2024 Ticket Buying Tips

[assorted]

26 minutes ago, fred quimby said:

Think it would end up being a nightmare for the festival. The group could claim that they knew nothing about someone in the group knowing about this server thing that has been mentioned and therefore penalising them unfairly. Very tricky to prove I would have thought.

I happened to buy for a group of friends on a BT connection I should have cancelled about a month ago as I had changed suppliers ( must do it). The strange sounds I made when through should never be heard by anyone.

I work there so was trying for friends.

Based on what smarter than me people wrote in this thread, it was a server not meant to be used, so all the tickets bought fraudulently should be evident as they were all bought from the same (backup? Private?) server. 

Proving that the other members of the ticket group understood the buyer was using an unauthorized server to get the tickets I agree can be proven only by God and probably MI5, who should absolutely be enlisted. 😉  

My hands were shaking so violently when I was typing in the credit card both times it was frankly embarrassing for a grown adult human. 

[eatingglitter]

20 minutes ago, assorted said:

My hands were shaking so violently when I was typing in the credit card both times it was frankly embarrassing for a grown adult human. 

My resting heart rate is usually about 68bpm and this was 2 minutes before kick off, so shaking hands is totally understandable!

 

 

Edited November 21, 2023 by eatingglitter

[Simon247]

For those who missed out and are angry and upset (understandably) about people who used the 'hack' to get into the main site - if you seccured tickets via a friend who got them for you during the sale and afterwards said they used the hack - how would you feel?

I'm interested to know and I ask this as someone who got tickets through standard refreshing. Prevously I have missed out a few times in the general sales but got them through a secret resale and the main resale once. If I hadn't I would have done my best to try and work there instead. 

[hoopy67]

54 minutes ago, Simon247 said:

For those who missed out and are angry and upset (understandably) about people who used the 'hack' to get into the main site - if you seccured tickets via a friend who got them for you during the sale and afterwards said they used the hack - how would you feel?

I'm interested to know and I ask this as someone who got tickets through standard refreshing. Prevously I have missed out a few times in the general sales but got them through a secret resale and the main resale once. If I hadn't I would have done my best to try and work there instead. 

For me, it's a case of hating the game rather than the player. I know of at least 30-40 groups (friends of friends) who got tickets using the hack. In fact, one of my actual friends was in one of these groups where their friend got in 5 times because of it!

Most people would have jumped at the opportunity to get a ticket so easily. Therefore, I'm not really annoyed at any individual who did it.

 

I do think this will have consequences though. SeeTickets/Glasto won't release a statement on this due to the potential for bad publicity, so people won't be warned about the dangers about messing around with files on their computer in this way. Let's be honest, most people blindly followed these instructions and didn't actually understand what was going on.

 

This creates potential for people to circulate similar instructions in a future sale. But instead of helping you get Glasto tickets, it will take you to a fake site where your card details end up getting stolen.

[NotAnInsider]

43 minutes ago, hoopy67 said:

This creates potential for people to circulate similar instructions in a future sale. But instead of helping you get Glasto tickets, it will take you to a fake site where your card details end up getting stolen.

That's quite a big risk actually - I hadn't thought of that. Now the idea that changing files on your machine to get tickets is out there and effective its not a big stretch to imagine scammers creating a fake booking page and sending people to it. In the desperation for tickets I can guarantee people will fall for it.

The PR fall out from that would be huge. They might be better off acknowledging the issue now and making an example of those who purchased 50+ via the exploit and taking a firmer stance in the future.

[billum]

Yes, if See just issued a statement saying that they're aware of the issue, and though they won't be taking action against those who used it this time, in future sales they will detect and void all sales that weren't on the official 'blessed' servers after they've gone through

They might well never actually do this, but the threat of it could be enough to put potential host-hackers off

(or they could just configure those extra servers to not process Glastonbury tickets and then at least this hack is rendered void)

[Cheesey]

10 hours ago, assorted said:

it was a server not meant to be used, so all the tickets bought fraudulently should be evident as they were all bought from the same (backup? Private?) server. 

It wouldn't surprise me if they don't even know which transactions occurred on that server.

