Schneier on Security
A blog covering security and security technology.
October 25, 2007
World Series Ticket Website Hacked?
The Colorado Rockies will try again to sell World Series tickets through their Web site starting on Tuesday at noon.
Spokesman Jay Alves said tonight that the failure of Monday's ticket sales happened because the system was brought down today by an "external malicious attack."
There was a presale that "went well":
The Colorado Rockies had a chance Sunday to test their online-sales operation in advance.
Season-ticket holders who had previously registered were able to log in with a special password to buy extra tickets.
Alves said the presale went well, with no problems.
But some people found glitches, such as being told to "enable cookies" and to set their computer security to the "lowest level." And some fans couldn't log in at all.
Alves explained that those who saw a "page cannot be displayed" message had "IP addresses that we blocked due to suspicious/malicious activity to our website during the last 24 to 48 hours. As an example, if several inquiries came from a single IP address they were blocked."
Certainly scalpers have an incentive to attack this system.
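The blocking rule the spokesman describes (several inquiries from one IP address and the address is blocked) is worth seeing in code, because its failure mode is exactly the one fans behind a shared office or campus address would expect. What follows is an added example, not code from the Rockies, MLB or their ticketing vendor; the window, the threshold, the IP addresses and all of the traffic are constructed for the demonstration.

```python
"""Per-IP request-count blocking of the kind the spokesman described,
run over constructed traffic. Added example; not the ticket vendor's code.
WINDOW_SECONDS and MAX_PER_IP are assumed values, not the real thresholds."""
from collections import defaultdict, deque

WINDOW_SECONDS = 60.0   # assumed: sliding window the counter looks back over
MAX_PER_IP = 50         # assumed: requests per window before an address is blocked


class PerIpBlocker:
    """Blocks a source address once it exceeds MAX_PER_IP requests in WINDOW_SECONDS.

    The source address is the only signal the rule uses: it cannot tell 300
    colleagues behind one NAT gateway from one client reloading 1500 times.
    """

    def __init__(self):
        self.hits = defaultdict(deque)  # ip -> timestamps of recent requests
        self.blocked = set()

    def allow(self, ts, ip):
        if ip in self.blocked:
            return False
        window = self.hits[ip]
        window.append(ts)
        while window and window[0] <= ts - WINDOW_SECONDS:
            window.popleft()  # drop requests older than the window
        if len(window) > MAX_PER_IP:
            self.blocked.add(ip)
            return False
        return True


def office_traffic(n_users, requests_each, ip="203.0.113.10"):
    """Constructed: n_users fans behind one NAT address, a few page loads each."""
    t = 0.0
    for user in range(n_users):
        for _ in range(requests_each):
            t += 0.05
            yield t, ip, f"office-user-{user}"


def bot_traffic(n_addresses, requests_each, prefix="198.51.100."):
    """Constructed: one operator spreading requests over many addresses,
    keeping each address at or below the cap."""
    t = 0.0
    for i in range(n_addresses):
        for _ in range(requests_each):
            t += 0.05
            yield t, f"{prefix}{i + 1}", "bot"


def run(requests):
    """Feed (timestamp, ip, client) triples through the blocker.

    Returns (served, refused, blocked): per-client counts of requests that got
    through and that were refused, plus the set of addresses that ended up blocked.
    """
    blocker = PerIpBlocker()
    served = defaultdict(int)
    refused = defaultdict(int)
    for ts, ip, client in requests:
        if blocker.allow(ts, ip):
            served[client] += 1
        else:
            refused[client] += 1
    return dict(served), dict(refused), blocker.blocked


if __name__ == "__main__":
    served, refused, blocked = run(office_traffic(300, 5))
    print(f"office: {len(served)} users served, {len(refused)} locked out, blocked={blocked}")
    served, refused, blocked = run(bot_traffic(40, 50))
    print(f"bot: {served.get('bot', 0)} requests served, blocked={blocked}")
```

With the assumed cap of 50, ten fans behind the office address get through and the remaining 290 see the equivalent of "page cannot be displayed", while a bot that spreads 2,000 requests over forty addresses never trips the rule at all. Keying the counter on something finer than the source address (the session cookie the site was already setting, for instance) would separate the colleagues behind NAT, but does nothing against a client that mints a fresh session per request; the page gives no basis for what the vendor's rule actually keyed on beyond the spokesman's "single IP address".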
EDITED TO ADD (10/28): The FBI is investigating.
Posted on October 25, 2007 at 11:52 AM
I cry BS. They weren't DOS'd, they weren't hacked, they just couldn't handle the load...
I agree. I was getting "page cannot be displayed" intermittently, just like I would if a server was unable to process the request.
I also got the "enable cookies" message a few times. I wonder if that has something to do with the fact that they were forwarding requests to different servers.
And this was doing exactly what the page instructed me to do, waiting for the timer to countdown to 1.
This story reeks of inadequate capacity, not a malicious attack. Moreover, the story makes it sound like they were blocking NAT'd IPs. So much for trying to make a purchase from a school campus, dorm, business, etc. Heck, even some ISPs will NAT segments of their networks. Kind of weird.
The other errors described suggest that the app architects don't have a very good grasp on reality. Telling people to reduce their security zone is insane. It also goes more toward the theory that their design was inadequate.
"Moreover, the story makes it sound like they were blocking NAT'd IPs."
Yet another reason NAT needs to die die die... party-line communications only lead to problems
The Rockies spokesman was asked if they would be pursuing a criminal investigation against the "attacker". His response was that he couldn't "speculate" which sounded like a total evasion, since he knew the only attack was thousands and thousands of people around the country trying to get tickets.
As for the question of blocking NAT'd IPs, I can say for certain that is not the case. The guy sitting in the cube next to me got tickets, while all the rest of us got to stare at connection timeout messages.
Given that online ticket vendors can sell out similar numbers of tickets for a rock concert in a matter of minutes, the fact that it took 2 1/2 hours when they were prepared on the second day makes me believe that they were just horribly unprepared to handle the load and won't admit it.
I also believe it was just heavy load, not an attack.
I had access to 3 consumer (DSL, cable) connections over the period of the second attempted sale on Tuesday. I can confirm that after a given number of hits, an IP was summarily blocked, probably at an upstream router. Moving to another connection, without even flushing cookies, resulted in access again.
Unfortunately, the logic for the router to block an IP was so screwy that it blocked me part way through completing a purchase and I lost the tickets.
The ticketing system for all of mlb.com is outsourced to Paciolan. They run 15 servers (by IP/DNS name) for MLB and all the other venues they offer white-label ticketing for. On day one, purchases for the Rockies were directed to servers 8, 14, and 15. On day two, just to server 3.
Trying any other server resulted in the no-cookie errors, so it does appear to be a handoff-related issue. Further, using those servers was just as slow as the ones you were directed to. This leads me to believe they simply didn't have enough bandwidth to handle the load.
The original claim on Monday, before they started claiming an attack, was 8.5 million hits (not views, just hits) in 90 minutes. Considering most people had multiple browsers, multiple tabs, and hit refresh frequently, it's not hard to believe that one person could run up 300-1000 hits. At 500 hits each, on average, that would be only 17,000 people attempting to use the site at once. I suspect it was far more than that.
I think it's shameful for Rockies management to attempt to cover up their ineptitude with claims of an attack.
Great. Now we have "enable cookies" and set their computer security to the "lowest level" indicating a trustworthy website.
A possibly valid site demands that you lower your guard as much as possible and trust that the other end, and any man in the middle, won't violate that trust. And the World Series website is putting their stamp of approval on this behavior.
I thought it was BS the moment I heard it. They weren't hacked, just completely unprepared. Even if they were "hacked", if it worked then they were unprepared. This isn't selling tickets online to your little sister's dance recital, this is tickets to the freaking World Series. You better have your act together. In this day and age there is NO excuse for blaming being hacked. That is why companies like BT Counterpane exist. If you haven't done due diligence to cover possible attacks and to prepare for the load you would be getting, there is no one to blame but yourself.
My employer put links on the intranet to a pro baseball game where our CEO threw the first pitch. We had enough curious users logging in but not buying tickets that the ticket company blocked our address range. I know we didn't have enough interest to DoS the ticket company.
Ticket scalping firms...I'm sorry, ticket brokers...have specialized software that logs onto venues' sites or services like Ticketmaster when tickets are released to buy the tickets they then scalp.
I can't help but wonder if a 2nd or 3rd explanation other than the Rockies' IT performing like their pitching staff last night ;) is either
a) The ticket seller implemented something that broke the bots and created a traffic storm;
b) The bots themselves were broken and caused something to go haywire.
As someone who was trying to get tickets for the game and following the news closely, I call BS on their "hack" story. Their system simply couldn't handle the load and they needed a scapegoat because fans were angry. It may have _looked_ like a DDoS attack, but that's because there were tens if not hundreds of thousands of people requesting the page. (Isn't that usually a good thing??)
In fact, the only person I know who was able to buy tickets when they went on sale a second time was using 12 windows to try to get in! Those of us that tried to be legit and only use 1 (or 3) never even made it to the ticket selection screen.
Their system was simply underpowered but they didn't want to admit it to fans. I for one was surprised it worked at all the second time.
Yeah, I tried to get tickets along with a bunch of other people at my office. About 2 hours after they went for sale Wednesday our IP got blocked. I ended up trying through a number of cgi proxies, but no dice.
It was probably the worst way I could see to sell tickets. It looked like they had some kind of load balancing application, and if more than X number of connections were getting tickets, you would be thrown out onto a web page with a 120 refresh to check again.
One funny thing: a coworker of my girlfriend's got tickets at around 11 PM that night. Two $250 tickets for the fifth game. Of course, we'll see if she actually gets to use them.
I call BS on the "DoS attack" story. We write software, some of it web based, and it was blatantly incompetence on the side of the ticket company. I took a number of screenshots, showing that the redirects to the actual ticket selling servers (from the countdown pages) would truncate the URL and redirect the user to the querystring, not the actual site.
So, I'd get a browser window with a URL that reads http://ticketcode=gs%3Arockies-st%3A and so on. I have a couple screenshots of this really dumbitude.
Since we are based in downtown Denver, 5 min. from Coors Field, we had a VERY large amount of traffic outbound to the sites (300+ people trying to buy tickets). This is absolutely a "failure to plan". The ticket brokers/scalpers/pimps *may* use software that gives them an edge but supposedly plays nice, but I guarantee there are people NOT using this hypothetical polite software, and instead running what equates to a bot-net trying to achieve the same goal...automate the purchase of as many tickets as possible.
Shameful behavior by the Rockies management. Just because they can't imagine getting THAT MUCH legitimate traffic does not prove it is a malicious attack meant to do harm.
Heck, one might as well invade a sovereign nation because they can't believe their sources of data would have an agenda and misrepresent (or outright fabricate) the facts...
"World Series"? How many countries were involved in the competition?
(hint: the rest of the world doesn't care ... ;-) )
You say "World Series", I say "World Cup". The real tragedy will be when the Americans win the latter event and it doesn't even make the front page in their papers.
It seems that Paciolan will be acquired by Ticketmaster: http://www.ticketrends.com/index.php?...
Ticketmaster, at least, has a track record of being able to handle the amount of traffic generated by major ticket sale events.
You get what you pay for, I guess.
Security problems often occur when people get obsessed with the wrong causes. One example is the rule about liquids on planes. Liquids are neither a cause of terror attacks nor is someone with a water bottle likely to be a terrorist (unlike, say, someone carrying explosives). Eliminating this unlikely source of risk is inconvenient, and wastes resources that could be used for more general solutions.
The Colorado Rockies want their regular fans to be able to buy tickets at a reasonable price. They identified "scalping" as their problem, and set up their own sales system to eliminate it. In fact their problem is that their regular fans are unwilling to pay the market rate for World Series tickets. Because the Rockies focussed on the undesired result (scalping) rather than the cause (artificially cheap tickets) they invested in their own ticket sales system, and found that it's not easy to develop one that can cope with the sales volume.
What they need to do is price their tickets more appropriately and persuade their regular fans to pay these prices. One way of setting appropriate prices is to use an auction system like eBay. The Rockies could actually use scalping to their advantage by auctioning bulk amounts of tickets that would be purchased by retailers and sold to individuals. These retailers (who are presently scalpers) would identify their own customers and use their own distribution system. If the Rockies want to encourage their regular fans to purchase tickets they need to increase the tickets' apparent value to fans (say, by advertising) or reduce the tickets' apparent cost through targeted discounts. For example, fans at non-Series games could receive vouchers good for a refund if and when the Rockies do well in the World Series. Fans might auction off their vouchers but they'd have to attend regular games to get them - and that's what the Rockies want to achieve.
I got the "you don't have cookies enabled" message twice on Firefox 2.x, so I switched to IE6 (bleah) and turned all security off. I never got the cookies enabled message again. In fact, I got no messages shortly thereafter. I assume the 2 cookie messages were my only chances to get tix. Oh well, it's warm in my house, beer is only $1/bottle, and I get to listen to Tim McCarver say the funniest things unintentionally.
I'm not qualified to judge whether the problem was an attack of any kind, the Rockies' ineptitude, or both. I can say, without qualification, that scalpers use specialized software to overwhelm ticket systems all the time. If you don't think that's true I would suggest that you know less about live event sales than you think. That is not to, in any way, excuse any possible incompetence on the part of the Rockies, just to suggest that yes, scalpers are a real problem.
As for Joe's suggestion above that the Rockies institute some kind of bidding system for tickets, well, that sounds like something a scalper would suggest. Which isn't to say that Joe is a scalper, but to say that, given the money made at these events already at the current face value of the tickets, the challenge is to implement some kind of fair system that puts tickets in the hands of fans at face value, not to find a way to shill up bidding. Scalpers are parasites. They add nothing to the product they resell and frequently use less than ethical, if not outright illegal, methods to acquire their "stock".
The answer is simple, make scalping illegal and actually enforce the law.
Is this Soviet Russia or what? I thought the United States was supposed to be a free market society. Set realistic prices for tickets. If supply matches demand, you'll have none of the scalping.
Keeping prices artificially low and then fighting scalping is brilliant marketing: it promotes the notion that major league baseball is still a family event, and that every dad can take their kids to see a game. If tickets are sold at $500 a pop, the public would eventually lose interest, and the house of cards would fall.
@FP: The scalping sites that foxsports links to had tickets ranging from over $800 to $5k per seat (right behind the visitor dugout for the $5k seats). Local news here mentioned someone selling a pair of seats, 6 rows behind home plate, asking price $10k/seat. Yeah, someone will pay it.
@Ice Weasel: the dodge used in FL by scalpers was to sell the tickets as part of an "entertainment package." So your package ran $1k each, with $250/each being the face value of the seats and $750 being the limo ride.
@ice weasel: "The answer is simple, make scalping illegal and actually enforce the law."
That doesn't sound simple at all to me. The only way I can conceive is to make the punishment unjustly severe. I certainly couldn't support that.
As others observe, it would be easy enough for MLB to curtail scalping by raising ticket prices. (Scalping would not be eliminated: scalpers _do_ provide some value, by making tickets available at times and places more convenient to some fans.) If MLB doesn't care about scalping enough to take a simple, legal, just measure against it, why on earth would we want the justice system to care?
"As for Joe's suggestion above that the Rockies institute some kind of bidding system for tickets, well, that sounds like something a scalper would suggest."
Or someone who wanted to buy tickets and was frustrated by the Rockies' sales system. I'm neither: I'm around ten thousand miles away from Colorado.
Let's imagine what an effective anti-scalping system would require. It seems to me that people could buy multiple tickets and sell "guest" spots unless every ticket were tied to an identified individual. So, if you want to invite some friends to the game you'd have to get all of them to commit to attending a game some time in the future, which may or may not be worth attending, and buy tickets on the basis that they'll all be able to make it. What happens to people who buy a pair of tickets and then split up? If they don't want to sit together in frosty silence then one or both will have to miss the game. Without anonymous tickets you can't buy one for your boy/girlfriend du jour, or even present one as a surprise present - what if the recipient can't make it?
And then there's the other big loser - the Rockies themselves. Look at all the money they're losing. If they auctioned the seats they could get many times as much as they do at present. I can't see why they're denying themselves this revenue.
If the whole idea of this system is to let "ordinary fans" buy tickets at below-market prices then let them do just that. As I said in my earlier post, auctions and vouchers ought to work. Suppose each voucher is worth $100 off the auctioned price of a World Series ticket. Attend ten "regular" games and you can probably attend the World Series for free! Or sell the vouchers, buy a nice TV and recliner, and see it at home.
Snark all you like, but given that this world series features the first Canadian to start a world series game, the first Japanese pitcher to pitch in one (at least effectively), and at least as many Latinos as gringos, I'd say a pretty big chunk of the world is involved and cares.
That the games are held in North America doesn't make the Major Leagues any less filled with the WORLD's best players.
Not that you're likely to come back and read these comments at this late date, but there it is.
There is no way for teams outside of North America to participate in the so-called World Series.
Even within North America, it is not about a team's competitiveness. The Major Leagues are a franchise. No matter how good a team is, if it doesn't have a license, it doesn't get to play in the Major League. Compare that with most sports where teams can ascend and descend through multiple levels (local, regional, national) based on performance.
So yes, the World Series is a US national event, and the World indeed doesn't care, as it has no part in it.
The odd American goes to Scotland for log tossing, to Japan for Sumo wrestling, or to Europe for Rugby or Soccer. That doesn't mean that the US cares about those events.
Just a side question... what exactly is ticket scalping? My knowledge of American crime language is leaving me blank there.. ;)
I think it was an attack, targeting their anti-bot CAPTCHA feature, that resulted in DOSing the site.
From the Yahoo report "...the system had been overloaded by powerful computers programmed to constantly generate five-digit codes meant to prove that an actual human is trying to buy tickets."
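The Yahoo description quoted in the comment above (computers constantly generating five-digit codes) describes a bot guessing against a CAPTCHA whose answer space is only 100,000 values. The example below is added here to show why that only works if the server lets a client keep guessing against the same challenge; it is not code from the ticket system or from the Yahoo report, and the attempt cap, the pinned test codes and the challenge-id scheme are assumptions made for the demonstration.

```python
"""Two CAPTCHA verifiers for a five-digit numeric code, run against a bot that
simply enumerates the code space. Added example; not the ticket system's code.
MAX_ATTEMPTS is an assumed value."""
import secrets

CODE_SPACE = 100_000   # five decimal digits: 00000..99999
MAX_ATTEMPTS = 3       # assumed cap on guesses per challenge (hardened version)


class NaiveCaptcha:
    """Issues a challenge and accepts any number of guesses against it."""

    def __init__(self):
        self.challenges = {}   # challenge id -> code
        self.verify_calls = 0

    def issue(self, code=None):
        # 'code' lets a test pin the value; otherwise it is drawn at random
        cid = secrets.token_hex(8)
        self.challenges[cid] = secrets.randbelow(CODE_SPACE) if code is None else code
        return cid

    def verify(self, cid, guess):
        self.verify_calls += 1
        return self.challenges.get(cid) == guess


class HardenedCaptcha:
    """Same codes, but a challenge is single-use and dies after MAX_ATTEMPTS guesses."""

    def __init__(self, max_attempts=MAX_ATTEMPTS):
        self.challenges = {}   # challenge id -> [code, attempts_left]
        self.max_attempts = max_attempts
        self.verify_calls = 0

    def issue(self, code=None):
        cid = secrets.token_hex(8)
        code = secrets.randbelow(CODE_SPACE) if code is None else code
        self.challenges[cid] = [code, self.max_attempts]
        return cid

    def verify(self, cid, guess):
        self.verify_calls += 1
        entry = self.challenges.get(cid)
        if entry is None:          # unknown, already used, or burned
            return False
        entry[1] -= 1
        ok = entry[0] == guess
        if ok or entry[1] == 0:    # consume on success, burn on exhaustion
            del self.challenges[cid]
        return ok


def brute_force(captcha, cid):
    """The bot: try every five-digit code against one challenge.
    Returns the code that was accepted, or None if the challenge never yielded."""
    for guess in range(CODE_SPACE):
        if captcha.verify(cid, guess):
            return guess
    return None


if __name__ == "__main__":
    naive = NaiveCaptcha()
    cid = naive.issue()
    print("naive:", brute_force(naive, cid), "after", naive.verify_calls, "guesses")
    hardened = HardenedCaptcha()
    cid = hardened.issue()
    print("hardened:", brute_force(hardened, cid), "after", hardened.verify_calls, "guesses")
```

Against the naive verifier the bot needs at most 100,000 guesses and on average about 50,000, which one machine finishes in well under a second. With single-use challenges capped at three guesses, each challenge gives the bot a 3-in-100,000 chance, and a correct guess after the cap is refused because the challenge is gone. What remains is the load problem the report itself describes: a bot that fetches a fresh challenge for every attempt still generates traffic, so challenge issuance has to be rate limited too, which brings back the question of what to key that limit on, the same problem the spokesman's per-IP blocking ran into.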
Merriam-Webster defines "to scalp" as "to buy and sell so as to make small quick profits; especially: to resell at greatly increased prices."