Reverse engineering Ticketmaster's rotating barcodes

Maybe we could just reduce the patent's duration to compensate for the acceleration of information diffusion caused by the internet in the last few decades. Does that seem reasonable to you?

Has been working but check out the ongoing Ukraine-Russia conflict and the sanctions regarding patents[1]. Russia is now allowing their companies to use patents freely.

1. https://www.morganlewis.com/pubs/2022/04/russian-decree-unde...

Yeah seriously, what patents are we talking about here? My understanding is that reason Ticketmaster is a monopoly is through deals with venues

This is what patents used to do, but the economic and technological circumstances under which they did have changed dramatically over the last couple hundred years. All they really do now is entrench the power of the massive corporations with the capital to buy them up and sue anyone that they think encroach. It's not promoting innovation anymore, it's stifling it.

Patents no longer go to individual people. They go to corporations. Perhaps we should ban corporations from getting patents on behalf of people.

1. If you are first to market and still can't make money off your amazing invention, that might be a skill issue. 2. Patents wouldn't be as forceful if they didn't last that long. A decade or more is basically forever in a fast-moving field like tech.

They have an effective monopoly.

That's the secret.

If nobody used them, they would go away.

See Tickets seems to be on the rise recently, which I've been glad for

I did that for several years. I don't really consider it voting though because nobody is counting the votes -- they still sell out of tickets with higher profits each year.

#1 and #3 are related. They make scalping easy so they get all of their money immediately and can pay event organizers ahead of time. I personally think scalping should be straight-up illegal but business schools loove it and consider it an excellent example of helping with liquidity in a system and finding the true "willingness to pay" price of something.

I guess it depends on your definition of scalper. It prevents mom and pop from reselling their unwanted tickets. If they stopped there and prevented all reselling I'd be fine with that even though I'd lose out on some money in this one case.

But then they literally built a whole platform (link in my last comment) for actual scalpers to resell tickets in bulk. So, they're not trying to prevent scalping, they're just ensuring that only their "partners" can scalp.

Do you work at ticketmaster? Otherwise, how do you confirm this?

The whole point of their system isn't to eliminate the possibility entirely it's to make it impractical to get around for the vast majority of concert-goers, and it clearly succeeds at this.

Recording the ticket with a video is everyone's first thought at defeating their restriction, and is no doubt the first thing they thought of when designing it. Hence, the codes expiring too quickly that you'll need a new video before you get through the line at the entrance of the venue. And messing with videos in a pressured line of people in front of a bouncer, is, as others have said, simply not practical for the vast majority of cases.

So it's kind of irrelevant - practically speaking - that it is possible.

Good luck getting enough signal to play a video stream in a large crowd.

> This still offers a slight increase in security over static barcodes, without introducing any new vulnerabilities

It offers nothing to the user, except taking away their rights, and making it all unreliable

You would hope... But they often run the scanners in offline mode (e.g. at temporary / seasonal events) so there can be lag in the backends being updated.

Heard from a friend who got straight into two events in the same city recently - they presumed the show was at one outdoor venue but the scanners let them straight in at the first (wrong) venue. Went to the correct venue and got in there without any issue too (this suggests one or both venues were offline or using offline scanners).

> they will still be marking the ticket as used in their backend.

I assume that's true, but it makes me wonder how their scanners are connected to the server.

I mean, if 10,000 people showing up to an event with smartphones overwhelms wireless networks, wont that also kick their scanners off the network?

They'd probably like to have a system where, if a scanner loses its connection, it can still validate tickets. It could store a copy of validated tickets locally, and upload it when the network connection is restored - that would mean a copied ticket would have to make sure they go to a different door/scanner. But it would allow copying.

Not a lawyer, but "subverting DRM" (even if it's trivial or really stupidly designed) can be a crime in and of itself in the US under the DMCA. There are a bunch of exceptions to this, so I have no idea if OP's work is actually illegal.

Vulnerability to LN business practices. Not a system vulnerability.

Yup exactly. Some events are pretty bad at opening the doors early. The Brooklyn Nets seem to open 30 minutes before the game, so they need to get 20,000 people through 20 metal detectors in 30 minutes. Every second extra they add to the process is a second you don't have to buy a $25 drink, and that's how they make their money.

We check IDs for flights because airline yield management demands that there be no resale, or business travelers would be traveling on leisure fares.

