Lie, Cheat, and Steal Your Way To Burning Man

Image: Simon Davison/Flickr (Creative Commons)

“Usually people are hacking to steal things…these people were hacking just to get a chance to spend $400 to get a ticket”

89.3 KPCC radio did an interview with Brian Doherty, author of This Is Burning Man, about the ticket scandal. Listen here.

The media blitz has continued, with MixMag, NY Daily News, Las Vegas Sun, the Bold Italic, NBC Bay Area, the SF Chronicle, the San Jose Mercury News, and hundreds more.

It’s amazing how this narrative is so quickly being spun by BMOrg’s PR machine to “Silicon Valley techies hacked Burning Man and stole tickets from everyone else”, and away from “the ticketing system was not First In First Out and all you had to do to buy tickets was go through Ticketfly’s web site and ignore the queue”. Once again, the Burners get the blame – just for exercising Radical Self Reliance. And BMOrg, rather than accepting responsibility for the unique system they’ve designed and the problems it caused for tens of thousands of their most loyal customers, gets to play the innocent victim.

Despite the story going global, BMOrg haven’t even looked at the report from Ticketfly yet. From SFGate:

While Burning Man organizers confirmed they had been hacked — and that the suspected parties would be stripped of their tickets — they said they needed to see the report from Ticketfly to get into the details. Whether actual hackers posted their exploits on social media was unclear.

“We may have more information later, but Ticketfly is taking the lead on figuring out what happened,” Burning Man spokesman Jim Graham said Monday. “We don’t want to say anything that is incorrect.”

BMOrg confirmed they had been hacked? Not Ticketfly? Hmmm….

I was in at 12:00:56 and didn’t get tickets. Some were there at 12:00:02 and didn’t get them. Others logged in at 12:10 and later and bought tickets. THAT is the biggest problem, and is nothing to do with hackers.

Let’s take a condensed look at the ticket problems, as reported by Burners:

  1. People wrote scripts to connect to the link at exactly 12:00:00
  2. People looked at the source code of BMOrg’s web page and found what the URL would be for the link to the waiting room; entering this URL in their browser meant they didn’t have to wait until the button turned green to get in the queue
  3. Bots were for sale for $750 that automatically bought tickets from Ticketfly
  4. People logged in after the “Pause” and got straight through
  5. People logged directly into Ticketfly, chose Burning Man, and entered their code
  6. People on mobile devices on Verizon got straight through

[if you’re aware of any others, please share]

According to BMOrg, echoed through the world’s media:

200 Burners used sophisticated software hacking techniques to place themselves at the front of the queue

The comments to the WIRED article (and at Burners.Me) have been quite dismissive of the use of the word “hacking” in this story.

None of the numbered examples I listed require any hacking, or any code to be written, although #1 and #2 do require some very basic technical knowledge. So do all these methods get a pass, and there was another hack that we don’t know about? Or is BMOrg trumping up #2 as the scapegoat for all their ticket woes – before they’ve even received the report from Ticketfly? Is this whole story they’re telling simply based on speculation on Reddit? “We found these 200 people in the queue before 12:00:00, they must all be hackers”.

Even if there were more techniques used to circumvent the system, including hacking directly into the servers involved…it does not change the appalling delay between the last ticket being sold, and the 60,000 unlucky Burners in the queue being notified that they were only waiting to make a donation. For that one, they can’t blame hackers.

Meanwhile, tickets are now being offered for $1 million each on Stubhub. No word how many Mistresses of Merriment come with a million dollar ticket…

 

Burning Man Hacked!

image from WIRED

The news of hackers exploiting a “back door” in BMOrg’s new ticketing system broke last week on Reddit. We covered it last Wednesday in Ticket Hell. Now, the story has been picked up by a broader media audience, with stories in WIRED, Computer World, Paste Magazine, CBS Local, and SFist.

WIRED:

Burning Man has practically gone mainstream. The once-fringe desert camping festival is now cultural fodder for The Simpsons and Taco Bell commercials. Celebrities and CEOs routinely attend. So it’s no surprise that 40,000 Burning Man tickets sold out in less than an hour last Wednesday when they went on sale.

But software engineers in Silicon Valley hacked into the Burning Man ticketing system powered by Ticketfly to cut to the front of the queue. Who needs luck when you have engineering skills and you’re willing to use ‘em for your advantage?

…Several engineers and web developers on a Burning Man Reddit thread speculated that hackers were able to create this backdoor after discovering a few lines of JavaScript code on the ticketing website that gave preeminent access to tickets three minutes before they officially went on sale at noon on Wednesday.

“They left code in the page that allowed you to generate the waiting room URL ahead of time,” said Michael Vacirca, a software engineer at a large defense corporation. “If you knew how to form the URL based on the code segment then you could get in line before everyone else who clicked right at noon.”

Burning Man admits the error and says those hacked tickets will be put back up for grabs during the scheduled last-minute sale in August.

[Read the full story at WIRED]

It’s interesting to watch the corporate spin machine in action. Rather than any sophisticated hacking being required, simply entering your code directly into TicketFly seems to have worked. According to hundreds of Burner comments on the Interwebz, clicking the emailed link ten minutes after noon pretty consistently got Burners in to buy tickets immediately, whereas clicking the link a few seconds after noon led to many Burners being stuck in the queue for 90 minutes with no success.

To me, these are the real issues here: it was definitely not First Come, First Served, and it was trivially easy to bypass the queue – multiple methods were used, and most did not require the ability to write code or hack into systems. The focus on these “200 hacker tickets” is smoke and mirrors around the obvious explosion in the number of tickets being listed on the secondary market. Even BMOrg are now encouraging Burners to get tickets and vehicle passes “on the open market”. With software to automatically buy as many tickets as you want from TicketFly selling for a mere $750 – about the profit margin for a single ticket right now – it seems that there continue to be some serious issues with BMOrg’s ticketing system.
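The bypasses Burners reported come down to queue order being decided outside the server's control: a waiting-room URL that could be formed before noon, and a checkout that took a code without a place in line. As an added illustration (not Ticketfly's or BMOrg's code; the class, method names, token format and the opening timestamp are all assumptions), a server-side gate that ignores early joins and only admits signed first-in-first-out positions could look like this:

```python
import hashlib
import hmac
import secrets

SALE_OPEN = 1_700_000_000  # constructed epoch second standing in for "noon"


class QueueGate:
    """Server-side waiting room: FIFO positions bound to signed tokens."""

    def __init__(self, sale_open, key=None):
        self.sale_open = sale_open
        self.key = key or secrets.token_bytes(32)  # never sent to the browser
        self.next_position = 0
        self.positions = {}  # user_id -> position, one place per buyer

    def _sign(self, user_id, position):
        # user_id is assumed not to contain the "|" separator
        msg = f"{user_id}|{position}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def join(self, user_id, now):
        """Issue a queue token, or None if the sale has not opened yet."""
        if now < self.sale_open:
            return None  # knowing the waiting-room URL early gains nothing
        if user_id not in self.positions:
            self.positions[user_id] = self.next_position
            self.next_position += 1
        position = self.positions[user_id]
        return f"{user_id}|{position}|{self._sign(user_id, position)}"

    def may_purchase(self, token, now_serving):
        """Checkout calls this; a request with no valid token is refused."""
        try:
            user_id, position, sig = token.split("|")
            position = int(position)
        except (AttributeError, ValueError):
            return False  # missing or malformed token
        expected = self._sign(user_id, position)
        if not hmac.compare_digest(sig.encode(), expected.encode()):
            return False  # forged or edited position
        return position <= now_serving  # strict first in, first out
```

With a gate like this, the clock check and the position counter live on the server, so what the page's JavaScript reveals about the URL no longer affects who is served first.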

Who would have thought they could make it even worse than the lottery? As BMOrg proved with their Spark movie, perceived ticket scarcity makes a nice story for the media.

WIRED:

The way this year’s sale operated, however, didn’t help to dissipate the resentment. Those interested in purchasing tickets were placed in an online queue as each sale was processed and given a time estimate as to how long they would be kept waiting before they could purchase tickets. The time estimates kept shifting, going from a 24 minute wait, to 46 minutes, back down to 18 minutes, to then “more than an hour,” which might as well have read, “abandon all hope ye who enter here.” At one point, the line was inexplicably “paused” for several minutes, causing another nerve-wracking moment on social media.

This drastic, back-and-forth change in wait times gave those in line the illusion that somehow hackers were cutting in front of them and bumping them out of scoring tickets. Burning Man’s social media team responded by saying that the wait times fluctuated based on how long it took each buyer to complete the purchase. It surely didn’t qualm any anxiety to have used such an unpredictable factor as a counter, instead of a fixed number (“There are 39,999 people in front of you trying to buy tickets”).

See the comments from ZOrg in Emotional Roller Coaster From Hell about why this theory of wait times fluctuating because of some people taking a long time to complete transactions doesn’t add up.

WIRED:

This is not the first time Silicon Valley has been criticized for tampering with Burning Man’s ideals and processes. Last year’s festival garnered unflattering feedback from Burning Man die-hards after venture capitalists, executives and celebrities descended on the desert with air-conditioned camps, personal assistants and other VIP-perks. In recent years, Larry Page, Sergey Brin, Elon Musk, Jeff Bezos and Mark Zuckerberg have all scored tickets to Burning Man.

It seems like now, Silicon Valley is leveraging more than its money to get in front of the line.

[Read the full story at WIRED]

Way to shift the blame to your customers, BMOrg. “Silicon Valley is using its technical might to cheat the system and get Burning Man tickets”: it sure makes a great angle for a story, compared to “some people typed the code into TicketFly”.

Actually it’s BMOrg’s leadership that has been criticized for tampering with Burning Man’s ideals, not Silicon Valley. No-one gives a flying fuck if Zuck brings his P.A., but many Burners do care when some on the Board of Directors are selling $17,000 hotel rooms like it’s some sort of Mega-AirBnB in the desert, and getting an unlimited supply of tickets for their customers and sherpas.

Cancelling 200 tickets will do nothing to fix the problems that occurred in the Directed Group and Individual ticket sales. There is no evidence that it will hurt scalpers, indeed it may even punish some Burners for being radically self-reliant. BMOrg have said they will void these tickets and add them back to the OMG sale – so now there are 1200 tickets left, for 60,000 Burners to attempt to buy in milliseconds on August 5.