Remember when Aaron Schwarz didn't break the CFAA, or hack into any other person or organisation's private data, but was nonetheless brutally assaulted by the government until he committed suicide?
Then here's Ticketmaster caught literally hacking into their competitors systems and they get a slap on the hand. No one going to jail, no one becoming a felon, no one's life ruined.
I’ve said this before and I’m more convinced of this now: the cfaa is unsalvagable and must be completely repealed/scrapped. All of it. No half measures.
It does nothing to stop what matters: corporations or nation states. Horrible corporations like LinkedIn try to use it. Having the CFAA is literally worse than not having any laws about this. Not only must WE repeal it, the US must go around the world helping people understand that other countries must not enact or must scrap such laws.
What are passwords if not difficult to guess strings? It’s usually safer to create a link with 32 random characters than letting users come up with their own passwords such as „qwer1234“.
I disagree. There’s a reason why security by obscurity gets a bad rap. Browsers generally treat passwords as sacred — not saving or logging them unless the user explicitly asks. On the other hand, the URL bar gets saved to history, sent as a referrer when links are clicked (in some browsers), might be sent to an external server by the browser or extensions, etc.
I agree with the part about an URL being less secured than a password. However, it's not security by obscurity. It's just less secure and more convenient. But the URL scheme merely grants you access to a ticket, not the whole account, so the potential damage is negligible.
32 random characters (192 bits of entropy if you assume base64) is a lot more than just "difficult" to find. I'm pretty sure that is not what the article meant by difficult to find pages.
99% of security issues are silly and avoidable in retrospect. I don't think an insecure direct reference (assuming that's what is meant) is really all that different from most XSS, SQLi, etc
If we’re gonna go after pentesters (coalfire), or pursue people for copyright infringement, we have to go after people who deliberately commit crimes and corporate espionage. This is no different to breaking or sneaking into a competitors facility and stealing their documents. Assembling a spreadsheet of artists using public data is different, but straight up corporate espionage with stolen creds is absolutely unacceptable and should result in criminal penalties for the company and its directors.
There are countless names of “hackers” that have sat in prison and are currently sitting in prison for lengthy terms regardless of their intent. A Ticketmaster exec should have to do the same.
Ticketmaster has no hands and cannot act. Some human being, or set of human beings, did this, and some federal prosecutor declined to bring CFAA charges against those people who committed those crimes.
There are two sets of laws in that country: those that apply to them, and the other set that applies to you.
Prosecutors end up deciding who the law applies to. That they have so much leeway is the source of these issues. But we also need other parts of the justice system to bend and morph to the issue, otherwise it is just a big heartless machine has to be coded for every possible input.
Journalism is dead. I am at the point where I don't believe any headlines anymore. It's either willful manipulation of the facts, clickbait, or just plain stupidity on the part of the writer/corporation behind the article.
Yes, the "newspaper of record" is such a joke - just as laughable as Cuomo receiving an Emmy. Bunch of self-dealing slimebags.
Group-think and blind zealotry have gotten so bad there, even the few pieces of actual journalism they put out are tainted with it. Hard to trust anything they say when you know how many lies they've pushed in bad faith.
I used to write bots against TM back in the day, loads of folks were. The whole industry around ticking (and secondary!) is crazy, and OMG! fees on everything!
Surprised it took so long for one of the dirtiest players to get a little slap on the wrist.
>Ticketmaster apparently lost access to the system by 2015, the same year CrowdSurge merged with Songkick. Songkick sued Live Nation and Ticketmaster for violating antitrust laws. But it soon sold or shut down its services, and in 2018, it accepted a $110 million settlement — plus an undisclosed sum to sell some of its remaining assets to Ticketmaster.
>Ticketmaster expressed satisfaction with the outcome in a statement
>save for exploratory divergent forays in case the situation has changed
Sometimes, crime does pay. So there's a risk-reward strategy to being the kind of person prone to commiting crimes.
Two years ago, doing X might have been a net negative; now, maybe due to police cuts etc. it's viable. But it's hard to know this in advance; to find out, someone has to walk the territory.
