Incident: Burning Man Ticketing System Hacked by Software Engineers.

Published Date: 2015-02-23

Postmortem Analysis
Timeline
1. The software failure incident of hackers exploiting a design flaw in the Burning Man ticketing system happened in February 2015 [33651].

System
1. Burning Man ticketing system powered by Ticketfly [33651]

Responsible Organization
1. Software engineers in Silicon Valley who hacked into the Burning Man ticketing system powered by Ticketfly [33651]
2. Hackers who created a technical 'backdoor' to the ticket sale, allowing them to purchase tickets ahead of others [33651]

Impacted Organization
1. Burning Man ticketing system powered by Ticketfly [33651]

Software Causes
1. Software engineers in Silicon Valley hacked into the Burning Man ticketing system powered by Ticketfly to cut to the front of the queue, exploiting a design flaw on the ticket page that allowed them to generate a spot ahead of everyone else in line [33651].
2. Hackers created a technical 'backdoor' to the ticket sale by discovering a few lines of JavaScript code on the ticketing website that gave preeminent access to tickets three minutes before they officially went on sale at noon on Wednesday [33651].

Non-software Causes
1. High demand for Burning Man tickets leading to quick sell-out [33651]
2. Perception of unfair advantage by software-savvy engineers [33651]
3. Fluctuating wait times causing anxiety and confusion among ticket buyers [33651]
4. Previous criticisms of Burning Man ticket distribution system [33651]
5. Criticism of Silicon Valley's influence on Burning Man [33651]

Impacts
1. The software failure incident allowed 200 software-savvy engineers to cut to the front of the queue during the Burning Man ticket sale, causing resentment and parody among Twitter users [33651].
2. The perception that hackers were cheating the system led to a source of resentment and parody among Twitter users [33651].
3. The incident caused fluctuating wait times for ticket buyers, leading to anxiety and frustration among those trying to purchase tickets [33651].
4. The incident resulted in Burning Man officials having to track down and cancel the hacked ticket orders, impacting the ticket distribution process [33651].

Preventions
1. Implementing stricter security measures to prevent unauthorized access and hacking attempts, such as multi-factor authentication or regular security audits [33651].
2. Conducting thorough testing and quality assurance checks on the ticketing system to identify and fix any vulnerabilities or flaws before the sale [33651].
3. Ensuring transparency and clear communication with users about the ticketing process to avoid confusion and frustration that could lead to suspicions of foul play [33651].

Fixes
1. Implement stricter security measures to prevent hacking attempts, such as enhancing the authentication process and monitoring for suspicious activities [33651].
2. Conduct a thorough review of the ticketing system's code to identify and fix any vulnerabilities that could be exploited by hackers [33651].
3. Enhance the ticketing system's design to prevent the creation of backdoors that allow users to bypass the queue and gain unfair advantage [33651].

References
1. Burning Man officials, including Megan K. Miller, director of communications [33651]
2. Burning Man's top brass [33651]
3. Engineers and web developers on a Burning Man Reddit thread [33651]
4. Social media, particularly Twitter users [33651]
5. Burning Man's social media team [33651]
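
The Software Causes and the third Fix above come down to one design rule: a place in the waiting room must be something only the server can mint, and never before the sale opens. The sketch below is an added example, not Ticketfly's or Burning Man's code; the token format, function names, key handling and the sale-open time are all assumptions made for illustration.

```javascript
// Added example (hypothetical design): server-minted waiting-room tokens.
const crypto = require('node:crypto');

const SECRET = crypto.randomBytes(32);  // server-only signing key, never sent to the browser
const SALE_OPENS_AT = 1_000_000_000;    // constructed sale-open time, in ms

function sign(payload) {
  return crypto.createHmac('sha256', SECRET).update(payload).digest('base64url');
}

// Called when a buyer enters the waiting room. The timestamp is the server
// clock, never a value taken from the request or computed in page script.
// Assumes buyerId contains no '.' characters.
function issueQueueToken(buyerId, serverNowMs) {
  if (serverNowMs < SALE_OPENS_AT) return null;  // no spots exist before the sale opens
  const nonce = crypto.randomBytes(8).toString('hex');
  const payload = `${buyerId}.${serverNowMs}.${nonce}`;
  return `${payload}.${sign(payload)}`;
}

// Called when a waiting-room URL carrying a token is presented.
function admit(token) {
  const parts = String(token).split('.');
  if (parts.length !== 4) return { ok: false, reason: 'malformed' };
  const [buyerId, issuedAt, nonce, mac] = parts;
  const expected = Buffer.from(sign(`${buyerId}.${issuedAt}.${nonce}`));
  const given = Buffer.from(mac);
  // Constant-time comparison; a token assembled in the browser fails here
  // because the client never holds SECRET.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad-signature' };
  }
  // Defence in depth: even a validly signed token is refused if it predates the sale.
  if (Number(issuedAt) < SALE_OPENS_AT) {
    return { ok: false, reason: 'issued-before-sale' };
  }
  // Queue order is the server-recorded issue time, not anything the client supplies.
  return { ok: true, buyerId, position: Number(issuedAt) };
}
```

Rejected tokens with reason `bad-signature` are also a useful signal for the "monitoring for suspicious activities" item in the Fixes list.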

Software Taxonomy of Faults

Category | Option | Rationale
Recurring | unknown | (a) The software failure incident related to Burning Man ticket sales being hacked by software engineers in Silicon Valley has not been reported to have happened again within the same organization [33651]. (b) The software failure incident of hacking into the ticketing system has not been reported to have happened again at other organizations or with their products and services in the provided articles [33651].
Phase (Design/Operation) | design, operation | (a) The software failure incident related to the design phase was due to a design flaw on the ticket page that allowed software-savvy engineers to generate a spot ahead of everyone else in line during the Burning Man ticket sale [33651]. (b) The software failure incident related to the operation phase was caused by the operation of the system during the ticket sale. The fluctuating wait times in the online queue gave the illusion to users that hackers were cutting in front of them, causing anxiety and resentment among potential ticket buyers [33651].
Boundary (Internal/External) | within_system | (a) within_system: The software failure incident at Burning Man related to the ticketing system was primarily due to contributing factors that originated from within the system. Software engineers in Silicon Valley hacked into the Burning Man ticketing system powered by Ticketfly by exploiting a design flaw on the ticket page that allowed them to generate a spot ahead of everyone else in line [33651]. Additionally, hackers were able to create a backdoor to the sale by discovering a few lines of JavaScript code on the ticketing website that gave them preeminent access to tickets before the official sale started [33651]. (b) outside_system: There is no specific information in the articles indicating that the software failure incident at Burning Man was due to contributing factors originating from outside the system.
Nature (Human/Non-human) | non-human_actions, human_actions | (a) The software failure incident at Burning Man ticket sales was primarily due to non-human actions. The incident occurred because approximately 200 software-savvy engineers discovered a design flaw on the ticket page that allowed them to generate a spot ahead of everyone else in line [33651]. This flaw was related to a backdoor created by hackers, which enabled them to purchase the first batch of tickets when the sale started, even though no tickets were sold before the official sale opening [33651]. (b) However, human actions were also involved in the software failure incident. The engineers exploited the design flaw in the ticketing system, which was a contributing factor introduced by human actions [33651]. Additionally, the Burning Man officials took steps to prevent such incidents from happening again in future sales, indicating a response to human actions that led to the failure [33651].
Dimension (Hardware/Software) | software | (a) hardware: The incident at Burning Man involving the ticketing system was primarily due to software engineers hacking into the system to gain an advantage in purchasing tickets. This was not a hardware-related failure but rather a manipulation of the software system [33651]. (b) software: The software failure incident at Burning Man was directly caused by software engineers exploiting a design flaw in the ticketing system's software to create a backdoor and jump to the front of the ticket queue. This was a software-related failure stemming from vulnerabilities in the software code [33651].
Objective (Malicious/Non-malicious) | malicious | (a) malicious: The software failure incident at Burning Man related to the ticketing system was malicious in nature. Software engineers in Silicon Valley hacked into the Burning Man ticketing system powered by Ticketfly to cut to the front of the queue. Approximately 200 people created a technical 'backdoor' to the sale and made their way to the front of the line by exploiting a design flaw on the ticket page [33651]. The hackers were able to generate a waiting room URL ahead of time using code segments they discovered on the ticketing website, allowing them to purchase the first batch of tickets when the sale started [33651]. Burning Man officials confirmed that a backdoor had been created by hackers, leading to resentment and parody among Twitter users [33651]. (b) non-malicious: The software failure incident was not caused by unintentional factors. The incident was a result of deliberate actions taken by software-savvy engineers who exploited a design flaw and created a backdoor in the ticketing system to gain an unfair advantage in purchasing tickets [33651]. Burning Man acknowledged the error and took steps to prevent such incidents from happening in future sales [33651].
Intent (Poor/Accidental Decisions) | unknown | (a) The intent of the software failure incident was not due to poor decisions but rather intentional actions taken by software-savvy engineers to exploit a design flaw in the Burning Man ticketing system. These engineers hacked into the system to generate a spot ahead of everyone else in line, allowing them to purchase tickets before the official sale started [33651]. (b) The software failure incident was not a result of accidental decisions but rather a deliberate attempt by individuals to manipulate the system and gain an unfair advantage during the ticket sale process. The creation of a backdoor by hackers and the exploitation of a design flaw in the ticketing website were intentional actions aimed at bypassing the normal queue and purchasing tickets ahead of others [33651].
Capability (Incompetence/Accidental) | accidental | (a) The software failure incident at Burning Man ticket sale was not due to development incompetence but rather due to hackers exploiting a design flaw in the ticketing system. The incident involved software-savvy engineers discovering a backdoor in the system that allowed them to generate a spot ahead of others in line [33651]. (b) The software failure incident at Burning Man ticket sale was accidental in nature. The hackers accidentally discovered a few lines of JavaScript code on the ticketing website that gave them preeminent access to tickets three minutes before the official sale started. This accidental discovery allowed them to create a backdoor and purchase tickets ahead of others in line [33651].
Duration | temporary | (a) The software failure incident in the Burning Man ticketing system was temporary. The incident occurred during the ticket sale when approximately 200 software-savvy engineers discovered a design flaw on the ticket page that allowed them to generate a spot ahead of everyone else in line [33651]. This flaw was exploited by creating a technical 'backdoor' to the sale, enabling these individuals to purchase the first batch of tickets when the sale started. The incident was not a permanent failure but rather a temporary issue caused by specific circumstances and actions taken by the engineers.
Behaviour | other | (a) crash: The software failure incident in the Burning Man ticketing system did not involve a crash where the system lost state and did not perform any of its intended functions. The incident was more related to users exploiting a design flaw to gain an advantage in the ticket queue [33651]. (b) omission: The failure was not due to the system omitting to perform its intended functions at an instance(s). Instead, the issue stemmed from a design flaw that allowed certain users to bypass the queue and purchase tickets ahead of others [33651]. (c) timing: The software failure incident did not involve the system performing its intended functions correctly but too late or too early. The issue was more about certain users gaining early access to the ticketing system through a backdoor exploit [33651]. (d) value: The failure was not due to the system performing its intended functions incorrectly. The incident was more about users exploiting a flaw in the system to gain an unfair advantage in purchasing tickets [33651]. (e) byzantine: The software failure incident did not exhibit behavior characteristic of a byzantine failure, where the system behaves erroneously with inconsistent responses and interactions. The incident was more about users manipulating the system rather than the system itself providing inconsistent responses [33651]. (f) other: The behavior of the software failure incident can be categorized as a form of exploitation or manipulation of the system by users who discovered a design flaw that allowed them to jump the queue and purchase tickets ahead of others [33651].

IoT System Layer

Layer | Option | Rationale
Perception | None | None
Communication | None | None
Application | None | None

Other Details

Category | Option | Rationale
Consequence | delay, theoretical_consequence, other | (a) unknown (b) unknown (c) unknown (d) unknown (e) delay: The software failure incident caused delays for individuals trying to purchase tickets for Burning Man. The online queue system experienced fluctuations in wait times, causing frustration and anxiety among users [33651]. (f) unknown (g) no_consequence: The article mentions that Burning Man officials identified the hacked ticket orders and took steps to cancel them. The tickets obtained through the software exploit were to be put back up for sale during a later scheduled last-minute sale, indicating that the impact of the incident was mitigated [33651]. (h) theoretical_consequence: There were potential consequences discussed in the article, such as the perception that hackers were cheating the system, leading to resentment and parody on social media. Additionally, there were concerns raised about the fairness of the ticket distribution system and the criticism faced by Silicon Valley for influencing Burning Man's processes [33651]. (i) other: The software failure incident led to a situation where individuals who exploited the system were able to gain an advantage over others in purchasing tickets, highlighting issues of fairness and integrity in the ticketing process [33651].
Domain | entertainment | (a) The failed system in this incident was related to the entertainment industry, specifically the Burning Man festival ticketing system powered by Ticketfly [33651].
