100 comments

[ 3.2 ms ] story [ 169 ms ] thread
Never heard the name Ticketmaster associated with any type of behavior but scummy behavior, to be honest. $10M seems quite cheap a fine.
This should be in the dictionary under password expiry.
(comment deleted)
Not really. Ex-employee had access. If his password expired, he could just choose a new one and keep access.

Revoking credentials of employees after they leave and doing regular audits of the access list, are controls that would be relevant here.

I read it that wasn’t just his own account he was accessing but yes you’re not wrong about employee termination procedures also.
Remember when Aaron Schwarz didn't break the CFAA, or hack into any other person or organisation's private data, but was nonetheless brutally assaulted by the government until he committed suicide?

Then here's Ticketmaster caught literally hacking into their competitors systems and they get a slap on the hand. No one going to jail, no one becoming a felon, no one's life ruined.

This is America. Schwarz was not prosecuted for his crimes but for his failure to monetize them.
I’ve said this before and I’m more convinced of this now: the cfaa is unsalvagable and must be completely repealed/scrapped. All of it. No half measures.

It does nothing to stop what matters: corporations or nation states. Horrible corporations like LinkedIn try to use it. Having the CFAA is literally worse than not having any laws about this. Not only must WE repeal it, the US must go around the world helping people understand that other countries must not enact or must scrap such laws.

just pointing out that his name is Aaron Swartz
> his old employer used non-protected but difficult-to-find preview links for ticketing pages.

Oh come on, I find it difficult to have sympathy for a company that does this.

It's a ticking time bomb, and certainly not hacking.

What are passwords if not difficult to guess strings? It’s usually safer to create a link with 32 random characters than letting users come up with their own passwords such as „qwer1234“.
I disagree. There’s a reason why security by obscurity gets a bad rap. Browsers generally treat passwords as sacred — not saving or logging them unless the user explicitly asks. On the other hand, the URL bar gets saved to history, sent as a referrer when links are clicked (in some browsers), might be sent to an external server by the browser or extensions, etc.
I agree with the part about an URL being less secured than a password. However, it's not security by obscurity. It's just less secure and more convenient. But the URL scheme merely grants you access to a ticket, not the whole account, so the potential damage is negligible.
32 random characters (192 bits of entropy if you assume base64) is a lot more than just "difficult" to find. I'm pretty sure that is not what the article meant by difficult to find pages.
Sure, but in this case the attacker had inside knowledge and took it to a competitor. That, itself, is scummy, as well as criminal.
99% of security issues are silly and avoidable in retrospect. I don't think an insecure direct reference (assuming that's what is meant) is really all that different from most XSS, SQLi, etc
Terry A Davis used to work at ticketmaster

Must have a hell of a culture there

If we’re gonna go after pentesters (coalfire), or pursue people for copyright infringement, we have to go after people who deliberately commit crimes and corporate espionage. This is no different to breaking or sneaking into a competitors facility and stealing their documents. Assembling a spreadsheet of artists using public data is different, but straight up corporate espionage with stolen creds is absolutely unacceptable and should result in criminal penalties for the company and its directors.
I’d argue this is worse, since Ticketmaster is likely violating antitrust statutes s as well.

Lawlessness will continue until the government starts charging individuals.

Ticketmaster has no hands and cannot act. Some human being, or set of human beings, did this, and some federal prosecutor declined to bring CFAA charges against those people who committed those crimes.

There are two sets of laws in that country: those that apply to them, and the other set that applies to you.

Prosecutors end up deciding who the law applies to. That they have so much leeway is the source of these issues. But we also need other parts of the justice system to bend and morph to the issue, otherwise it is just a big heartless machine has to be coded for every possible input.
This title is ambiguous. Sounds like they're offering a bounty
Journalism is dead. I am at the point where I don't believe any headlines anymore. It's either willful manipulation of the facts, clickbait, or just plain stupidity on the part of the writer/corporation behind the article.
Same here. Even for "institutions" of journalism. Even the BBC and the NYT. They're all awful.
Yes, the "newspaper of record" is such a joke - just as laughable as Cuomo receiving an Emmy. Bunch of self-dealing slimebags.

Group-think and blind zealotry have gotten so bad there, even the few pieces of actual journalism they put out are tainted with it. Hard to trust anything they say when you know how many lies they've pushed in bad faith.

