

Company reaps $25,000,000 hacking TicketMaster & others . . .  - aresant
http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2010/03/01/BAK21C9544.DTL

======
breck
On the surface, this looks ridiculous.

I don't see how this is a criminal suit and not a civil suit. What they did
was clearly against the wishes and TOS of TicketMaster, the MLB, and others.
But criminal? Hardly.

They found a way to buy tickets better than the rest of us.

Why the government is pursuing criminal charges on behest of TicketMaster and
Co. baffles me.

This isn't an industry, and these aren't companies, that I think need a lot of
protection from Uncle Sam.

~~~
jrockway
It's weird. If you went to a store and bought all the apples, the owner of the
store would love you. Do the same thing online, and suddenly you are facing
federal felony charges.

~~~
ramchip
It's not really the online part, it's the tickets part. If you went to the box
office in person and tried to buy all the tickets, they wouldn't let you more
than online.

~~~
olefoo
But if you hired twenty people to go through the line three times each with a
different mustache each time that would be OK?

~~~
jrockway
Sounds like a job for mechanical turk. Have a bunch of people buy tickets, pay
them a dollar via turk, pay the cost of the ticket when you receive it, resell
for profit. Then you are not committing fraud, you are just buying tickets
from your friends that don't want them anymore. "First sale" and all that.

It's clear that TicketMaster doesn't really want to solve this problem. If
they did, they could solve it the same way the airlines did. (Hint: not by
having a captcha on the credit card info page.)

~~~
Maven911
sorry i dont get this..how did the airlines fix people buying all the tickets
for a flight ?

~~~
inklesspen
making it impossible to resell them

------
tdavis
Wow, this is utterly absurd. I'm no lawyer, but couldn't this set a dangerous
precedent that could find people being federally indicted for circumventing
CAPTCHAs and the like?

As far as I'm concerned, a program which automatically purchases tickets
through TicketMaster is more of a feature than a federal crime; the process
for a law-abiding citizen is horrendously convoluted and a complete UX
disaster. Too bad TM gets away with it, thanks to their monopoly.

I've spent enough time in the ticketing industry to know that it's right up
there with "accai berry" and the like in terms of shadiness. Anybody who
thinks StubHub et. al. are "fan marketplaces" is severely delusional; 99% of
all tickets are listed by brokers who do it for a living (most of whom use
less-efficient ways to circumvent TM security, however. That 25MM number is
the only reason this is being prosecuted so vigorously.)

~~~
aresant
At face value definitely seems like it should be civil, not criminal although
I know that components of the "ticketing" business, like scalping tickets on
event sites, can be criminal offenses set state-by-state.

~~~
wgj
"indicted by a federal grand jury on charges..." and "surrendered Monday to
the FBI" definitely make this sound like a criminal case. I agree though, I
wouldn't have thought much about automated purchasing being a federal crime.

~~~
aaronblohowiak
It is the circumventing of security methods and the wire fraud that are FBI
issues, not the automation of purchasing.

------
jfarmer
What? It sounds like they wrote software which automated the buying of tickets
on these sites, presumably looking for arbitrage opportunities.

Hardly "hacking," and I have a difficult time understanding how that is at all
fraudulent. What am I missing?

~~~
Jeema3000
I kinda thought the same thing when I read this. I guess the fraud was that
they intentionally went to great lengths to make it look like individuals were
buying the tickets instead of a single company.

~~~
electromagnetic
Pretending to be someone else to gain profit, is identity fraud regardless of
if you stole a real persons identity or created one.

The reason the FBI is involved heavily is because virtually all identity fraud
is related to organized crime and money laundering, the rest are usually
linked to insurance frauds. Being the first real case of a major identity
fraud online, I wouldn't be surprised if the FBI tries to put their heads on a
pike as an example to everyone else.

Immaterial of what they did it for, identity fraud is taken as an
exceptionally serious crime and as far as I could tell, they performed a
thousand or more 'unlawful identity changes' by operating bots under false
names for illicit means. The one exception to this is the use of a pseudonym
for anonymity, however it's a colossal stretch to claim your bot army are
acting as your pseudonyms for your anonymity reasons.

~~~
xenophanes
How is that a stretch? They wanted to buy a bunch of tickets and not have
anyone know. That's anonymity right there.

------
zackham
Link to the actual indictment, which has a lot more information:
[http://www.justice.gov/usao/nj/press/press/files/pdffiles/Wi...](http://www.justice.gov/usao/nj/press/press/files/pdffiles/Wiseguys%20IndictmentFiled.pdf)

The indictment has lots of interesting technical details about what they were
doing.