So even if you don't want to do the ID thing, there are alternatives that you see all over the place (like venmo) Have a rotating QR code seeded with a unique to the user id. Then with ticket master, require a login to buy tickets. Register the tickets to the ID and then do the lookup with a combination of the ticket id, rotating qr code, and the user id.

That requires the admitter device to send the challenge back to HQ, but that shouldn't really be much of a challenge. Tickets then become linked to the user's account (perhaps you allow transfer).

This is effectively what Disney does with their ticketing system, along with at the gate them taking a picture of you so they can confirm "Yes, so and so looks like the photo".

But yeah, all of this is ridiculous on its face as the cheaper and easier solution is ticket plus ID. If you are worried about flow have signs up before check in that say "be sure to have your ID ready before you get to the counter".

The ticketmaster solutions are just bad/half assed.

That is to say, if ticketmater had just done TOPS like the article points out, you'd not need the headache they've created with needing a live internet connection to load your ticket.

> Like, they want to improve the flow of traffic through admissions.

But they in turn greatly degraded the flow of traffic by forcing the use of a proprietary always-online app which fails to load when your cellular connection is less-than-ideal. Verifying a photo ID would probably be faster.

> How can you avoid reselling if you don't verify the original purchaser?

A ticket scalper cannot know the names of the people that will later purchase his tickets. So connecting each ticket to a name prevents scalpers.

except Southwest is easily the most expensive carrier these days and other carriers have also adopted flexibility

hopefully their new changes such as allowing their fares to be indexed will make them close to being competitive at some point. but today you really only get near-competitiveness (it's still bad) if you're going to check both pieces of luggage and have no way of getting free luggage on any other carrier.

even buying and throwing away tickets, depending on your probability of travel, might pay for itself in one trip.

What the hell kind of draconian country forces you to always have an id on you? What if I go running with only my watch on (I’ve regularly done this with no malicious intent)

Recent changes are anything but fair and sustainable. Front section tickets have gone from $120 to auction at $400+ at our local venue.

Can no longer pay cash, have a paper ticket, be anonymous. Those are much more important to me than preventing scalping.

Scalpers out front have provided a valuable service to me a dozen times over the years, when I didn’t plan well.

Any solution (I didn’t ask for) that turns concerts in an international flight experience means they are dead to me.

Age was traditionally checked separately and manually. Not put into a database to be bought and sold and breached.

I assume the main reason airlines require ID (for domestic flights) is to prevent ticket resale, and that "security" is just a convenient scapegoat. And I'm not alone[1].

[1] https://www.schneier.com/crypto-gram/archives/2003/0815.html...

Because we ought to do everything in our power to stop the aggressive onslaught of the surveillance state. We already know TSA is security theatre at best, and the time they’ve wasted already justifies more lives lost to terrorism instead.

Practically, I don’t want Ticketmaster having access to the information on my ID, they already leaked lot of my other PII.

Is your argument that people should be unable to attend concerts/etc without presenting ID? I for one am not a fan of that idea

I've been to many [big, small] well-known, legit shows in the US as a kid who was not yet an adult.

I did not have an ID, and none was required to get in.

All-ages shows are definitely things that exist.

I have never had to show ID to get into a concert other than tiny shows at bars. Every larger venue around here (SF) I’ve been to checks IDs to get a wrist band which lets you buy drinks, but you can just skip that if you aren’t drinking.

You know many details about Italian ticketing systems, are you working in the industry?

That's how trains work (here).

Every ticket must have one name and surname on it, no matter how many passengers it covers. That person must be traveling on the ticket.

You're usually asked for some kind of photo anyway because of discounts, which a very significant percentage of train riders are entitled to.

I think this is because tickets must be both printable and verifiable offline in case the train gets into a spot with no connectivity when the inspector is inspecting tickets.

What if you need to arrive separately? Especially for a big event with tens of thousands of people, can be easier to meet up inside the venue on everyone’s timeline.

Yes this exists, it's called lead booker tickets

I was operating under the assumption that the goal was to replace TicketMaster with an open protocol.

I realize that.

But the point of reading a blog post would be to learn something insightful, to see the reasoning or argument by which the poster came to this particular conclusion. Hopefully with some consideration that I'd not thought of before.

This boils a complicated question with nuance and problems and facets of debate into a rather vapid "I like this answer." of a post. It's not worth anything: I come away from it no richer than when I came.