I used to write bots against TM back in the day, loads of folks were. The whole industry around ticking (and secondary!) is crazy, and OMG! fees on everything!

Surprised it took so long for one of the dirtiest players to get a little slap on the wrist.

>Ticketmaster apparently lost access to the system by 2015, the same year CrowdSurge merged with Songkick. Songkick sued Live Nation and Ticketmaster for violating antitrust laws. But it soon sold or shut down its services, and in 2018, it accepted a $110 million settlement — plus an undisclosed sum to sell some of its remaining assets to Ticketmaster.

>Ticketmaster expressed satisfaction with the outcome in a statement

Crime pays off, in the end.

If it didn’t there wouldn’t be any crime.
Humans are not perfectly rational agents, so this does not follow.
Congratulations, you win stupidest comment of the day!
Still, if crime never paid off for anyone, people would wise up eventually- save for exploratory divergent forays in case the situation has changed.
Crimes of passion are rarely rational.
When corporations are committing crimes of passion we have a huge problem. In the meantime, fine, jail and restructure.
> people would wise up eventually

Sadly, this isn't true. As quickly as the old idiots realise that their actions are futile, new idiots are born to repeat their mistakes.

This can apply to more than just crimes. Careers for instance.
>save for exploratory divergent forays in case the situation has changed

Sometimes, crime does pay. So there's a risk-reward strategy to being the kind of person prone to commiting crimes.

Two years ago, doing X might have been a net negative; now, maybe due to police cuts etc. it's viable. But it's hard to know this in advance; to find out, someone has to walk the territory.

Sounds like we need a corporate death penalty.
Ianal. But i think you can be sentence to never run a company again.
Also NAL. You can certainly be barred from serving as an officer of a publicly-traded company.

I doubt you can be barred from running a small company (absent being incarcerated which may indirectly/practically bar that).

Ohh that’s good. No longer able to own any corp or LLC anywhere. Forced to liquidate all holding and be taxed as a normal citizen.
(comment deleted)
> a corporate death penalty

This is a silly idea if you think about it.

Companies are packets of assets and obligations. Liquidations usually involve shareholders pulling the plug. If the shareholders want the company to keep going but the government doesn’t, when you liquidate the assets, the old shareholders will simply re-purchase them and re-hire the same (or a similar) team. Not a lot done except hosing creditors and enriching lawyers.

Okay, so you ban former shareholders from buying. Who is most likely to be able to do the fire sale diligence? A competitor. Now you have a policy that promotes industrial concentration.

Fine, ban competitors. At this point, few deeply knowledgeable about the assets can bid. In most cases, a deep discount bid will take the cake. So a wealthy person will get assets at a discount from pension plans and individual investors.

Applying concepts like a “death penalty” to legal fictions is emotionally satisfying but economically dubious. I am actually surprised it hasn’t been suggested as a solution by large-company lobbyists. It creates lots of legal work. A back door for wiping out debts. And it enriches wealthy clients while sidestepping real consequences.

It's a fantastic idea.

Shareholders, who the Board of Directors claim to be beholden to, would lose everything. The company would get liquidated to the highest buyer. Shareholders would be incentivized to not support crimes or strategies that would lead to corporate execution and Board members would be legally bound and liable if that happened.

It doesn't support industrial concentration. All the company needs to do to avoid executation is to not commit the most egregious crimes. Is that really such a hard ask? No, it isn't.

> The company would get liquidated to the highest buyer

Who do you think gets the liquidation proceeds? If not the shareholders, one, that’s expropriation, which rule-of-law countries try to avoid. And two, that’s easier achieved with a fine.

For businesses requiring a license, suspending licenses could kill a business. Otherwise, “death penalty” is, at best, an expensive way to levy a fine and, at worst and most likely, inchoate.

OK, shareholders might get some proceeds after secured and unsecured creditors, but as I am sure you're aware, share prices are generally a multiple of book value. With a corporate death penalty, the net present value of the expected future earnings of the company is 0.

A fine can be paid and the organization simply continues. But the point of the corporate death penalty is that the organization ceases to operate; executives and board members lose their plum positions in ignominy; shareholders lose enormous value; and the rotten people and incentive structures in the organization are scattered into the wind.

