralized voluntary anonymous voting, verifiable by every voter
Sovereign algorithmic monetary policy
Liquid representation
Complete digitization of all necessary information to audit any authorities, at any time
Full release of privacy for any "public official" -- service to society should be a burden, not a privilege
This, and much, much more can ALL be done with software. An entirely new paradigm of society, with freedom unalienably encoded into the fabric of the social machine.
Our rights digitized, our privacy, speech, and pursuit of happiness made into software.
I would say software may have an impact, and the thinking of this impact extends far beyond the next quarter of profits. This mindset can extend into a multi-planetary society and beyond. A continuously evolving, open source mechanism of human governance.
> If software engineers united behind true ideals of freedom
You'd have better luck trying to remove jealousy from the human heart. If you can suggest a mechanism for actually making this happen, enforcing it in the face of economic incentives, and measuring it's actual impact then I'll take the ride with you. Until then it is an absolute fools errand.
> we could automate the entire stack of "leadership" and raise the floor of society.
Autonomous societies have been tried before. They have no mechanism to correctly align their long term objectives so none of them have ever lasted. Planning to build another one based on nothing other than assumption is flawed.
> with freedom unalienably encoded into the fabric of the social machine.
Guns exist. The social machine is secondary to force. You have no plan for this.
> This mindset can extend into a multi-planetary society and beyond.
Older people sell younger people pure unadulterated fantasies in order to extract cheap labor from them.
> If you can suggest a mechanism for actually making this happen, enforcing it in the face of economic incentives, and measuring it's actual impact then I'll take the ride with you.
:)
Except it's not truth.
You want truth?
The Golden Rule: "He who has the gold, makes the rules."
Truth is that money is all that matters. Nothing else in the world of business matters not relationships, not customers, not Boards of Directors or CEOs. Money.
Until a person realizes this, they will be forever caught in a cycle of thought that is not truth.
"Follow the money!" is the best way to see how society works, and is why every government wants their hands in our money. Meaningful change in this world requires money. No amount of idealism or 'using our powers' can change that.
Do the wizards have 'F-Off' money? No. Will they ever? No.
This is a wild take. Software developers do the dirty work. We're one step below wall street.
This is not only a truth of the world we currently inhabit, it has always been a truth, of all the worlds we have inhabited. Power and greed go hand in hand for a reason and the struggle to find the balance is, and will always be present.
It was not true of this world 150 years ago that any person with sufficient learning could tap buttons to create an experience to be found in the hand of the majority of living humans.
I agree power and greed go hand in hand - absolute power corrupts, absolutely - but this bit? This is new.
https://www.amazon.com/New-Kingmakers-Developers-Conquered-W... ("The New Kingmakers: How Developers Conquered the World")
https://web.archive.org/web/20200915000000*/https://try.newr... [pdf]
Ah yes, The Roads Must Roll.
It's worth remembering that folks who can be bought, can be bought off and spend a lot of time enjoying their riches while true believers are somewhat more difficult to convince and don't take any time off.
That's important because all of the big evils have been perpetrated by true believers in pursuit of their "one true way." (Yes, some large evils have been perpetrated by folks chasing money. I'm talking about things like wholesale slaughter of as many people as they could lay their hands on.)
"In effect, we conjure the spirits of the computer with our spells"
t. Introduction of SICP
The worst are the programmers of the mobile games for kids.
Comment was deleted :(
Comment was deleted :(
[dead]
[dead]
[flagged]
> I remember a time when printable tickets were ubiquitous. One could print off tickets after buying them online or even (gasp) in-person, and bring these paper tickets to get entry into the event when you arrive
I go to 1-2 concerts a month so I'm well aware of how scummy TM is, but the problem with PDF tickets is that people sell fakes or sell the same ticket multiple times. I know multiple people who've been scammed this way. I get not wanting to use your phone for everything, but the changing barcode isn't just technology for the sake of technology, it's actually there to solve a problem.
> PDF tickets work even if your phone loses internet connection
So do the digital barcodes if you add them to your phones wallet.
TM even sends you an email before every event that says:
>> If you haven't already, download the Ticketmaster app or sign into your Ticketmaster account via mobile web. From My Events, tap view then add tickets to your phone's wallet for easy access at entry.
TM's help page for the Mobile Entry tickets also says (https://help.ticketmaster.com/hc/en-us/articles/978659778561...)
>> We encourage you to download your tickets to your digital wallet before you leave for your event. This ensures that you can always access your tickets.
> If you bought the ticket off the event’s official ticketing agency (not a sketchy reseller), you know for sure that they’re real.
The problem is that that isn't how the real world works. Ignoring the massive scalping problem currently happening (that TM is complicit in) sometimes plans change or people learn about events after the initial sale. Personally, any time I have to buy or sell through a reseller, I use StubHub, but I know plenty of people who don't want to use them as they charge high fees and they aren't much better than TM from a moral stand point.
Also, I get the impression that if TM locked all tickets so that they could only be resold on TM, the author of this article would have a problem with that.
Exactly all of this.
I found the article really interesting from a tech perspective.
