2024 Ticket Buying Tips

[circus92]

A Ballot is a terrible idea. I can understand some of the logic as to why it may seem fairer, but it would honestly change the vibe of the Festival and not for the better.  @Physical_graffiti and @gigpusher posts explain this better than me.

No system is ever perfect, but the current system is way better than a ballot or heaven forbid ... Ticketmaster.  

[Kellsy_81]

9 hours ago, NorthernSoul52 said:

I ultimately got through in two minutes off a Chrome browser on a split-screen with a Google Doc holding all the relevant details.

Still at a loss as to how easy it was this time.

curious to know what time you logged onto the site to get ready to buy tickets?

 

 

[Gingerfish79]

I think its been said before, but a couple of really wet festivals with lots of mud would probably massively help stop the growth in the number of people trying for tickets year on year.

[gooner1990]

2 minutes ago, Gingerfish79 said:

I think its been said before, but a couple of really wet festivals with lots of mud would probably massively help stop the growth in the number of people trying for tickets year on year.

A few years ago I would have agreed with that but tickets for 2017 sold out in a flash after the 2016 swamp.....

[mjfromthelane]

This might be a stupid question but is there any truth to general location being a factor in ticket success? Me and my GF were talking about how we know a lot of people out of London/the UK who got through this year.

[incident]

12 minutes ago, mjfromthelane said:

This might be a stupid question but is there any truth to general location being a factor in ticket success? Me and my GF were talking about how we know a lot of people out of London/the UK who got through this year.

Nah. Not at all.

[thewomble]

2 minutes ago, Gingerfish79 said:

I think its been said before, but a couple of really wet festivals with lots of mud would probably massively help stop the growth in the number of people trying for tickets year on year.

Fingers crossed for a wet one in 2024 (I only say this as I didn't get a ticket...😅)

Jokes aside I don't know what the solution is and part of me thinks it's mostly luck

I don't like the idea of a ballot as I think you would end up with a lot more people trying to go if it was as simple as signing up to a lottery. Large groups definitely make it seem harder for a single group of 6 like ours was with a couple of extra helpers to be successful, but I don't think I see the problem with it. To be honest going forward it's something I'd consider - haven't in the past as felt a bit awkward joining/didn't understand how the payment situation would work. 

The IT glitch/hack/thing sounds like an absolute nightmare and is really disappointing for people who just genuinely tried for tickets as a normal person with extra devices, followed every tip they could and have no background tech knowledge 😒😒 however in the grand scheme of ticket sales I can't imagine it really made a dent in numbers. 

 

[Scrump]

11 hours ago, kerplunk said:

Well let's just say it wasn't exactly a bed of roses between people who bought tickets which paid for the festival and money to the good causes etc, and people who didn't but thought they were the heart and soul of the party. Especially when people had had their whole tents stolen - that happened a lot. It had got out of hand and become a national sport and there was an obliviousness from some about the threat it had become to the future of the fest. Eavis doesn't mind! Others could see the writing on the wall and it had to stop. And so - arguments and recriminations!

Thank you! Ah ok that all makes sense

 And yet Eavis didn't mind?! Just can't see them being bothered by this situation then tbh. Seems like small fry in comparison despite being something that has understandably upset people.

[angelin]

Are Glastonbury going to do anything about it? They were quick enough to change the sale date. 

[Dusk1983]

Jumping in as someone with experience of setting up and running web servers, the exploit conspiracy theories don’t completely add up. 

Firstly it is relatively trivial to provision new servers/clusters and/or assign new IP addresses. This could be done less than an hour before the sale. Yes, people who actually have the setup and CLI knowledge to interrogate the server can adapt but any pre-shared IPs or files used by the masses would be voided.

Secondly I strongly doubt See would provision servers with a fully wildcard domain name configured, at the very least some sub domains (like Glastonbury) would be excluded via regex, or alternatively every sub domain would be stated explicitly. In other words servers are restricted to certain sites.

Lastly regarding bots, the challenge is there is no time to script and test. Nobody is going to try and code it while the sale is in flight, and all See need to do it change a few HTML elements in the DOM to each year to break your crawler anyway.

Edited November 21, 2023 by Dusk1983

[incident]

6 minutes ago, Dusk1983 said:

Secondly I strongly doubt See would provision servers with a fully wildcard domain name configured, at the very least some sub domains (like Glastonbury) would be excluded via regex, or alternatively every sub domain would be stated explicitly. In other words servers are restricted to certain sites.

They absolutely did.

Presumably, that will change going forward.

[Dusk1983]

2 minutes ago, incident said:

They absolutely did.

Presumably, that will change going forward.