Companies are packets of assets and obligations. Liquidations usually involve shareholders pulling the plug. If the shareholders want the company to keep going but the government doesn’t, when you liquidate the assets, the old shareholders will simply re-purchase them and re-hire the same (or a similar) team. Not a lot done except hosing creditors and enriching lawyers.
Okay, so you ban former shareholders from buying. Who is most likely to be able to do the fire sale diligence? A competitor. Now you have a policy that promotes industrial concentration.
Fine, ban competitors. At this point, few deeply knowledgeable about the assets can bid. In most cases, a deep discount bid will take the cake. So a wealthy person will get assets at a discount from pension plans and individual investors.
Applying concepts like a “death penalty” to legal fictions is emotionally satisfying but economically dubious. I am actually surprised it hasn’t been suggested as a solution by large-company lobbyists. It creates lots of legal work. A back door for wiping out debts. And it enriches wealthy clients while sidestepping real consequences.
Shareholders, who the Board of Directors claim to be beholden to, would lose everything. The company would get liquidated to the highest buyer. Shareholders would be incentivized to not support crimes or strategies that would lead to corporate execution and Board members would be legally bound and liable if that happened.
It doesn't support industrial concentration. All the company needs to do to avoid executation is to not commit the most egregious crimes. Is that really such a hard ask? No, it isn't.
> The company would get liquidated to the highest buyer
Who do you think gets the liquidation proceeds? If not the shareholders, one, that’s expropriation, which rule-of-law countries try to avoid. And two, that’s easier achieved with a fine.
For businesses requiring a license, suspending licenses could kill a business. Otherwise, “death penalty” is, at best, an expensive way to levy a fine and, at worst and most likely, inchoate.
OK, shareholders might get some proceeds after secured and unsecured creditors, but as I am sure you're aware, share prices are generally a multiple of book value. With a corporate death penalty, the net present value of the expected future earnings of the company is 0.
A fine can be paid and the organization simply continues. But the point of the corporate death penalty is that the organization ceases to operate; executives and board members lose their plum positions in ignominy; shareholders lose enormous value; and the rotten people and incentive structures in the organization are scattered into the wind.
I'm not sure why liquidating the assets is taken as given.
I would be much more amenable with the idea of destroying them.
Any trademarks are revoked, any copyrighted works are now PD, etc.
Physical assets are destroyed and put in landfills. If they own a building, tear it down, make it a park.
It doesn't sound to me like any settlement Ticketmaster could make with the company they hacked should prevent an anti-trust investigation continuing. If Ticketmaster used anti-competitive tactics it is not just other companies that suffered a loss, it was also the public.
This was a settlement with the US Department of Justice, which apparently believes a $10M fine adequately protects the public. One wonders if the timing of this announcement is coincidental.
Protect the public? If anything the public needs protection from ticket master ands it's crime syndicate.
I just noticed that the word "master" is in ticket master. With every one renaming git branches etc. why hasn't ticket master been attacked for its "racist name"? Not that I personally give a shit.
Ticketmaster is really good at being evil. If professional sports teams with government protected monopolies can’t beat them, SJW types are like cannon fodder.
More like, taking all the heat so everyone else can keep their hands clean.
>BUDISH: So Ticketmaster takes all the P.R. hit for these egregious service fees. But actually a lot of that money spreads its way around the rest of the food chain.
>MARCUS: It’s actually historically kind of part of Ticketmaster’s business model to take on the burden of that negative sentiment.
I worked in the space for awhile. Nobody ever mentioned that take in those years. Ticketmaster is good at dividing and conquering the different stakeholders. They aren’t doing anyone any favors imo.
Isn't it nice to see our justice system at work. I'm glad to see our brave men and women keep in mind their number one imperative: never disappoint $$$.
> Ticketmaster expressed satisfaction with the outcome in a statement. “Ticketmaster terminated both Zaidi and Mead in 2017, after their conduct came to light. Their actions violated our corporate policies and were inconsistent with our values. We are pleased that this matter is now resolved,” a spokesperson told The Verge.
> Today’s judgment defers prosecution under the Computer Fraud and Abuse Act. Ticketmaster must pay the fine in question, maintain clear policies to detect and prevent unauthorized computer intrusion, and present annual reports on its conduct for the next three years.