And I have no love for TicketMaster, but the migration from paper/PDF tickets to scannable changing QR codes is inevitable, precisely to combat scammers.
TicketMaster does a lot of bad things, but this doesn't seem to be one of them. And learning to download the digital tickets in advance -- either to the app or your Apple wallet -- is just a thing you learn to do, the same way you learn to download a bunch of podcasts before your airline flight that charges for (or doesn't have) WiFi. (And if your ticket was a PDF, you'd similarly be stuck if you couldn't get internet at the venue and hadn't downloaded it in advance.)
>So do the digital barcodes if you add them to your phones wallet.
??? Last I heard the adding the barcode to the phone's wallet did not work, or at least not reliably. Some older folks I know struggled with it, and I specifically help setup the ticket master app and download the barcode. They mentioned that the app eventually logged them off when they got on site and had to struggle with poor wifi. Eventually got it to work but IIRC it took several minutes before they had a stable enough connection for it.
Does it need an actually Google/Apple wallet or something setup?
Yes, "phone's wallet" actually means Google Wallet or Apple Wallet.
Stuff I add there works for me instantly every time, even with crowded venues and zero connectivity -- as long as I get it ready in advance.
(Not that I am defending this. I'd rather carry a paper ticket, since paper is more durable and far less complex than a phone is.)
People here have no clue how much it costs to pay for a tour.
Up to $1M per week.
Isn’t this a bit like irresponsible disclosure? Since this may be considered a security vulnerability. Although it’s all client side, I’m sure there’s some basis for a lawsuit here.
How is this a security vulnerability? It's displaying the exact bits Ticketmaster uses and explaining what those bits are. They're not circumventing security systems, just the requirement to use the app.
It requires sniffing your own session credentials first, which I don't see as a security vulnerability.
The only thing it allows you to do is sell your ticket, which is legal to do.
It is my opinion that you do not need to responsibly disclose "security by obscurity"
Additionally, what is irresponsible here? Its not like this gives you the capability to clone tickets without first having a ticket in the first place.
"Responsible disclosure" is poorly defined corporate wishcasting, and certainly not any sort of best practice or legal shield.
The public prosecutor does not pursue cases where responsible aka coordinated vulnerability disclosure was applied. I'd say that's a legal shield of some kind at least, and it is generally also considered best practice in the industry. There's exceptions to everything but, in the general case, I'm not sure where you're getting these viewpoints from
"The public prosecutor does not pursue cases where responsible aka coordinated vulnerability disclosure was applied."
That seems like a pretty substantial claim to make without any sort of "in [country/state/province/etc.]" qualification, let alone a reference.
Comment was deleted :(
If it runs on my CPU and shows up on my screen after I paid for it, it's mine and I can do whatever I want. Anybody who thinks otherwise can fuck off outright.
That's exactly the same policy I apply to AGPL software. I paid for it ($0, as mandated by the developer) and it runs on my CPU.
I'm struggling to come up with a good basis for a lawsuit. CFAA abuse is the first thing that comes to mind, but this is a real stretch for that, and SCOTUS shut that stretching down a while ago. DMCA doesn't come into play, since this isn't circumventing any copyright protection schemes. So this kind of leaves you with some form of contract violation, but even that seems like a stretch here. Tortious interference or interference with prospective business? I mean, I don't see any events complaining about this (hell, Ticketmaster itself arguably has some contract liability issues with the fact that their technology relies on cell service which tends to be spotty in dense crowds). So you're kind of left with some individual contract liability issue, which is literally not worth the cost of litigation.
Nah. Ticketmaster is unethical enough that spreading information that harms them or helps them go out of business is ethical.
Responsible disclosure is something you pay for, not something you are entitled to.
Everyone want Ticketmaster to die.
Except for a lot of performers and venue operators. Ticketmaster is paid well to be the bad guy. They often share the fees with both the performer and the venue.
I'm sorry to be that guy but do you have literally any source for this?
Might just be the musicians I like, or the fact that negativity is better for clicks, but I've never seen an artist saying they get any benefit from ticketmaster's fees and other such shenanigans; I've only seen artists and venues saying that they don't get any money or benefits at all from ticketmaster's racketeering.
From the Ticketmaster website:
> ticket fees (which can include a service fee, order processing fee, and the occasional delivery fee) are determined by and shared between the parties who have a hand in making live events happen including venues, Ticketmaster, sports teams, leagues and promoters
When the artist doesn't want their fans to be charged big fees - they have some say in it. Robert Smith of The Cure made a stand on this last year and got Ticketmaster to refund a bunch of money.
> they have some say in it
That's a very carefully crafted sentence. How much, exactly, do artists have a say? Do artists equally have the same amount of "say"?
And why are we even discussing all these nonsense in the first place?
The app-based barcodes don’t seem to be solving a security problem for customers - they seem to be for the purpose of ensuring that traditional scalping doesn’t work, forcing ticket resale into a market that TicketMaster can profit from.
I would consider it unethical to publish details of an unpatched vulnerability that allowed ticket forgery, but I don’t think it’s unethical to bypass DRM-like controls for personal convenience rather than commercial purposes.
Of course opinions may differ on this.
Crafted by Rajat
Source Code