Also very interesting and not mentioned in the article is on page 27: 41. It
was further part of the conspiracy that, in or about 2008, having damaged the
Online Ticket Vendors' ability to distribute Event tickets fairly on a first-
come, first-served basis, defendants LOWSON and KIRSCH would establish and
operate Renaissance Events Management ("REM"), a company that proposed to sell
Event tickets on behalf of artists and venues as a competitor of Online Ticket
Vendors.

------
leftnode
There are a few other comments on here who are surprised by this. How is it
really surprising? The two main points:

a. Wire fraud. They probably had some type of fake bank accounts set up or
something to launder the money because they knew what they were doing was
wrong.

b. The tickets were sold at substantially higher prices than on Ticketmaster.
They were able to do this by gaming the system/or cracking the schemes in
place (captcha's) to prevent people from doing this.

c. On a lighter note, they named their company Wiseguys Tickets. That's like
the Mafia naming themselves Mafia, Inc. - "We Handle The Rough Stuff". A name
like Wiseguys Tickets is just asking to be investigated.

~~~
breck
> a. Wire fraud. They probably had some type of fake bank accounts set up or
> something to launder the money because they knew what they were doing was
> wrong.

If they did that, then I can see the point of this case. But I didn't read the
full suit. Anyone?

> b. The tickets were sold at substantially higher prices than on
> Ticketmaster. They were able to do this by gaming the system/or cracking the
> schemes in place (captcha's) to prevent people from doing this.

Nothing wrong with this. It happens all the time. When I was in college when
course registration opened at 6am, the CS majors always "coincidentally" got
their preferred courses more often than other students.

TicketMaster charges an arm and a leg for the "convenience" of buying tickets
online. I'm happy someone was taking advantage of them.

> c. On a lighter note, they named their company Wiseguys Tickets. That's like
> the Mafia naming themselves Mafia, Inc. - "We Handle The Rough Stuff". A
> name like Wiseguys Tickets is just asking to be investigated.

Haha. I thought the same thing.

~~~
lmkg
I just read through the indictment, albeit rushed and IANAL.

a. Through the use of fake email addresses, domains, and IPs, Wiseguys claimed
to be over 1,000 different people. Whether this is against Ticketmaster's TOS
may be immaterial, since the "fraud" charge applies just to the act of
claiming to be someone else, not the use or material repercussions of the
claim (as opposed to a civil suit). There are also a number of cases where
Wiseguys' bots gained access to tickets nominally only available to exclusive
groups, of which neither the bots (obviously) or Wiseguys were a member.

Additionally, many of the ticket purchases were agreed upon ahead of time with
specific brokers, which probably makes the false-identity charges much
stronger. There's also one shell company run by Wiseguys that claimed to be
selling tickets directly from the venue, which it was not.

b. The tickets say they are not allowed to be resold. I do not know the legal
status of such claims, but you agree to those terms before the purchase, which
removes one of the weak points of TOS enforcement.

On the personal side of things, while TicketMaster isn't my favorite company
either, someone grabbing all their tickets to inflate the prices even higher
by adding two additional middlemen doesn't really help things. I consider
Wiseguys to be the scummier actor here.

~~~
breck
Thanks for reading and sharing.

> a. Through the use of fake email addresses, domains, and IPs, Wiseguys
> claimed to be over 1,000 different people.

If this becomes a crime then we're all in trouble. Who hasn't created a test
account using a fake name, etc.? I don't want to be guilty of perjury or fraud
because I created 2 digg accounts.

> b. The tickets say they are not allowed to be resold. I do not know the
> legal status of such claims, but you agree to those terms before the
> purchase, which removes one of the weak points of TOS enforcement.

I think TicketMaster would have been right to not honor these tickets then,
but not sure how this could be a criminal offense.

------
scotty79
Why is that illegal? Apart from acting against somebody's terms of service and
circumventing some protections?

Selling tickets for fixed price is kinda strange idea. They should put up some
continuous auction. Maybe that would better reflect the actual value of
tickets at different moments in time.

------
ShabbyDoo
I can understand how this might be a valid civil matter if the click-thru
agreements were violated (as I'm certain they were). However, the criminal
charges seem bogus.

What if Subway were to offer subs for a dollar next Tuesday with the
stipulation that each customer could only purchase one. And, like Iraqi voting
procedures, Subway would mark customers' hands to prevent them from making
multiple purchases. Let's say I found some solvent that removed the marking
and was therefore able to purchase 50 subs and sold them on the nearest corner
for a profit. Is this illegal?