These are criminal acts. If they were physical (i.e., not cyber) there would be more than fines. Fines are a slapon the wrist. $10 million a meaningless drop in the bucket.
> “Further, Ticketmaster’s employees brazenly held a division-wide ‘summit’ at which the stolen passwords were used to access the victim company’s computers.”
Isn't this a felony? Why aren't these people in jail?
> Live Nation hired a former CrowdSurge employee named Stephen Mead in 2013. Then, now-fired Ticketmaster executive Zeeshan Zaidi and other executives encouraged him to turn over his old employer’s secrets
You know, there are ongoing extradition cases from UK->USA for people who have done far, FAR less malevolent actions than these.
Why are these people not facing 10+ years in jail for hacking?
"The company admitted that it is responsible for the actions of its employees under United States law."
That was also my question why those employees are not in jail yet. I was thinking that company gets fine and employees get jail time but that must be some weird/interesting part of US law.
>that must be some weird/interesting part of US law.
Indeed. We see time and time again that corporations can get away with almost anything they want without facing any real consequence compared to individuals. What part of US law is protecting these corporations and the people involved when they flagrantly break the law? It's sickening.
>We see time and time again that corporations can get away with almost anything they want without facing any real consequence compared to individuals.
...except that corporations are literally just groups of people, the person who perpetrated the act (Zaidi) pled guilty to hacking and is awaiting sentencing?
IANAL, but in the US at least there isn't any obligation to stop or report any crime you witnessed[1]. As for the other people in the company that used his credentials to access the competitors site, it's possible to prosecute them, but you'll have to prove intent. That might be tricky to prove because the defense can argue that they didn't intend to hack the site, because they thought Zaidi was properly authorized to use the site.
[1] There are some exceptions, eg. if you're a teacher and you learn about child abuse
According to the articles other employees logged in with what they knew were not legitimately obtained and pretty clearly committed CFAA violations that have gotten serious punishment before. Moreover they induced Zaidi to commit the offenses he's been prosecuted for _and_ co-ordinated a set of employees to access the victim's network _and_ showed that off internally. How is that not criminal conspiracy unless it doesn't count against Ticketmaster if they just say the magic words that they didn't know?
> What part of US law is protecting these corporations and the people involved when they flagrantly break the law?
Er.... this is entirely the point of the law in the US -- to protect corporate interests. Who do you think are writing the laws? It's not some weird edge case or quirk in the system. Protecting and furthering corporate interests is the system. As always, the purpose of the system is what it does.
If only. It requires a bit more finesse and money than that. Ticketmaster had the resources to throw at the right people to influence outcomes. If you don’t, then you will not have the same outcome as there is a lot of subjectiveness in the system.
Yes, but it's from "the date of the act complained of or the date of the discovery of the damage."
Also, the article states that Ticketmaster is under a deferred prosecution agreement for CFAA. So they get to pay a pittance of a fine, and make some internal "policies" and get off scot free.
>Isn't this a felony? Why aren't these people in jail?
Zaidi was prosecuted and he pleaded guilty, although his sentence has yet to be determined.
>Zaidi was terminated from Ticketmaster in 2017 and pleaded guilty in Brooklyn federal court in 2019 to one count of conspiring to access protected computers without authorization and to commit wire fraud, according to the deferred prosecution agreement. Zaidi's sentencing has been delayed, according to court filings. CNN has contacted his attorneys for comment.
The problem we have is that the lawyers for the government want to show victories quickly. They don't care about justice, and they aren't incentivized to prosecute tough cases where rich companies have dozens of lawyers and present roadblock after roadblock through legal defense. We literally need robot lawyers that will prosecute and convict people tirelessly and fairly.
There are hackers who did much less that got the book thrown at them and actually spent time in jail. Weev's case (https://www.eff.org/deeplinks/2013/07/weevs-case-flawed-begi...) is disgusting even though he was using AT&T's own APIs and actually didn't hack anything. Yes, Weev appears to be a horrible person but that isn't the point, the point is the law should be fair to everyone. If the Ticketmaster execs and those that hacked CrowdSurge don't see a sentence much harsher than this, it will be an attack against justice. But again, I don't think justice will be served because the prosecutors literally don't care about justice.
