- cross-posted to:
- cybersecurity
- cross-posted to:
- cybersecurity
A lawsuit filed in California by concert giant AXS has revealed a legal and technological battle between ticket scalpers and platforms like Ticketmaster and AXS, in which scalpers have figured out how to extract “untransferable” tickets from their accounts by generating entry barcodes on parallel infrastructure that the scalpers control and which can then be sold and transferred to customers.
By reverse-engineering how Ticketmaster and AXS actually make their electronic tickets, scalpers have essentially figured out how to regenerate specific, genuine tickets that they have legally purchased from scratch onto infrastructure that they control. In doing so, they are removing the anti-scalping restrictions put on the tickets by Ticketmaster and AXS.
So Ticketmaster and AXS are suing to maintain their monopoly on scalping?
This is one of those fights where you just hope everyone involved loses. Beyond losing, I’d prefer they all fall into a bottomless pit, but I’m not sure that’s attainable.
I’d
buyscalp tickets to watch that.Nah, I want Ticketmaster specifically to loose. Fuck them.
Scalpers are a problem that transcend Ticketmaster. Heck, they transcend the world of event tickets. Scalpers are a pain in so many areas. Fuck them.
Let’s hope for a long legal flight where Ticketmaster ends up getting broken up, but Ticketmaster drags the scalpers down with them in legal fees.
Jesus, is there any way both sides can lose? Because fuck ticket scalpers, but fuck Ticketmaster too.
I mean Ticketmaster basically are scalpers
Ticketmaster is worse than scalpers.
I’d rather deal with scalpers than this monopolistic bullshit
You’d rather have 2 middle men for your ticket purchase?
I’d rather be able to sell my ticket if I can’t go for at least face value. Ticketmaster sometime won’t let you sell the ticket to another person, or only allows you to sell back to them at 1/10th the face value…just so they can resell it again. Didnt even mention all the convenience fees for all those trades too.
If I had a paper ticket, I could just sell it no problem
Going through a scalper means that the ticket supply is artificially decreased, which pumps up the price. Then you run the risk of your ticket not working when you turn up to the venue.
Not too different from ticketmaster at that point lol
Scalping increases the liquidity of tickets. This establishes a “market price” that can be higher or lower than the face value.
I’m going to go out on a limb and say that at this point Ticketmaster might be one of the most hated company in America.
Eh…
Bank of America, Comcast, Wells Fargo, Amazon, Google…
Just to name a few.
Ticketmaster is in the top 25 for sure.
I miss old-school Consumerist and their annual Worst Company in America brackets.
Most of those have more indirect disgust. They still have some redeeming qualities for their users.
Ticketmaster is almost universally understood to be nothing other than a petty middle man extracting fees for no reason other than they can.
I used to work for Comcast and one time after they had won the “Worst Company in the World” contest two years in a row they sent out a company-wide email telling them to participate in the contest and vote for some other company. Everyone I knew there participated in the contest but we didn’t follow the instructions exactly lol.
deleted by creator
Yah. Pearl Jam spent years in limbo because they thought everyone would join the fight. But no big name artists ever did because no one wanted to rock the boat. During COVID ticketmaster / clear channel/liveNation/ iHeartRadio whatever have continued to consolidate. They own the tickets they own the resell websites they own most of the big venues they can demand merch sales at the venue. If you refuse they can remove you from playing their venues.
At this point it would take 10+ huge artists to final kill this beast. We are talking Taylor Swift / Beyonce big that actually have complete creative control. I don’t even think most top artists have that. They would have to organize everything and they would probably lose union contracts for stage craft and audio, lights, transportation. Basically they would have to start their own ticket & touring companys that outdoor fields and sports areas? and would have to stick it out for years and convince a good majority to stop buying tickets from any place using Ticketmaster.
The big artists don’t fight this because they make more money under the status quo, and Ticketmaster takes all the heat and they can play victim while raking in the cash.
the Cure isn’t exactly huge anymore but they did it. All it takes is the artist to have respect for their fans.
goth bands trying not to take w’s challenge impossible
To them it’s a feature, not a bug.
Fuck ticketmaster. Fuck scalpers also. But ticketmaster are also scalpers so fuck them twice.
Ticketmaster also own Stubhub and provides pre sale services to them before the gen pub gets to even see the tickets
Ticket master (live nation) shouldn’t exist IMO
And there are technical details from the reverse-engineering of Ticketmaster’s ticket format here. tl;dr: it’s two of the TOTP authentication codes you use for 2-factor authentication rolled into a barcode, along with some additional data.
This is equal parts informative and hilarious. Ticketmaster sucks.
The conclusion says it best:
I think we can all agree: Fuck TicketMaster. I hope their sleazy product managers and business majors read this and throw a tantrum. I hope their devs read this and feel embarrassed. It’s rare that I feel genuine malice towards other developers, but to those who designed this system, I say: Shame.
Shame on you for abusing your talent to exclude the technologically-disadvantaged.
Shame on you for letting the marketing team dress this dark-pattern as a safety measure.
Shame on you for supporting a company with such cruel business practices.
Software developers are the wizards and shamans of the modern age. We ought to use our powers with the austerity and integrity such power implies. You’re using them to exclude people from entertainment events.
I absolutely fucking hate Ticketmaster’s way of doing this, because they require access to your phone. And they won’t let me use my normal VPN, or anything that blocks them from having location access. I would rather drive to the goddamn venues–what are about 90 minutes from my home–and buy tickets in person, than to deal with Ticketmaster or AXS “security” measures that attempt to circumvent my security.