Like, trivially, someone could write the opposite answer on another blog. And whose answer is right? (They of course need not even bother actually writing it out. A "right" answer is created by argument, not spilled ink.)

The problem is that "bad company" is such a nebulous concept as to be useless, as the JSON license showed with their "shall not use this software for evil" clause.

No matter which company you choose, someone somewhere will find a justification for why they are actually not bad. Weapons dealer? Protecting your nation. Destroying local businesses? "They are just adding efficiency to the market". Kill someone with bad practices? "Still safer than the alternative". Ticketmaster? "The scalpers are giving a subvention for those who cannot afford the real price".

Setting up a straw "bad company" and knocking it down doesn't help anyone on the real problem of people working for unethical companies.

That's their point. They're poking fun at how the OP is speaking in absolutes about something subjective/ opinion based.

So if you think a company is bad you shouldn’t work for them. Perhaps many of the people working for TicketMaster don’t think they’re a bad company.

I ask myself if my company is bad all the time. They don't get a perfect score, but I feel better about this one than any of the previous ones (that's why I'm here and not there). If the answer is ever a resounding yes, I'll leave this one too.

When most of the relevant work around you is in some way related to ICBM's, you either sell your soul early, or you end up with habits like this. By my reckoning, about 80% of technology companies are bad.

Yup. I was just discussing this in another comment that Facebook's emotional manipulation of users without consent is ethical wrong. Some people are replying with eh, everybody does it and for 20,000 dollars people will jump to Facebook.

I think the Leetcode grinding, TC optimizing crowd with no real moral judgment which is the majority in tech right now is another reason why things are falling apart. They will happily work for the KKK if they get a larger RSU package.

Your point about them being at least "sad" about it, is a start I guess.

So, too poor to move means you are evil. Capitalism wins yet again.

> You're the one asking the question, you can provide your own scheme

Well, I'm responding to someone else providing their scheme for everyone else to use.

I honestly don't know how to respond to this, it's too vague.

Good/Bad are consensus votes. Its hard to escape their use just because of how deeply ingrained the programming is. We just think it makes "sense" and is "obvious" because its a meme that is already in our head. There is nothing inherently evil or good about any past/present/future animal on this planet.

That really depends if you ask a neo nazi or not.

Due to chaotic effects of causality, most of us would not exist if any significant event from that long ago had happened differently.

If the answer is yes, does that mean a junior web dev who implements user tracking on a shopping portal is equivalent to Hitler? Or is every who does less evil than Hitler "not a bad person"?

I don't think it's useful to say "Hitler was bad." Hitler did a lot of specific evil acts that are more useful to analyze. If anything, it's counterproductive to say "Hitler was bad," because lots of people do bad things and then say "well, at least I'm not Hitler."

Yep, I've bought 3 laser printers over the past 30 years... 1 about every 10 years, and not because I needed to... because I wanted more features. I've passed the old models down to others and they're still running. Toner never dries out, heads don't need cleaning. I would never buy another inkjet. The only use I can see for inkjet is photo printing, and even then I'd rather get them done at CVS or walgreens unless it is a special size or printing material that they can't handle.

A brother laser can often be had for $100 these days.

Another printer lifehack: Goodwill (which has a 'computer' store near me, they send all the best tech stuff there) sells laser printers of all kinds for like $20-40 and that plus a $20 Amazon non-official cartridge will basically have you set for life for the occasional print job. Since they're heavy, the Goodwill route saves most of the cost compared to eBay, though I did get mine on eBay.

I actually recommend HP but Brother is great too. My current HP is at least 10 years old, and it's the second I've owned. My first was a 2000 vintage which I used from 2005-2017. (Its rubber rollers eventually got dried out and I wasn't as skilled a refurbisher as I fancied myself)

Yup, I use my brother laser printer to print probably 20 pages a year and it’s been going strong for 5 years now on the cartridge that it came with when I bought it on eBay.

You should consider thermal printers like the Brother PJ line. A bit expensive but so small you can put it in a drawer, and no cartridge or toner at all. Just thermal paper, which I run off the same pack since I bought the printer 3 years ago.

For sure. Additional info... many libraries also let you stream movies through kanopy.com, and read/listen to e-books through the app Libby.