In all my years of working at both highly professional and completely amateur online companies I have never seen a webserver (apache or nginx) set up with a wildcard domain. That is partly because it’s harder to configure and requires regex knowledge to route properly. You have to really intentionally want to do it, which makes no sense when one of your sites is bleeding Glastonbury FFS. Should be a sackable offence in any event.

[stuie]

10 hours ago, DeanoL said:

If the festival don't care about fairness and just want to sell all the tickets,  why do they run a massively complex and costly registration system with photos just to stop touting?

I said they doubt they care about fairness enough to change it to a ballot.

Sure they care that touts aren’t able to profit from their event and they care when See accidentally purge valid registrations. I’m sure they care about these loopholes that were exploited and they’ll jump on See to eradicate them too.

But… part of the appeal of Glasto now is how hard it is to get tickets - they are not going to throw that away, along with all the free media attention that goes with it. Over a few years interest would dwindle and then suddenly you’ve got an event that doesn’t sell out again. 

[Cheesey]

3 hours ago, johnnynodoe said:

I know you didn't state this yourself, but this is bullshit. That's not what's happened at all.

Basically there's a pool of IP addresses in the SeeTickets hostname's DNS record, which tells your computer which IP address to connect to when refreshing glastonbury.seetickets.com, similar to what was shown in a previous post for www.seetickets.com:

The order of these IPs changes on each DNS lookup so that the incoming requests are evenly distributed between the IPs.

It seems that See also have some additional servers which aren't listed in the DNS record, which is sensible. These would be on standby, ready to be added to the list in the DNS record in case any of the "live" pool go down or have other issues. The problem seems to be that for some reason See don't have these additional servers firewalled off while they're not part of the live pool, so they're accessible from the internet - you just have to find them and connect to them, and that's really not very difficult at all.

You can use your computer's "hosts" file to override the information in the DNS record and tell your computer which IP to use for a particular hostname - in this case glastonbury.seetickets.com. So then you just need to play "guess the IP" based on the list of live server IPs - for example, with the list of IPs shown above you might start by trying 31.221.2.85, 31.221.2.86, 31.221.2.87,  31.221.2.93, 31.221.2.94, 31.221.2.95, 31.221.2.96 one by one in your hosts file, and if it connects you're straight in because practically nobody else is using that server.

So nobody really "hacked" anything. See could fix this easily by making those servers inaccessible from the internet until they're needed. I'm sure there are a million ways to achieve that, but one crude way would be a single firewall rule, which would then be removed if/when the server needed to join the pool.

Edited November 21, 2023 by Cheesey

[NorthernSoul52]

1 hour ago, Kellsy_81 said:

curious to know what time you logged onto the site to get ready to buy tickets?

 

 

Erm, about an hour before? I'd say an hour.

[Nobby's Old Boots]

1 hour ago, gooner1990 said:

What if someone entered 5 times under different names and addresses but then got 5 tickets?! 

Presumably a ballot system would mean you're sent a link to buy tickets, so it would be easily exploited as people have suggested - people wouldn't accidentally buy multiple tickets.

Anyone suggesting a queue-based ticketing site either has zero experience using one, or is being very very disingenuous. The amount of times I've been in a queue on ticketmaster, waited for ages to get to the front, only to be booted out to the back of the queue - it happens constantly and I can only imagine how many stories there would be on this very forum with that much traffic headed to the site. Be careful what you wish for in the heat of the moment of losing out.

[kerplunk]

1 hour ago, Scrump said:

Thank you! Ah ok that all makes sense

 And yet Eavis didn't mind?! Just can't see them being bothered by this situation then tbh. Seems like small fry in comparison despite being something that has understandably upset people.

'Eavis doesn't mind' was a common trope to justify it which maybe had some validity when it was on a smaller scale, but like I said it had become a national sport - with Radio 1 DJs announcing when the fence was down on national radio (cheers Jo!).

After the fest in 2000 Michael declared there would be no fest in 2001 and pretty squarely pointed his finger at the fence jumping so that was the end of that trope.

Edited November 21, 2023 by kerplunk

[incident]

48 minutes ago, Cheesey said:

You can use your computer's "hosts" file to override the information in the DNS record and tell your computer which IP to use for a particular hostname - in this case glastonbury.seetickets.com. So then you just need to play "guess the IP" based on the list of live server IPs - for example, with the list of IPs shown above you might start by trying 31.221.2.85, 31.221.2.86, 31.221.2.87,  31.221.2.93, 31.221.2.94, 31.221.2.95, 31.221.2.96 one by one in your hosts file, and if it connects you're straight in because practically nobody else is using that server.

So nobody really "hacked" anything. See could fix this easily by making those servers inaccessible from the internet until they're needed. I'm sure there are a million ways to achieve that, but one crude way would be a single firewall rule, which would then be removed if/when the server needed to join the pool.

