Backdoor link to booking page?

[incident]

I'll expand on this because I know it probably needs it. Simplifying some parts a bit here to avoid it getting too techy, but it still broadly holds.

Yes, the server was online and could be accessed via the IP address. That doesn't mean the "door was open" though. Far from it. Going to http://123.456.78.9/ or whatever it was on the day wouldn't have been enough to get you "in".

Try it - https://167.98.14.210/ is one of the servers that glastonbury.seetickets.com currently points to. But going direct to that address you'll hit two obstacles - firstly the security certificate on the server is tied to a domain name, and while that can be ignored the second issue can't. Namely that the server is configured to return the "regular" Seetickets web page unless it has reason to do otherwise - ie. that your browser has specifically told it that it's trying to get to the Glastonbury site.

In other words - you'd have had to actively choose to configure either your Computer (hosts file) or your Browser (modified headers) to lie to the server. So yes - any half competent lawyer could make a case for unauthorised access and if Seetickets chose to interpret it that way, they absolutely could make it stick.

[clarkete]

1 hour ago, incident said:

I'll expand on this because I know it probably needs it. Simplifying some parts a bit here to avoid it getting too techy, but it still broadly holds.

Yes, the server was online and could be accessed via the IP address. That doesn't mean the "door was open" though. Far from it. Going to http://123.456.78.9/ or whatever it was on the day wouldn't have been enough to get you "in".

Try it - https://167.98.14.210/ is one of the servers that glastonbury.seetickets.com currently points to. But going direct to that address you'll hit two obstacles - firstly the security certificate on the server is tied to a domain name, and while that can be ignored the second issue can't. Namely that the server is configured to return the "regular" Seetickets web page unless it has reason to do otherwise - ie. that your browser has specifically told it that it's trying to get to the Glastonbury site.

In other words - you'd have had to actively choose to configure either your Computer (hosts file) or your Browser (modified headers) to lie to the server. So yes - any half competent lawyer could make a case for unauthorised access and if Seetickets chose to interpret it that way, they absolutely could make it stick.

Having a machine on a public facing ip address which someone accesses does not mean that it's been hacked.  Their lawyer would look like a bloody idiot. 

[incident]

10 minutes ago, clarkete said:

Having a machine on a public facing ip address which someone accesses does not mean that it's been hacked.  Their lawyer would look like a bloody idiot. 

I don't know how to put this any other way.

The only possible way to get access to the site via that server during that time frame was to deliberately configure the computer or browser to misrepresent itself. Ultimately, it boils down to that.

While I don't think people doing so were in the wrong as such - and for reasons covered earlier nor do I think there was ever any likely prospect of See cancelling the tickets or taking any action against them - I don't see how anyone can credibly claim they'd not have been legally covered if they had.

[UEF]

How that situation would actually pan out:

See: "Did we make a sale?"

IT bod: "Yes"

See: "Very good"

[gfa]

On this topic, has anyone seen this before? Snipped for AM's tour. I know they are saying 4 tickets per person for whole tour but other artists must have done this before - however i've not seen anyone say this

[dotdash79]

3 minutes ago, gfa said:

On this topic, has anyone seen this before? Snipped for AM's tour. I know they are saying 4 tickets per person for whole tour but other artists must have done this before - however i've not seen anyone say this

If they were that bothered they would do a registration system like Glasto with photo. 

[gfa]

26 minutes ago, dotdash79 said:

If they were that bothered they would do a registration system like Glasto with photo. 

Its a step in the right direction at least

[Supernintendo Chalmers]

1 hour ago, gfa said:

On this topic, has anyone seen this before? Snipped for AM's tour. I know they are saying 4 tickets per person for whole tour but other artists must have done this before - however i've not seen anyone say this

I'd much prefer it if they banned certain secondary sales websites from selling them

[clarkete]

3 hours ago, incident said:

I don't know how to put this any other way.

The only possible way to get access to the site via that server during that time frame was to deliberately configure the computer or browser to misrepresent itself. Ultimately, it boils down to that.

While I don't think people doing so were in the wrong as such - and for reasons covered earlier nor do I think there was ever any likely prospect of See cancelling the tickets or taking any action against them - I don't see how anyone can credibly claim they'd not have been legally covered if they had.

However you put it I would never agree it was "unauthorised access", unless someone did something to get past a level of authorisation or authentication - which in this case they did not. 

 

[parsonjack]

3 hours ago, clarkete said:

However you put it I would never agree it was "unauthorised access", unless someone did something to get past a level of authorisation or authentication - which in this case they did not. 

 

That was my line of thinking also until I considered whether the absence of any level of authorisation or authentication then makes the access 'authorised'. 

Using the analogy of leaving your back door unlocked in error is certainly questionable from a duty of care perspective, but is still doesn't mean that access is 'authorised'. 

[gfa]

10 hours ago, Supernintendo Chalmers said:

I'd much prefer it if they banned certain secondary sales websites from selling them

Not possible

[DeanoL]

With the server thing, I believe the IP address was obtained because the server was advertising it also, that's why people trusted it. You look up glastonbury.seetickets.com and it said it pointed to two IP addresses. For whatever reason the load balancer wasn't working and was sending everyone to a single address. I don't think opting to choose the other address in that case was misuse, as the name server was advertising it as a valid option.

It's kinda like joining a queue and there's a big sign that says "use both lanes" and then when you reach the point where the queue splits in two, there's a guy there with his hand outstretched to the left and everyone is just going down the left queue. In those circumstances, nothing stops you going down the right queue, you'd just be ignoring the signal, having already been explicitly told that either queue is fine to use. 