~~~
electromagnetic
If you're pretending to be another person, and not just reentering another
sotre as Joe Smith then yes, yes it's very illegal hence the criminal charges
here. Wiseguys claimed to be thousands of people to game the system, that
accounts to a thousand charges of identity fraud.

~~~
erlanger
Honestly, if I owned a store I really wouldn't care if you felt like wearing a
different disguise every day as long as you were buying stuff.

------
mattmaroon
I still don't understand why Ticketmaster doesn't just sell all tickets as
dutch auctions with some minimum price. They'd then easily cut out these
brokers in the middle for popular events.

~~~
defen
Because then everyone would have a bunch of taxable income to report. Much
better to distribute the good tickets to your buddies and other insiders who
can sell them on Craigslist for huge profits, tax-free.

~~~
mattmaroon
I think I'd rather pay taxes on $100 than taxes on $50 if I were Ticketmaster.

~~~
defen
I'm suggesting a situation where you pay taxes on $50, with revenue of $100,
vs. paying taxes on $50 with revenue of $50.

------
reynolds
How is this different from automated trading by investment banks? I've written
really basic articles on cracking captchas and this has me considering
removing that content and code.

~~~
ig1
Because automated trading is done on exchanges that permit it, doing it on an
exchange that didn't permit it could expose you to much more serious criminal
financial abuse charges.

------
tbgvi
Interesting, I always thought reCAPTCHA randomly combined words for each
instance. These guys were able to get around it because each CAPTCHA has an
id. Have some people from mechanical turk build a database of responses and
you're set.

Assigning a non-unique id to CAPTCHAs that are reused kind of defeats the
purpose I guess.

------
joshu
Would this even be a problem if tickets were auctioned?

~~~
ntoshev
Probably no. But there is more complex psychology and economics involved:

<http://www.jimmyatkinson.com/papers/ticketscalping.pdf>

------
DougBTX
Ugh, why does almost every paragraph end in "xxx said"? Dull reporting.

~~~
grinich
This is Associated Press Style.

Not all news needs to be a sensational narrative.

~~~
jrockway
Why even bother with English then? Might as well just make it an RDF file, so
it's boring _and_ machine-readable.

------
korch
Holy shit, this hits really close to home! I almost worked for this company a
year ago! No really—here's proof: <http://i.imgur.com/nrGSm.png>

I was a dev at Ticketmaster for 2 years(Perl, blech!), got laid off(during the
worst job market of all time, thanks!), then out of the blue got a call from a
recruiter to interview with this company. They were going by the name "REM",
one of their shell companies. Their office was Beverly Hills adjacent on a top
floor in the AIG building, across the street from the fancy hotel where the
President stays when he's in LA. Snazzy real estate indeed, so they were
obviously making a lot of dough to afford that kind of rent. I interviewed
with Ken, the company owner and primary defendant in the DOJ's doc, for a
little over an hour.

I realized pretty quickly into it that this wasn't a legit smaller indie
ticketing company, but an all out scalper company. Ken did talk too openly
about his operations, so my spidey-sense was going off that it wasn't legit.
Having been in the ticketing industry, I was able to have a more detailed
conversation with him about various practices. It was pretty clear all his
money was coming from scraping TM. I think the first thing he said that set
off my red alarm was "every programmer I have is paired with an off-shore
Romanian programmer who does the work." (My mind's translation: "Uh-oh, run,
you'll be miserable here, at yet-another company that doesn't really get nor
care about software.")

I did find it fascinating to hear about ticketing from the other side of the
fence, after being at TM, where the daily war of attrition against brokers &
bots is permanent and unwinnable, the scalpers attain an aura of mystery &
annoyance. If you sell a lot of tickets, but don't lock down your site with
captchas and go all out with engineering clever session/identity persistence
strategies, the scalper bots of the world will absolutely kill you on traffic,
while continuously holding up your entire inventory, and ruin your real
customer's experience.

After realizing it was a scalper company and deducing that they were making
millions on a startup-sized skeleton team, I thought why the hell not go work
for them, for a few months maybe, it'll be awful (the ticketing industry sucks
to develop in because you can't do anything customers really want), but nobody
else in West LA was hiring and I was desperate that month. The way I see it,
merely scraping a web site violates TOS, not criminal law. I had no idea that
the logistics of this kind of enterprise also involved complex financial
fraud, so I wouldn't have pursued this if I knew that aspect. I figured at the
time that if I was going to do thankless development for a scam company
getting rich off of skimming off of an even bigger unofficial monopolist who
themselves are skimming off from the general public under a blind and
lumbering gov't regulator, who just got rid of my job at the height of all-out
market panic, all in an industry I want to get out of, and in a niche where I
can't be open about anything I do and where loyalty is valued more than my
programming-wizardry, then I better charge those jerks a high price.