 

2 hours ago, hoopy67 said:

This creates potential for people to circulate similar instructions in a future sale. But instead of helping you get Glasto tickets, it will take you to a fake site where your card details end up getting stolen.

Yes, that would be easy peasy. Essentially a self-inflicted DNS spoofing attack.

 

10 minutes ago, billum said:

Yes, if See just issued a statement saying that they're aware of the issue, and though they won't be taking action against those who used it this time, in future sales they will detect and void all sales that weren't on the official 'blessed' servers after they've gone through

All See really need to do is fix the problem at their end to make this impossible. It really shouldn't be very difficult.

[Aragorn]

I had quite a strange experience trying for friends - using a link that was on here somewhere I got in at 08:58am to the enter registrations page.  Put them all in but then a message appeared saying tickets not available until 9am and the confirm button was greyed out.

At 09:00am I refreshed and the confirm button became live - so I clicked but got put back into the holding page.  I went back and forth a few times to the enter reg page and clicked confirm but no joy.  Assume it had not allocated a session cookie to me as I got through pre 9am but I am not technical in this area though have some understanding.  

[Aragorn]

I am presuming this IP hack was someone in the know giving out the direct server addresses which sit behind the load balancer at see? 

[incident]

7 minutes ago, Aragorn said:

I am presuming this IP hack was someone in the know giving out the direct server addresses which sit behind the load balancer at see? 

Nah. These servers were aside from the load balancer.

I figured it out for myself (albeit too cautious to use it when others tickets were at stake) pretty easily based on observation and very basic investigations. If I could do so, it's no surprise others did. Probably a fair few people independently figured it out in all honesty.

If someone who understands the basics of DNS, then once they realise or guess that See configure all their servers the same way and that their other sites aren't being affected by the Glastonbury demand, the rest is pretty easy, just a case of joining the dots. No inside knowledge would have been needed.

Edited November 22, 2023 by incident

[Gnomicide]

I can't see SEE acknowledging this any time soon, there would just be more outrage. The complaints on social media have mainly been about the video that went out of the fella supposedly going back in and purchasing more tickets, as far as I know it's not been proved if that genuinely worked or not. Huge swathes of people will not be aware of the whole IP hack thing, so if SEE mention it, they are opening themselves and the festival back up to more grief.

Perhaps before the resale, Glastonbury will put something in the FAQ/T&Cs that if people are found to have accessed tickets through unofficial routes, they will be cancelled. 

[incident]

3 minutes ago, Gnomicide said:

I can't see SEE acknowledging this any time soon, there would just be more outrage. The complaints on social media have mainly been about the video that went out of the fella supposedly going back in and purchasing more tickets, as far as I know it's not been proved if that genuinely worked or not.

While I could only be 100% sure if I'd been sat in the room with him. I'm 99% confident that bloke had implemented the DNS exploit, so he was getting a "new" session each time he went back in, it's just the server he was hitting wasn't busy. If he'd done the same thing on the "real" server, it wouldn't behave like that.

But yeah very little chance they acknowledge this happened unless chatter gets loud enough they feel they have to - and at this point, with the dust settling, the chatter probably isn't going to get any louder than it already has been.

[t0paz]

18 minutes ago, incident said:

Nah. These servers were aside from the load balancer.

I figured it out for myself (albeit too cautious to use it when others tickets were at stake) pretty easily based on observation and very basic investigations. If I could do so, it's no surprise others did. Probably a fair few people independently figured it out in all honesty.

If someone who understands the basics of DNS, then once they realise or guess that See configure all their servers the same way and that their other sites aren't being affected by the Glastonbury demand, the rest is pretty easy, just a case of joining the dots. No inside knowledge would have been needed.

I think the reason it became widespread this year is because those IPs had only previously been assigned to seetickets.co.uk which is less likely to be spotted. This year they were assigned to seetickets.com so easier to notice.

While they’ve closed it off for Glastonbury it still works to use the IPs not in use for the main seetickets site, so next time there is a Peter Kay sized sale going on, the main site queue can be bypassed in the same way.

[DeanoL]

12 hours ago, assorted said:

Oh wow! Thanks for the clarification.