100 comments
[ 3.2 ms ] story [ 169 ms ] threadRevoking credentials of employees after they leave and doing regular audits of the access list, are controls that would be relevant here.
Then here's Ticketmaster caught literally hacking into their competitors systems and they get a slap on the hand. No one going to jail, no one becoming a felon, no one's life ruined.
It does nothing to stop what matters: corporations or nation states. Horrible corporations like LinkedIn try to use it. Having the CFAA is literally worse than not having any laws about this. Not only must WE repeal it, the US must go around the world helping people understand that other countries must not enact or must scrap such laws.
Oh come on, I find it difficult to have sympathy for a company that does this.
It's a ticking time bomb, and certainly not hacking.
Must have a hell of a culture there
There are countless names of “hackers” that have sat in prison and are currently sitting in prison for lengthy terms regardless of their intent. A Ticketmaster exec should have to do the same.
https://en.m.wikipedia.org/wiki/List_of_computer_criminals
RIP Aaron Swartz.
Lawlessness will continue until the government starts charging individuals.
There are two sets of laws in that country: those that apply to them, and the other set that applies to you.
Group-think and blind zealotry have gotten so bad there, even the few pieces of actual journalism they put out are tainted with it. Hard to trust anything they say when you know how many lies they've pushed in bad faith.
Surprised it took so long for one of the dirtiest players to get a little slap on the wrist.
>Ticketmaster expressed satisfaction with the outcome in a statement
Crime pays off, in the end.
Sadly, this isn't true. As quickly as the old idiots realise that their actions are futile, new idiots are born to repeat their mistakes.
Sometimes, crime does pay. So there's a risk-reward strategy to being the kind of person prone to commiting crimes.
Two years ago, doing X might have been a net negative; now, maybe due to police cuts etc. it's viable. But it's hard to know this in advance; to find out, someone has to walk the territory.
(And maybe I should too.)
I doubt you can be barred from running a small company (absent being incarcerated which may indirectly/practically bar that).
This is a silly idea if you think about it.
Companies are packets of assets and obligations. Liquidations usually involve shareholders pulling the plug. If the shareholders want the company to keep going but the government doesn’t, when you liquidate the assets, the old shareholders will simply re-purchase them and re-hire the same (or a similar) team. Not a lot done except hosing creditors and enriching lawyers.
Okay, so you ban former shareholders from buying. Who is most likely to be able to do the fire sale diligence? A competitor. Now you have a policy that promotes industrial concentration.
Fine, ban competitors. At this point, few deeply knowledgeable about the assets can bid. In most cases, a deep discount bid will take the cake. So a wealthy person will get assets at a discount from pension plans and individual investors.
Applying concepts like a “death penalty” to legal fictions is emotionally satisfying but economically dubious. I am actually surprised it hasn’t been suggested as a solution by large-company lobbyists. It creates lots of legal work. A back door for wiping out debts. And it enriches wealthy clients while sidestepping real consequences.
Shareholders, who the Board of Directors claim to be beholden to, would lose everything. The company would get liquidated to the highest buyer. Shareholders would be incentivized to not support crimes or strategies that would lead to corporate execution and Board members would be legally bound and liable if that happened.
It doesn't support industrial concentration. All the company needs to do to avoid executation is to not commit the most egregious crimes. Is that really such a hard ask? No, it isn't.
Who do you think gets the liquidation proceeds? If not the shareholders, one, that’s expropriation, which rule-of-law countries try to avoid. And two, that’s easier achieved with a fine.
For businesses requiring a license, suspending licenses could kill a business. Otherwise, “death penalty” is, at best, an expensive way to levy a fine and, at worst and most likely, inchoate.
A fine can be paid and the organization simply continues. But the point of the corporate death penalty is that the organization ceases to operate; executives and board members lose their plum positions in ignominy; shareholders lose enormous value; and the rotten people and incentive structures in the organization are scattered into the wind.