I'm not sure why liquidating the assets is taken as given.

I would be much more amenable with the idea of destroying them.

Any trademarks are revoked, any copyrighted works are now PD, etc. Physical assets are destroyed and put in landfills. If they own a building, tear it down, make it a park.

why not do something like civil forfeiture? liquidate it n keep the money
And when the fines are so small for such huge crimes with no jail time for executives, this is what you get.
This guy shouldn't be able to work in IT/CS or anything non-freelance & computer related

Same should happen to Anthony Levandowski, but of course things are tricky when you're world leading Self-Driving Cars Expert

Anthony's story is exceptionally brazen. Corporate espionage, reckless public endangerment, and embezzlement while having produced very little.
It doesn't sound to me like any settlement Ticketmaster could make with the company they hacked should prevent an anti-trust investigation continuing. If Ticketmaster used anti-competitive tactics it is not just other companies that suffered a loss, it was also the public.
This was a settlement with the US Department of Justice, which apparently believes a $10M fine adequately protects the public. One wonders if the timing of this announcement is coincidental.
Protect the public? If anything the public needs protection from ticket master ands it's crime syndicate.

I just noticed that the word "master" is in ticket master. With every one renaming git branches etc. why hasn't ticket master been attacked for its "racist name"? Not that I personally give a shit.

Ticketmaster is really good at being evil. If professional sports teams with government protected monopolies can’t beat them, SJW types are like cannon fodder.
>Ticketmaster is really good at being evil

More like, taking all the heat so everyone else can keep their hands clean.

>BUDISH: So Ticketmaster takes all the P.R. hit for these egregious service fees. But actually a lot of that money spreads its way around the rest of the food chain.

>MARCUS: It’s actually historically kind of part of Ticketmaster’s business model to take on the burden of that negative sentiment.

https://freakonomics.com/podcast/live-event-ticket-market-sc...

That’s a perspective I suppose.

I worked in the space for awhile. Nobody ever mentioned that take in those years. Ticketmaster is good at dividing and conquering the different stakeholders. They aren’t doing anyone any favors imo.

When a person does it, they go to jail for a long time. When a company does it, it pays a fine, no wrongdoing
Isn't it nice to see our justice system at work. I'm glad to see our brave men and women keep in mind their number one imperative: never disappoint $$$.

> Ticketmaster expressed satisfaction with the outcome in a statement. “Ticketmaster terminated both Zaidi and Mead in 2017, after their conduct came to light. Their actions violated our corporate policies and were inconsistent with our values. We are pleased that this matter is now resolved,” a spokesperson told The Verge.

> Today’s judgment defers prosecution under the Computer Fraud and Abuse Act. Ticketmaster must pay the fine in question, maintain clear policies to detect and prevent unauthorized computer intrusion, and present annual reports on its conduct for the next three years.

These are criminal acts. If they were physical (i.e., not cyber) there would be more than fines. Fines are a slapon the wrist. $10 million a meaningless drop in the bucket.

Cyber crime pays.

> “Further, Ticketmaster’s employees brazenly held a division-wide ‘summit’ at which the stolen passwords were used to access the victim company’s computers.”

Isn't this a felony? Why aren't these people in jail?

> Live Nation hired a former CrowdSurge employee named Stephen Mead in 2013. Then, now-fired Ticketmaster executive Zeeshan Zaidi and other executives encouraged him to turn over his old employer’s secrets

You know, there are ongoing extradition cases from UK->USA for people who have done far, FAR less malevolent actions than these.

Why are these people not facing 10+ years in jail for hacking?

https://www.bleepingcomputer.com/news/security/ticketmaster-...

"The company admitted that it is responsible for the actions of its employees under United States law."

That was also my question why those employees are not in jail yet. I was thinking that company gets fine and employees get jail time but that must be some weird/interesting part of US law.

>that must be some weird/interesting part of US law.

Indeed. We see time and time again that corporations can get away with almost anything they want without facing any real consequence compared to individuals. What part of US law is protecting these corporations and the people involved when they flagrantly break the law? It's sickening.

>We see time and time again that corporations can get away with almost anything they want without facing any real consequence compared to individuals.

...except that corporations are literally just groups of people, the person who perpetrated the act (Zaidi) pled guilty to hacking and is awaiting sentencing?