I’ve been so busy being annoyed by the server exploit people were selling access to I didn’t mention how I did.

16 of us. All using different strategies, some multiple devices, some just one, our group is located anll over the world. Only one got to a reg screen Thursday but they crashed out. 

Sunday only I saw a reg screen of the 16, I never have in 4 prior sales. I was using 3 devices, two on VPN using auto-refresh (neither saw a thing) and my laptop (my fastest device) using no VPN that I was manual refreshing every 2 seconds. My laptop was the one that got through.

But that's behaviour that See Tickets explicitly asked people not to do:

Whereas they never asked people to stop using that secondary server. 

I 100% agree the server should have been configured properly so it wasn't able to sell Glasto tickets, but it wasn't, some people figured it out, got on to it, and it sold them tickets. At no point were they told "you're not allowed to do that". So the idea they should have their tickets cancelled is unfair.

Whereas having multiple devices and windows? See Tickets tweeted to ask people not to do that and Glasto also retweeted it. Should we cancel your tickets because you ignored that. No of course not. You probably didn't even see it. But equally the people using the secondary servers never saw anything telling them not to do it either.

[MKBAB]

Does the Secret Resale still exist? I got my tickets in 2015 thanks to that. 

[stuie]

Just now, MKBAB said:

Does the Secret Resale still exist? I got my tickets in 2015 thanks to that. 

No - in recent years they've been offered out to friends and family of crew.  If you know anyone like that, they may be able to get your registration number whitelisted to purchase a ticket at full price, nearer the time. 

[gooner1990]

7 minutes ago, DeanoL said:

But that's behaviour that See Tickets explicitly asked people not to do:

Whereas they never asked people to stop using that secondary server. 

I 100% agree the server should have been configured properly so it wasn't able to sell Glasto tickets, but it wasn't, some people figured it out, got on to it, and it sold them tickets. At no point were they told "you're not allowed to do that". So the idea they should have their tickets cancelled is unfair.

Whereas having multiple devices and windows? See Tickets tweeted to ask people not to do that and Glasto also retweeted it. Should we cancel your tickets because you ignored that. No of course not. You probably didn't even see it. But equally the people using the secondary servers never saw anything telling them not to do it either.

People seem to have no issue with posting photos of their set up all over social media, 3 laptops, 2 phones etc etc or going on about how they had 20 people trying for them but then get annoyed when someone else worked out a 'hack' 

As you say the festival organisers and the company ticket sellers tell everyone not to do that but pretty much everyone ignores it.

[incident]

2 minutes ago, DeanoL said:

But that's behaviour that See Tickets explicitly asked people not to do:

Whereas they never asked people to stop using that secondary server. 

I 100% agree the server should have been configured properly so it wasn't able to sell Glasto tickets, but it wasn't, some people figured it out, got on to it, and it sold them tickets. At no point were they told "you're not allowed to do that". So the idea they should have their tickets cancelled is unfair.

Whereas having multiple devices and windows? See Tickets tweeted to ask people not to do that and Glasto also retweeted it. Should we cancel your tickets because you ignored that. No of course not. You probably didn't even see it. But equally the people using the secondary servers never saw anything telling them not to do it either.

I'm not calling for tickets to be cancelled. In all honesty it's probable that I would have done the same thing if it was only my ticket at stake. But if See did go down that route they'd have every right to do so.

I don't agree that there was any need to state "you're not allowed to do that". There should be no need to state "You shouldn't manually set your computer to override the default server config". In much the same way - if you found your way into a government system, because they'd forgot to change the default password or some other elementary misconfiguration that should never have been the case, then "well, it was easy" and/or "there was no warning" wouldn't hold up as any kind of defence.

[stuie]

14 minutes ago, DeanoL said:

But that's behaviour that See Tickets explicitly asked people not to do:

That tweet was one of the most pointless tweets of the year. 

As if everyone was about to turn off their extra devices and start shutting tabs down 😁

[DeanoL]

3 minutes ago, incident said:

I'm not calling for tickets to be cancelled. In all honesty it's probable that I would have done the same thing if it was only my ticket at stake. But if See did go down that route they'd have every right to do so.