While you’re forced to use ticketmaster you can still avoid installing their app via https://am.ticketmaster.com/
When I go to that right now, from my desktop, I get:
"Your Session Has Been Suspended
Something about your browsing behavior or network made us think you were a bot.
What can I do to resolve this?
Try again from a different device or a different location
Ensure you have enabled JavaScript in your web browser
Remove any third party browser plugins that may be running"
This is because I run all my traffic through a VPN, and Ticketmaster isn’t able to harvest information from me that it wants. It expects me to allow them full access to who I am and where I am, rather than just giving me what I’m paying for.
deleted by creator
Yes they’re TOTP codes and Ticketmaster gives you the secret. You do in fact have the ticket.
In the blog post, Conduition explains that, essentially, these tickets work in the same way as two-factor authentication codes in authenticator apps. These are called “Time-based One-Time Passwords,” and can be generated offline (like a 2FA code). Ticketmaster basically shares a secret, unique token with the person who bought the ticket. This token allows the Ticketmaster app to generate a “new” ticket every 15 seconds based on the time of day. Once the device has this token, it is possible to generate the tickets no matter whether it’s online or not. As Conduition found, if you’ve bought a ticket, this token can be extracted from within the Ticketmaster app (or, in some cases, from Ticketmaster’s desktop website), exported to a third-party platform, and tickets can then be generated on that third-party platform.
Normally I LOATHE scalpers.
But for these guys I’m willing to make an exception.
I make that exception for all, I don’t like scalping but I dislike the attack on the ownership right to resell even more.
Weird Situation to be in… I kinda like breaking ticket masters bullshit, but also fuck scalpers. They are the reason you cant resell your tickets, cause they buy up huge blocks of tickets and exploit peoples intense desire to see a show by selling them for 2,4,8x or more for what they would have cost if the consumer could have bought them directly.
Also fuck ticket master too for exploiting their monopoly to turn 20 dollar tickets into 1000 dollar tickets
Its like watching two groups of awful people fight eachother, where the only good outcome is if they end up killing eachother.
Scalpers exploit a lack of supply, the same as ticket master. Normally the answer would be to increase supply but if being in person is important for concerts then perhaps bigger venues or multiple showings isn’t feasible. A culture shift towards something like watch-parties, like football and other sports, may be the answer in the long-run.
Scalpers are a consequence of freedom and perhaps there are good reasons to limit that here but I see it happening in other fields where I think it shouldn’t and wouldn’t want to encourage it (i.e. hardware and software tied to an online account).
Scalpers exploit a lack of supply
Which they create by bulk buying seats, to hold them hostage unless you are willing to pay extortionately inflated prices.
Scalpers are not heros, or good guys. They are people trying to exploit a situation to everyone elses detriment.
deleted by creator
Still, fuck the scalpers, they did this to get more. I’m fine with the hackers as this fucks over Ticketmaster but also the fans
The original reporting by 404media is excellent in that it covers the background context, links to the actual PDF of the lawsuit, and reaches out to an outside expert to verify information presented in the lawsuit and learned from their research. It’s a worthwhile read, although it’s behind a paywall; archive.ph may be effective though.
For folks that just want to see the lawsuit and its probably-dodgy claims, the most recent First Amended Complaint is available through RECAP here, along with most of the other legal documents in the case. As for how RECAP can store copies of these documents, see this FAQ and consider donating to their cause.
Basically, AXS complains about nine things, generally around: copyright infringement, DMCA violations (ie hacking/reverse engineering), trademark counterfeiting and infringement, various unfair competition statutes, civil conspiracy, and breach of contract (re: terms of service).
I find the civil conspiracy claim to be a bit weird, since it would require proof that the various other ticket websites actually made contact with each other and agreed to do the other eight things that AXS is complaining about. Why would those other websites – who are mutual competitors – do that? Of course, this is just the complaint, so it’s whatever AXS wants to claim under “information and belief”, aka it’s what they think happened, not necessarily with proof yet.
although it’s behind a paywall
Pedantic to call it a “loginwall”/“emailwall”?
404’s reporting is so good, if anyone with that caliber of content made entering an email the standard I’d be okay with that. (I used an anonymous forwarding address, specific to them.) I think it’s worth the time setting up a forwarding address & setting filters as necessary to keep their emails out of your inbox if you can’t stand the thought, hope it helps their metrics.
After one of the researchers published their findings in February, brokers tried to hire the researcher to build ticket transfer services for them.
… so they could be silenced by an NDA.
at this point in life I think I already saw all the bands I wanted in concert. I think I can afford to boycot these mfs and stick to local concerts that dont use that garbage company.
Every year we have a local indie music festival run by our city. It’s free, and bands have their albums available for sale there. That’s where I go for live music, it’s way better than those mega bands anyway.
They got some “fuck you got mine” mentality now?
I don’t buy anything on ticketmaster. I won’t install their app.
I still see people I want to see. I just may have to travel to do so.
generating entry barcodes on parallel infrastructure
I guess that reverse engineering itself isn’t illegal, but creating tickets without the real ticket seller’s authorization seems plain fraud IMHO.
I won’t count it as fruad unless they double sell it. It’s only as far breaching the tos.
You bought the ticket. Selling it isn’t fraud.
You’re not creating tickets that weren’t purchased. You’re just transferring them without their permission.
So if I sell my “Dr.” title to you, then that is OK in your jurisdiction?
Well, around here, it is different.
This is the dumbest analogy anyone has ever written.
Sheldon Cooper uses this phrase, too. Every time when he has been proven wrong.
are you seriously using a tv character analogy to defend your point??? buying a ticket doesn’t require any intense academic background lmao