I'm actually amazed that this whole thing is still so well-known but no-one in the years that followed and especially now has tried to take advantage of it for fraud (directing people to a fake server and stealing card details). I guess you wouldn't be able to replicate the registration system so that would look perhaps too suspicious. But I'd definitely be very wary of anyone promising a workaround during the sale these days.

Edited September 26, 2022 by DeanoL

[Supernintendo Chalmers]

6 hours ago, gfa said:

Not possible

It would be if all the stakeholders wanted it to be.

[gazzared]

8 hours ago, DeanoL said:

With the server thing, I believe the IP address was obtained because the server was advertising it also, that's why people trusted it. You look up glastonbury.seetickets.com and it said it pointed to two IP addresses. For whatever reason the load balancer wasn't working and was sending everyone to a single address. I don't think opting to choose the other address in that case was misuse, as the name server was advertising it as a valid option.

It's kinda like joining a queue and there's a big sign that says "use both lanes" and then when you reach the point where the queue splits in two, there's a guy there with his hand outstretched to the left and everyone is just going down the left queue. In those circumstances, nothing stops you going down the right queue, you'd just be ignoring the signal, having already been explicitly told that either queue is fine to use. 

I'm actually amazed that this whole thing is still so well-known but no-one in the years that followed and especially now has tried to take advantage of it for fraud (directing people to a fake server and stealing card details). I guess you wouldn't be able to replicate the registration system so that would look perhaps too suspicious. But I'd definitely be very wary of anyone promising a workaround during the sale these days.

all sounds a bit tronnie 🤣

 

[K2SO]

11 hours ago, DeanoL said:

It's kinda like joining a queue and there's a big sign that says "use both lanes" and then when you reach the point where the queue splits in two, there's a guy there with his hand outstretched to the left and everyone is just going down the left queue. In those circumstances, nothing stops you going down the right queue, you'd just be ignoring the signal, having already been explicitly told that either queue is fine to use. 

Off-topic, but this reminded me of something that happened to us at the festival this year. My girlfriend and I were queueing for the showers at Kidz Field. We were chatting with the two women behind us, having a good time whilst a group of 4 scouse girls in front of us stood there giving us filthy looks for the hour we were in the queue. When it got to the part where it splits into two queues, it seemed pretty clear to us that they had joined the queue for the right hand queue, so we walked past them and joined the left-hand one. These girls started kicking off at us, saying we pushed in front of them and they were queueing for both. We explained to them that it was clear there were two queues, and they had to choose one. They could go in front of us if they wanted to choose to do so, which they did. The two women behind us took the right hand queue.

Obviously, the two women had managed to go in the shower and come back out again before the scouse girls had even gone in. They called over to us and waved, whilst my girlfriend and I laughed at how the girls' plan had backfired. We weren't even mad that we were still queuing at that point.

[tarw]

46 minutes ago, K2SO said:

Off-topic, but this reminded me of something that happened to us at the festival this year. My girlfriend and I were queueing for the showers at Kidz Field. We were chatting with the two women behind us, having a good time whilst a group of 4 scouse girls in front of us stood there giving us filthy looks for the hour we were in the queue. When it got to the part where it splits into two queues, it seemed pretty clear to us that they had joined the queue for the right hand queue, so we walked past them and joined the left-hand one. These girls started kicking off at us, saying we pushed in front of them and they were queueing for both. We explained to them that it was clear there were two queues, and they had to choose one. They could go in front of us if they wanted to choose to do so, which they did. The two women behind us took the right hand queue.

Obviously, the two women had managed to go in the shower and come back out again before the scouse girls had even gone in. They called over to us and waved, whilst my girlfriend and I laughed at how the girls' plan had backfired. We weren't even mad that we were still queuing at that point.

Why mention that they were Scouse girls?  

[Pinhead]

On 9/24/2022 at 10:05 PM, DareToDibble said:

Would they have been able to though? People would have gotten official confirmation emails from See, booking references, the money taken etc. 

Possibly yes, if they deemed that they had been obtained through non standard means.

[Neil]

On 9/26/2022 at 7:30 PM, gazzared said:

. For whatever reason the load balancer wasn't working and was sending everyone to a single address.

there was no load balancer, just hope that the  two dns entries would cause users to alernate servers.

[UEF]

On 9/25/2022 at 8:33 PM, gfa said:

On this topic, has anyone seen this before? Snipped for AM's tour. I know they are saying 4 tickets per person for whole tour but other artists must have done this before - however i've not seen anyone say this

Government has sabre-rattled before about banning secondary sales (of the most piss-taking types that some of the big ticket sellers use with tickets appearing a little too quickly on them). This is their way of being seen to act before government acts for them, they're not doing it out of the goodness of their hearts.

By the way - what did happen to that legislation/early day motion or whatever it was?

[gfa]

27 minutes ago, UEF said:

Government has sabre-rattled before about banning secondary sales (of the most piss-taking types that some of the big ticket sellers use with tickets appearing a little too quickly on them). This is their way of being seen to act before government acts for them, they're not doing it out of the goodness of their hearts.

By the way - what did happen to that legislation/early day motion or whatever it was?

I'll bet money that its only for this sale and next weeks stadium tour whatever that may be won't have it. AM have requested it and clearly seetickets care a bit more (see haven't got dynamic pricing for instance)

[Oshman]

Does anyone have any clue on IP etc for this week's on sale? TIA

[clarkete]

4 hours ago, Oshman said:

Does anyone have any clue on IP etc for this week's on sale? TIA

No, those years are long since past and indeed it was very rare even then