The server used in this exploit was not from an adjacent or guessed IP. There was a different pool entirely, that was in active use at the same time for www.seetickets.com and www.gigsandtours.com.

Those servers needed to be accessible from the Internet, in order to keep serving traffic on the "bread and butter" sites. Though yeah they should have been configured in such a way as to reject traffic trying to use the glastonbury vhost.

Edited November 21, 2023 by incident

[DeanoL]

52 minutes ago, stuie said:

But… part of the appeal of Glasto now is how hard it is to get tickets - they are not going to throw that away, along with all the free media attention that goes with it. Over a few years interest would dwindle and then suddenly you’ve got an event that doesn’t sell out again. 

But people are also saying a ballot would make it harder to get tickets... so I'm not sure how the "interest would dwindle" thing would work. I think that's more likely with the current progression of things, to be honest. With a ballot your chance of a ticket might be 1 in 5 or whatever but you'd know you always have a chance. Right now we're already starting to hear "if you're not in a big group, may as well not bother" which will mean more people switch to big groups, which makes it harder for anyone else, and which will lead to essentially reverse touting, where people sell bot/people farms as ways of helping you secure tickets. That's way more off-putting than a system people can actually understand.

[DeanoL]

36 minutes ago, Nobby's Old Boots said:

Presumably a ballot system would mean you're sent a link to buy tickets, so it would be easily exploited as people have suggested - people wouldn't accidentally buy multiple tickets.

Nah you'd just put your card details in when you entered the ballot and if successful you'd get charged. It's a system used by plenty of other events and it works. It's not perfect, has its own issues of course, but no more than the existing system does.

[gooner1990]

Just now, DeanoL said:

Nah you'd just put your card details in when you entered the ballot and if successful you'd get charged. It's a system used by plenty of other events and it works. It's not perfect, has its own issues of course, but no more than the existing system does.

A lot of football matches (i.e tournaments) that I go to use this system.....they tell you the date you will get charged so you know when to have the amount available if successful.

[Cheesey]

12 minutes ago, incident said:

The server used in this exploit was not from an adjacent or guessed IP. There was a different pool entirely, that was in active use at the same time for www.seetickets.com and www.gigsandtours.com.

Ok, that's interesting. I'm pretty sure it was a "guess the IP" game in previous years.

I still suspect this extra working IP was probably found by simply trying See's other IPs, or guessing them based on See's IP allocations etc., rather than someone receiving knowledge from an insider. It only takes one person out of hundreds of thousands to find it.

 

12 minutes ago, incident said:

Those servers needed to be accessible from the Internet, in order to keep serving traffic on the "bread and butter" sites. Though yeah they should have been configured in such a way as to reject traffic trying to use the glastonbury vhost.

Agreed. My main point is that was See's screwup, rather than them being "hacked", or people bypassing any kind of security.

[discgoesmic]

2 hours ago, Simon247 said:

I rememeber the 'hack' that was posted on here one year that all you had to do was take the 's' out of the 'https' at the benging of the booking website and you went straight through to the booking page. That was a happy day, however the hacks are a little more sophisticated now.

 

Yeah, you'd be using a non-secure version of the site. These days most browsers insist on HTTPS but you can often manually bypass it.

[t0paz]

For what it’s worth I’m pretty sure they’ve closed the hole off now.

If you try a host file entry with any of the 5x 31. Or 3x 167. IPs you get the queue page. You only hit the real page when using the correct 13. IP. 
They’ve probably set it to look where you are coming from and if it’s not the correct IP then you get the holding page. I doubt going direct to those IPs for Glastonbury will ever work again.

The workaround was so staggeringly simple in technical terms it’s amazing it ever worked at all. They must be paying peanuts at See to employ these monkeys 

[Nobby's Old Boots]

8 minutes ago, DeanoL said:

But people are also saying a ballot would make it harder to get tickets... so I'm not sure how the "interest would dwindle" thing would work. I think that's more likely with the current progression of things, to be honest. With a ballot your chance of a ticket might be 1 in 5 or whatever but you'd know you always have a chance. Right now we're already starting to hear "if you're not in a big group, may as well not bother" which will mean more people switch to big groups, which makes it harder for anyone else, and which will lead to essentially reverse touting, where people sell bot/people farms as ways of helping you secure tickets. That's way more off-putting than a system people can actually understand.

Presumably this is mostly from people who weren't in big groups who weren't successful.

But we're also hearing that a lot of people who were in big groups weren't successful.

You can pick and choose which side you want to take, but if you take this advice then it's your own fault. I wasn't in a big group and was successful. Had I believed all the people telling me it's impossible I might not have bothered.