I don't agree that there was any need to state "you're not allowed to do that". There should be no need to state "You shouldn't manually set your computer to override the default server config". In much the same way - if you found your way into a government system, because they'd forgot to change the default password or some other elementary misconfiguration that should never have been the case, then "well, it was easy" and/or "there was no warning" wouldn't hold up as any kind of defence.

Those are different. Passwords are a security system. If you login using a default password and login, you're essentially impersonating someone. The act of logging in is an act of declaring "I am this person and have these credentials for this system".

This isn't that. This is just telling your browser to access a publicly accessible server. It's not a "hack" - the HOSTS file in Windows isn't some fancy thing you're not meant to touch, it's a tool, put in by the designers of Windows, to allow you do *exactly what people were doing*. They're using it exactly as intended.

Accessing a publicly available server and using it for the purpose it was designed for (buying tickets) seems fair to me. If the server didn't want to sell you Glastonbury tickets, it could have been set not to sell you Glastonbury tickets.

On the other hand, as I say, if someone posts on social media that got in 3 devices trying and can be traced, do See have every right to cancel those tickets as well? Because in that case, they're specifically doing something they've been told not to do by See Tickets and the festival. That would be ridiculous, but it's far easier to justify that being a rule-breaking act than the server workaround.

[DeanoL]

2 minutes ago, stuie said:

That tweet was one of the most pointless tweets of the year. 

As if everyone was about to turn off their extra devices and start shutting tabs down 😁

It reveals a lot though, I think, about the intent of the festival and what they want to ticket buying experience to be, which is what we've discussed a fair bit here. They want one person per device with one tab. That's obviously nowhere near what happens, but when discussing alternative systems it's interesting to consider what systems get closer to that ideal.

[stuie]

5 minutes ago, DeanoL said:

It reveals a lot though, I think, about the intent of the festival and what they want to ticket buying experience to be, which is what we've discussed a fair bit here. They want one person per device with one tab. That's obviously nowhere near what happens, but when discussing alternative systems it's interesting to consider what systems get closer to that ideal.

They have two choices - a genuine queue or something you can refresh the sh*t out of. 

If it's the latter, people will do what they do. 

(I'm ignoring the potential third choice which would be a ballot for all of the reasons mentioned yesterday)

[Skip997]

25 minutes ago, stuie said:

No - in recent years they've been offered out to friends and family of crew.  If you know anyone like that, they may be able to get your registration number whitelisted to purchase a ticket at full price, nearer the time. 

This year was the first time our crew weren't offered "friends and family" tickets.

[incident]

Just now, DeanoL said:

Those are different. Passwords are a security system. If you login using a default password and login, you're essentially impersonating someone. The act of logging in is an act of declaring "I am this person and have these credentials for this system".

This isn't that. This is just telling your browser to access a publicly accessible server. It's not a "hack" - the HOSTS file in Windows isn't some fancy thing you're not meant to touch, it's a tool, put in by the designers of Windows, to allow you do *exactly what people were doing*. They're using it exactly as intended.

Accessing a publicly available server and using it for the purpose it was designed for (buying tickets) seems fair to me. If the server didn't want to sell you Glastonbury tickets, it could have been set not to sell you Glastonbury tickets.

On the other hand, as I say, if someone posts on social media that got in 3 devices trying and can be traced, do See have every right to cancel those tickets as well? Because in that case, they're specifically doing something they've been told not to do by See Tickets and the festival. That would be ridiculous, but it's far easier to justify that being a rule-breaking act than the server workaround.

Sorry, but no.

My basic point is that "this is not an approved way in" does not need to be signposted.

Give me an honest answer here - if See did hypothetically cancel tickets on the basis of using this exploit, and someone challenged it - which way would the court side?

Now answer the same question, but for multiple devices.

[stuie]

8 minutes ago, Skip997 said:

This year was the first time our crew weren't offered "friends and family" tickets.

That sucks. My best mate works for FMS and he was asked to provide 2 registration numbers which were whitelisted for purchasing tickets at full price. The email did say not to share information about the offer on social media though 😂