I would be much more amenable with the idea of destroying them.
Any trademarks are revoked, any copyrighted works are now PD, etc. Physical assets are destroyed and put in landfills. If they own a building, tear it down, make it a park.
Same should happen to Anthony Levandowski, but of course things are tricky when you're world leading Self-Driving Cars Expert
I just noticed that the word "master" is in ticket master. With every one renaming git branches etc. why hasn't ticket master been attacked for its "racist name"? Not that I personally give a shit.
More like, taking all the heat so everyone else can keep their hands clean.
>BUDISH: So Ticketmaster takes all the P.R. hit for these egregious service fees. But actually a lot of that money spreads its way around the rest of the food chain.
>MARCUS: It’s actually historically kind of part of Ticketmaster’s business model to take on the burden of that negative sentiment.
https://freakonomics.com/podcast/live-event-ticket-market-sc...
I worked in the space for awhile. Nobody ever mentioned that take in those years. Ticketmaster is good at dividing and conquering the different stakeholders. They aren’t doing anyone any favors imo.
My only idea.
> Ticketmaster expressed satisfaction with the outcome in a statement. “Ticketmaster terminated both Zaidi and Mead in 2017, after their conduct came to light. Their actions violated our corporate policies and were inconsistent with our values. We are pleased that this matter is now resolved,” a spokesperson told The Verge.
> Today’s judgment defers prosecution under the Computer Fraud and Abuse Act. Ticketmaster must pay the fine in question, maintain clear policies to detect and prevent unauthorized computer intrusion, and present annual reports on its conduct for the next three years.
Cyber crime pays.
Isn't this a felony? Why aren't these people in jail?
> Live Nation hired a former CrowdSurge employee named Stephen Mead in 2013. Then, now-fired Ticketmaster executive Zeeshan Zaidi and other executives encouraged him to turn over his old employer’s secrets
You know, there are ongoing extradition cases from UK->USA for people who have done far, FAR less malevolent actions than these.
Why are these people not facing 10+ years in jail for hacking?
"The company admitted that it is responsible for the actions of its employees under United States law."
That was also my question why those employees are not in jail yet. I was thinking that company gets fine and employees get jail time but that must be some weird/interesting part of US law.
Indeed. We see time and time again that corporations can get away with almost anything they want without facing any real consequence compared to individuals. What part of US law is protecting these corporations and the people involved when they flagrantly break the law? It's sickening.
...except that corporations are literally just groups of people, the person who perpetrated the act (Zaidi) pled guilty to hacking and is awaiting sentencing?
[1] There are some exceptions, eg. if you're a teacher and you learn about child abuse
Er.... this is entirely the point of the law in the US -- to protect corporate interests. Who do you think are writing the laws? It's not some weird edge case or quirk in the system. Protecting and furthering corporate interests is the system. As always, the purpose of the system is what it does.
My company gets fined $X million, which it doesn't have so it folds. I skip off into the sunset
https://en.wikipedia.org/wiki/Piercing_the_corporate_veil#Fa...
You're going to have to be very careful to avoid that, and even then, you might still be personally liable, see my other comment: https://news.ycombinator.com/item?id=25593629
I agree: these people should be prosecuted. I'd also argue that Ticketmaster in this case was acting as a criminal conspiracy.
Also, the article states that Ticketmaster is under a deferred prosecution agreement for CFAA. So they get to pay a pittance of a fine, and make some internal "policies" and get off scot free.
Zaidi was prosecuted and he pleaded guilty, although his sentence has yet to be determined.
>Zaidi was terminated from Ticketmaster in 2017 and pleaded guilty in Brooklyn federal court in 2019 to one count of conspiring to access protected computers without authorization and to commit wire fraud, according to the deferred prosecution agreement. Zaidi's sentencing has been delayed, according to court filings. CNN has contacted his attorneys for comment.
https://www.cnn.com/2020/12/30/business/ticketmaster-plea-pa...
(I'm bitter, but that wasn't hyperbole - that was the actual award of their last class action settlement for fixing the consumer market)
https://www.justice.gov/usao-edny/pr/ticketmaster-pays-10-mi...