So I told Ken I wanted at least $125k/yr and I never heard back from him after
he said he wanted to make me an offer. I figured good riddance, no sense in
getting involved with a crap job if they won't put their money where their
mouth is—company's who talk big are a dime a dozen. However, I was puzzled why
he didn't complete the offer, as everything they were doing was stuff I knew
all about from my time at TM, so I thought I was his ideal candidate. Based on
the DOJ pdf case file, they were making $40 million a year, making my salary
request mere pocket change to them.

As you can see from my linked email screenshot, they weren't looking for any
specific technical skills, but were instead soliciting blind loyalty above
all. If that's the primary skill you need from your devs, then it's another
red flag indicating a pretty bad working environment and crappy development
process.

Ultimately I think he didn't hire me because of something I said during the
interview along the lines of "TM could put you out of business overnight if
they just knew you existed, because scraping simply isn't a technically
feasible solution on a growing scale large enough for it to work
indefinitely." Scam artists hate being outed by smarter people, so I proved I
wasn't a lackey-type. Knowing TM's system, it simply can't be scraped on a
wide scale without privileged insider access(i.e. scalping your own tickets,
ala the Ticketsnow fiasco) without getting noticed and shut down. Plus they
have the greatest security-by-obscurity of any other company I know: there's
an entire 2nd back-end, behind the entire customer facing LAMP stack, of
emulated VAXen running legacy Pascal code originally written in 1982 and left
running since then. Yes, when you buy a ticket from TM, the tickets come out
of a VAX, which is embarrassing as far as "innovation", considering it's now
2010.

I think it's really too bad the DOJ went after these guys instead of truly
fixing the broken ticketing industry. This action by DOJ helps TM more than it
helps anyone else(getting the gov't to kill your competition is sweet deal and
an ancient tactic). I think the DOJ has their priorities backwards. Ultimately
the consumers lose because they pay higher prices for lower quality, non-
innovative services. They knock out one of the little parasites, who's botnet
was probably causing huge headaches for TM, yet allow the LN+TM merger to go
through, creating a whole new type of unfair monopoly. It's forrest for the
trees, man.

Ideally I'd like to see the ticketing market resemble a stock exchange, and
not an airline. I wish some startup would build this site! Every ticket that
can be sold should be publicly listed, so nobody can unfairly profit by having
private information about ticket inventory and price levels. (This ideal can
be proven using game theory with asymmetric information!) There would be a few
more mechanisms to design the right way to balance out the dynamics of the
system and keep it fair, similar to how financial companies are regulated.
Right now TM has a sweetheart deal, getting to play both sides of the
fence—being an unregulated, de-facto market-maker, while not having to make
the same kinds of fair concessions to the pubic in exchange for being allowed
to be a market-maker(such as no front-running like Goldman Sachs).

Also, if on the off-chance anyone out there is thinking about doing something
innovative with ticketing platforms + web + iphone, and if your plan is "crazy
enough that it just might work", and if you're in LA, and if you're hiring,
and if you're using Rails, hit me up! I'm looking for a job! I keep an eye out
for this type of idealized ticketing company. I think it'll be a few more
years until I see it, when some player can get enough leverage to take on
LN+TM, both of whom truly are technical dinosaurs just waiting to get taken
down by a pure Internet company. The real get-rich mystery to solve is what
form that leverage will appear in. Really, the ticketing industry really is
that inefficient, it's like someone left $100 million dollars just sitting
there, for anyone to take, if they can spot how.

~~~
korch
One more thing: reading the linked PDF case file and seeing all the emails
clearly establishing criminal fraud, it looks like this company could have
benefited grealy by the infamous advice:

"Never write when you can talk, never talk when you can nod, and never nod
when you can wink, and never write an e-mail because it's death."

\-- Eliot Spitzer

Spitzer also should have ironically added "and never leave a tangled financial
trail that can be unravelled back to yourself."

------
mos1
The activity described isn't hacking... it's just creating an alternate, more
efficient interface to the website, to increase their ticket purchasing
efficacy.

I wish the article had more details, so I could confirm or refute my suspicion
that nothing was "hacked".

~~~
ig1
Circumventing security measures to make a computer behave in unintended ways
sounds pretty close to the definition of hacking, at least the Computer Misuse
Act has a definition which is close to that.

~~~
izend
"including computer code that was intended to defeat security measures that
online ticket vendors put in place to prevent automated ticket purchasing"

That just describes a bot...

