
Hackers Cut in Line at the Burning Man Ticket Sale–And Get Caught - Libertatea
http://www.wired.com/2015/02/hacking-burning-man-tickets/
======
fWnApHU2PY6CPA
I believe I may accidentally be one of these "hackers."

For those of you who don't know how the line worked, TicketFly sent registered
users a link to a page that would allow them to purchase tickets at 12:00pm
PST. Like most people, I clicked the link just before noon and ended up in a
waiting room with a countdown clock and a note explaining that a continue
button would appear at exactly 12:00.

My coworkers and I were curious if the button was simply hidden from view
using JavaScript, so we did what any hackers (in the Hacker News sense) would
do – we viewed the page's source. There it was! In the middle of the page sat
a small JavaScript function with a link to reveal the button. Curious again,
we clicked it. I believe the waiting room page just refreshed at that point,
and we thought nothing of it. A few minutes later, the queue began, and after
sitting in it for about 40 seconds, I was shown the purchasing screen. I
assumed I got lucky and left happy.

When I read this blog post on Saturday evening, I realized what had happened
and freaked out a bit. It appears that clicking that link placed us at the top
of the queue, even though we couldn't actually start the purchasing process
until noon. Because of this, I am probably going to lose my tickets. Yet the
fact that we could cut in line never even occurred to us, because we assumed
that any queuing logic would have happened on the server side to prevent
exactly this kind of exploit.

I feel bad for the users that I apparently cut in front of. I feel equally
crappy, though, because I'm certain that other "hackers" are in similar
situations to me. From what I've read in subsequent reports, using NoScript or
otherwise browsing with Javascript disabled would have revealed the button
before noon. That means that those people, too, will be labeled as hackers and
have their tickets revoked. I'm relatively certain that even having a system
clock running a few minutes early would mark you as a line cutter.

Not sure what to do next. I suppose all I can do is wait. This sucks.

~~~
lawlessone
That's not accidental.

~~~
frogpelt
It's also not hacking.

Viewing page source and navigating to a URL which is clearly visible is not
subversive in any way.

~~~
Shivetya
By whose definition? So if a site has elements on a page they do not want to
be immediately seen, their only choice is to not distribute the content? So if
you're circumventing a script, that is not the same as circumventing a program?

I look at it this way: if it does not occur to the common user to do so, then it
is "hacking". Not in any nefarious/sinister sense, but the term still should
apply.

~~~
edwintorok
If it is true that people visiting with NoScript or JavaScript disabled would
see the button immediately, then it is a design flaw of the ticketing system,
not hacking. At least they should've used JavaScript to generate the link and
show it, as opposed to hiding it on page load.

~~~
fWnApHU2PY6CPA
Full disclosure, I don't mean to present the NoScript/disabled JavaScript
comment as fact – I read that here:

[https://www.reddit.com/r/BurningMan/comments/2wieta/did_you_...](https://www.reddit.com/r/BurningMan/comments/2wieta/did_you_cheat_the_system_with_the_hidden_link/corv4g9)

EDIT: Typo

------
raldi
_> In recent years, Larry Page, Sergey Brin, Elon Musk, Jeff Bezos and Mark
Zuckerberg have all scored tickets to Burning Man._

Um, Larry and Sergey have been going to Burning Man since at least 1998:

[http://www.theatlantic.com/technology/archive/2013/09/the-fi...](http://www.theatlantic.com/technology/archive/2013/09/the-first-google-doodle-was-a-burning-man-stick-figure/279416/)

------
Cthulhu_
And that's why you never put that kind of logic on the front-end. Or if you
do, always make sure there's a back-end double-check. In this case, from what
I gather, a unique key that could only be known if people got it via an email
would've been adequate.

~~~
davidw
> And that's why you never put that kind of logic on the front-end.

I wonder what kinds of goodies all these front end frameworks will lead to,
when they eventually fall into the hands of people who don't understand that
the final arbiter of some things must be on the back end.

~~~
Bahamut
That sounds like poor engineering in general - why would you trust the client
on time sensitive issues? I'm predominantly a frontend engineer, but I make
sure to understand the role of the technology I use and the responsibilities
that need to be addressed by other sectors.

~~~
davidw
> why would you trust the client on time sensitive issues

Because someone only has a superficial understanding of how things work.

------
jimrandomh
Doing the queue/first-come-first-serve thing only makes sense if you expect
the number of people arriving at exactly the starting moment to be less than
your supply of tickets. Otherwise what you have is a ticket lottery, except
that the "randomization" is being done by ping times rather than anything
explicit. If they can't expand the ticket supply by enough to meet demand,
then they should probably make an explicit ticket lottery.

~~~
legulere
Doing a lottery also has the advantage that you can make some extra rules to
make it more fair. For instance you can prefer people that didn't get tickets
the year before.

------
peterwwillis
Many ticket-limited events have figured out how to run a massive timed
purchasing event like this. TicketFly could have checked out any one of them
to learn how to properly execute this kind of event and prevent
"line-skipping". (ShmooCon and Playa Del Fuego are two such events I'm
familiar with.)

The system is very simple: you open up the ticket purchase page a few minutes
before registration opens. The page reloads at randomish 30-second intervals.
Once registration opens, the backend sets a queue number linked to a unique
ID, and sets a cookie in your browser with that ID. You wait for the page to
finally reload and say "it's your turn to purchase tickets!" And so, through a
delayed system of individual registrations, everyone gets their ticket if they
showed up at the appropriate time.

The 'queue' is a server-side aspect of this system, and it all happens on
servers that have their clocks synchronized. Before accepting anyone into the
queue, the server software needs to check if it's 12:00 yet (or whatever time
registration opens).

Their software did not check the time before populating the queue. Bottom
line: _this was a bug in TicketFly's software_, not "hacking".

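The two design points raised in this thread, Cthulhu_'s "back-end double-check with a key only known via email" and peterwwillis's server-side queue that assigns numbers only once the server clock says registration is open and randomizes entry so ping times don't decide the order, fit together in one small server-side model. The following is an added example written for this page, not TicketFly's code or anything from the Wired article; `OPEN_AT`, `BATCH_SECONDS`, the `TicketQueue` class and the e-mail addresses are all constructed for illustration.

```python
import secrets
import time
from typing import Callable, Dict, List, Optional

# Constructed values for the example; a real deployment reads them from config.
OPEN_AT = 1000.0       # server-side opening time ("noon"), epoch-style seconds
BATCH_SECONDS = 30.0   # arrivals within one window are shuffled together


class TicketQueue:
    """Server-authoritative waiting room: the server clock, not the page, gates entry."""

    def __init__(self, open_at: float = OPEN_AT,
                 clock: Callable[[], float] = time.time) -> None:
        self.open_at = open_at
        self.clock = clock                       # injected so tests control "now"
        self.invites: Dict[str, str] = {}        # invite token (mailed) -> email
        self.sessions: Dict[str, str] = {}       # cookie id -> invite token
        self.pending: List[str] = []             # cookie ids in the open batch
        self.batch_closes_at: Optional[float] = None
        self.order: List[str] = []               # final queue order of cookie ids
        self.served = 0                          # sessions already let through

    def issue_invite(self, email: str) -> str:
        """Unguessable token sent by e-mail; only its holder can enter the queue."""
        token = secrets.token_urlsafe(16)
        self.invites[token] = email
        return token

    def enter(self, token: str) -> Dict[str, object]:
        """Handle a waiting-room page load. Before open_at no queue state is
        created, so a revealed button or an early client clock gains nothing."""
        if token not in self.invites:
            return {"status": "rejected"}
        now = self.clock()
        if now < self.open_at:
            return {"status": "waiting", "retry_in": self.open_at - now}
        self._close_batch_if_due(now)
        for cookie, tok in self.sessions.items():   # one session per invite
            if tok == token:
                return {"status": "queued", "cookie": cookie}
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = token
        self.pending.append(cookie)
        if self.batch_closes_at is None:
            self.batch_closes_at = now + BATCH_SECONDS
        return {"status": "queued", "cookie": cookie}

    def _close_batch_if_due(self, now: float) -> None:
        """Shuffle everyone who arrived in the same window so latency does not
        decide the order, then append the batch to the queue."""
        if self.batch_closes_at is not None and now >= self.batch_closes_at:
            batch = list(self.pending)
            secrets.SystemRandom().shuffle(batch)
            self.order.extend(batch)
            self.pending.clear()
            self.batch_closes_at = None

    def poll(self, cookie: str) -> Dict[str, object]:
        """Answer the periodic reload: is it this session's turn yet?"""
        if cookie not in self.sessions:
            return {"status": "rejected"}
        self._close_batch_if_due(self.clock())
        if cookie not in self.order:
            return {"status": "queued", "position": None}   # batch still open
        pos = self.order.index(cookie)
        if pos < self.served:
            return {"status": "done", "position": pos}
        status = "your_turn" if pos == self.served else "queued"
        return {"status": status, "position": pos}

    def complete_purchase(self, cookie: str) -> int:
        """The purchase endpoint re-checks the queue; the page cannot bypass it."""
        if cookie not in self.order or self.order.index(cookie) != self.served:
            raise PermissionError("not this session's turn")
        self.served += 1
        return self.served


if __name__ == "__main__":
    now = [900.0]                                   # constructed clock, pre-noon
    q = TicketQueue(open_at=OPEN_AT, clock=lambda: now[0])
    tok = q.issue_invite("someone@example.com")     # constructed address
    print(q.enter(tok))                             # waiting: nothing queued yet
    now[0] = OPEN_AT
    print(q.enter(tok))                             # queued with a cookie id
```

The important property is that `enter` returns before touching any queue state while the server clock is earlier than `open_at`, which is exactly the check the comment above says was missing; whether the client shows or hides a button is irrelevant to the server. The per-window shuffle is one concrete way to implement the "randomization of entry" mentioned above; `poll` and `complete_purchase` both consult the server-side order, so the reloading page carries nothing but an opaque cookie.
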
~~~
djcapelis
Uhm. Shmoocon and Playa Del Fuego sell... what, 2,000 tickets? Burning Man is
selling 70,000 this year. 40,000 were sold in this single sale alone.

That's an order of magnitude difference.

~~~
peterwwillis
The design is scalable to any ticket amount, given enough time and servers.
You accept connections and assign queue numbers and then delay purchasing. You
add randomization of various requests and entry in the queue itself to prevent
gaming or latency-derived unfairness.

I've worked on websites that return hundreds of thousands of dynamic content
pages per second, and you don't even need to do that here: all you need is a
landing page that sets cookies, and then you can take all day to actually
allow people to purchase with the reservation number they've got.

The bug has nothing to do with any of that, though...

------
jessaustin
I've never been to this, and I'm pretty sure I wouldn't want to go. (When I go
to the desert, it's not to be around other people.) However, this whole
authority-obedience-fashion-and-privilege episode seems somewhat counter to my
previous media-driven impressions of the event.

If you want to do something fun in the wilderness with your friends, you don't
need anyone's permission for that.

~~~
ChuckMcM
> you don't need anyone's permission for that.

Except in this case the Bureau of Land Management's (BLM) permission. I spent
a lot of time in Las Vegas and for the most part you just drove out into BLM
land and it was fine. But if you have a group greater than a certain size it
requires permits. The ticket process is a way for them to not exceed their
permit limit of 50,000 people. Doing so would get them banned from getting
permitted in the future.

That said, I'm rather surprised at this point that some tech billionaire
hasn't bought a couple of thousand acres of desert[1] and allowed it to be
run there. But at some point the 'exclusivity' becomes its own value.

[1] Land ownership debates notwithstanding.

------
avalaunch
The title seems off. They haven't been caught yet. Burning Man officials
simply said they will find and cancel the tickets. That seems like something
they might say regardless of whether they actually could do so.

Can anyone explain to me how they could go about determining who skipped the
line and who didn't? I'm curious.

~~~
fWnApHU2PY6CPA
My understanding is that any users who entered the queue between 11:55ish
(when the waiting room appeared) and 12:00 PST (when purchasing officially
started) will have their tickets revoked.

------
joncalhoun
It's too bad Ticketfly doesn't have a bug bounty program. That payout would
have been interesting.

------
cornewut
I wonder if any of the "hackers" will get sued.

~~~
amckenna
Why would they be sued?

------
WorldWideWayne
Why do people need tickets to go out in the desert and have a big party?

Perhaps my thinking is naive here, but tickets seem to run counter to one of
the main principles of Burning Man which is "Radical Self Reliance". If I'm
paying you for a ticket then I must be relying on someone for security.

~~~
amckenna
The tickets pay for several things including the permits to hold the event on
federal land, the setup and cleanup of basic infrastructure, and the
maintenance of basic facilities such as porta-potties.

They publish a great breakdown of where the money goes here:
[http://burningman.org/event/preparation/ticket-money/](http://burningman.org/event/preparation/ticket-money/)