And all the other people who were present and knew what was going on?
IANAL, but in the US at least there isn't any obligation to stop or report any crime you witnessed[1]. As for the other people in the company that used his credentials to access the competitors site, it's possible to prosecute them, but you'll have to prove intent. That might be tricky to prove because the defense can argue that they didn't intend to hack the site, because they thought Zaidi was properly authorized to use the site.

[1] There are some exceptions, eg. if you're a teacher and you learn about child abuse

According to the articles other employees logged in with what they knew were not legitimately obtained and pretty clearly committed CFAA violations that have gotten serious punishment before. Moreover they induced Zaidi to commit the offenses he's been prosecuted for _and_ co-ordinated a set of employees to access the victim's network _and_ showed that off internally. How is that not criminal conspiracy unless it doesn't count against Ticketmaster if they just say the magic words that they didn't know?
Really? Zaidi did all this by himself? Last time I checked "I was just following orders" isn't a valid defense for felonies.
> What part of US law is protecting these corporations and the people involved when they flagrantly break the law?

Er.... this is entirely the point of the law in the US -- to protect corporate interests. Who do you think are writing the laws? It's not some weird edge case or quirk in the system. Protecting and furthering corporate interests is the system. As always, the purpose of the system is what it does.

Cool so I want to hack a company and face no jail: create my own company, employ myself and do the hack.

My company gets fined $X million, which it doesn't have so it folds. I skip off into the sunset

If only. It requires a bit more finesse and money than that. Ticketmaster had the resources to throw at the right people to influence outcomes. If you don’t, then you will not have the same outcome as there is a lot of subjectiveness in the system.
I think downside of this plan is that you have to have billions of dollars first and a pack of lawyers to pull it off.
(comment deleted)
Aaron Swartz did far, far less, but took his own life because of how draconian the CFAA is.

I agree: these people should be prosecuted. I'd also argue that Ticketmaster in this case was acting as a criminal conspiracy.

The statute of limitations on the CFAA is two years.
Yes, but it's from "the date of the act complained of or the date of the discovery of the damage."

Also, the article states that Ticketmaster is under a deferred prosecution agreement for CFAA. So they get to pay a pittance of a fine, and make some internal "policies" and get off scot free.

>Isn't this a felony? Why aren't these people in jail?

Zaidi was prosecuted and he pleaded guilty, although his sentence has yet to be determined.

>Zaidi was terminated from Ticketmaster in 2017 and pleaded guilty in Brooklyn federal court in 2019 to one count of conspiring to access protected computers without authorization and to commit wire fraud, according to the deferred prosecution agreement. Zaidi's sentencing has been delayed, according to court filings. CNN has contacted his attorneys for comment.

https://www.cnn.com/2020/12/30/business/ticketmaster-plea-pa...

The problem we have is that the lawyers for the government want to show victories quickly. They don't care about justice, and they aren't incentivized to prosecute tough cases where rich companies have dozens of lawyers and present roadblock after roadblock through legal defense. We literally need robot lawyers that will prosecute and convict people tirelessly and fairly. There are hackers who did much less that got the book thrown at them and actually spent time in jail. Weev's case (https://www.eff.org/deeplinks/2013/07/weevs-case-flawed-begi...) is disgusting even though he was using AT&T's own APIs and actually didn't hack anything. Yes, Weev appears to be a horrible person but that isn't the point, the point is the law should be fair to everyone. If the Ticketmaster execs and those that hacked CrowdSurge don't see a sentence much harsher than this, it will be an attack against justice. But again, I don't think justice will be served because the prosecutors literally don't care about justice.
The DOJ should send them a bill for 10M plus a 12.5% handling fee and a 4% convenience fee.
Geez, reading the title, I thought Ticketmaster was offering $10M to hack its competitor...
Shouldn't that guy that was pushed to turn over secrets have signed an NDA with the previous company? sounds bizarre
Is there a league table (similar to the global corruption index?) which shows which industries attract the most prosecutions?
... payable in vouchers for free concerts that don't actually exist, and coupons for $2 off expedited shipping of paper tickets.

(I'm bitter, but that wasn't hyperbole - that was the actual award of their last class action settlement for fixing the consumer market)

Ticketmaster's business model is evilness. Always has been.
Title should include the word: "FINE"