I bought a laser printer, I think something around 19 years ago, and it broke before I could finish the toner

As a dev working in big tech, I'm sure they do feel embarrassed, and I'm sure there is jack shit they can do about it. Is that how you feel?

I don't know how many times I've reasonably pointed out why our product is extremely user-unfriendly - backed by evidence from user feedback and endless reddit complaints - but I still get shot down, badly. "Disagree and commit" they say, which is just short for "do what we tell you and shut the fuck up". If you bring up issues too many times, you end being treated like an agitator and they make your life hell. This has remained true for the many different industries I've worked in over the last 17+ years. Software developers are effectively powerless in many organizations.

Everybody has their own personal lines in the sand. People need to work for a living because we're not in a magical, post-need society. Every company has its flaws. Each company has some subjective amount of flaws/sins/evil, and everybody makes their own decision about what they're willing to do for money.

Helping a company use some sleazy dark patterns to make some extra money off of Taylor Swift tickets is honestly pretty mild on the scale of evil software engineering jobs, so I imagine their answer is "I built a system to sell entertainment, now my kids get to go to private school, and I sleep great at night."

Ticketmaster sucks, but it's not like he's working for Palantir, Lockheed Martin, or TikTok.

This sucks because obviously I‘d give them a different email address - just like everyone else. For example with the „login with apple“

OP explicitly states he doesn't want to add the ticket to a google account. Fair to assume they wouldn't want apple either.

No, I have flight tickets autoupdate when there is a delay.

With Google Wallet (the only one I have at the moment), it is not static for the ticket. It has a NFC and barcode option. The barcode changes every 15 seconds for me.

> What is the worst that can happen?

I don't know the worst, but juice is not worth the squeeze in my opinion. If you recall, Ticketmaster was just recently hacked, so the worst pretty much happened in that any data they had collected on their users is potentially been leaked. So if they can't protect that data, then I'm not participating in giving them data.

If anyone is in the situation that they need to put an untrustworthy app on their android device, the "work profile" feature can segment it off further.

Insular is an app that lets you create and manage one of these profiles on the device itself: https://gitlab.com/secure-system/Insular

Maybe you are using a fully open phone, but mine has an OS made by Google and almost every app tracks my location without my consent.

From the AppStore:

Data Linked To You:

Purchases, Location, Search History, Usage Data, Financial Info, Contact Info, Identifiers, Sensitive Info.

Nope Nope Nope.

I mean, that horse has already bolted..

https://www.nytimes.com/2024/05/31/business/ticketmaster-hac...

Sure, I'm just reacting because TOTP is like the textbook example of a system designed to work without interactive access to a networked resource. The whole as TM designed it has crappy affordances, but you could fix that without breaking the design.

Recent experience for a large stadiums event suggests they have fixed the notifications. I got a lot of notifications encouraging me to a) charge my phone and b) download the ticket before arrival.

I first heard of CoWs (cell towers on wheels) from Woodstock '99, when they tried to repeat the debacle of Woodstock '94. (AFAIK, the CoW did not work.)

The idea of cellular networks is simple: Put the "source" of the bandwidth near where the people need it.

The idea of CoWs is also simple: It's the same thing, but it's dynamic and flexible.

---

There was a time in my life when I was using AT&T as an all-you-can-eat LTE provider through a third party as my home Internet access, because reasons (and hear you me, if DOCSIS had been an option then none of this would have happened).

Armed with a hotspot device that had external antenna connectors, band selection, and a Yagi antenna, I found a cell tower that I thought to be about 14 miles away that had consistently good Internet bandwidth. It was a ton better than several other much-closer towers (some only 1 or two miles away), presumably because it had better backhaul(s).

I made quite a study of things to get that dialed in and working reliably. And it was reliable for months. But then: One day, the signal had turned to shit.

So I did the right thing and I drove over to where I thought that tower was, 14 miles out, to have a peek. And the tower was right where I expected it to be.

But there were men actively working on the tower (with ropes and stuff), and a CoW of much-smaller stature was parked there and providing (rather lesser) backup service.

Which, you know: That explained that.

---

They additionally get used some for natural disasters if a tower fails, and also sometimes for other dynamic events like festivals and concerts and such. They're pretty useful when they work, in that a tiny sliver of bandwidth is superior to zero bandwidth. When properly-managed they can reduce contention on neighboring towers so that regular people doing their regular things are less-affected by whatever dynamic event is happening nearby.