A recent Wall Street Journal article describes Ticketmaster's problems with online scalpers:
The Internet era has brought speed and convenience to all sorts of consumer transactions. For concertgoers, however, it has also led to ever-faster sellouts for hot events. Ticketmaster deploys technology that is supposed to stop brokers from gaining access to large numbers of seats via online sales. But it says brokers' software circumvents the company's protections. That has placed large numbers of seats in the hands of brokers who use eBay Inc.'s StubHub, Craigslist and other online venues to resell the tickets at a big mark up.
One situation roiling consumers involves the 54-concert "Best of Both Worlds" tour in which singer-actress Miley Cyrus is performing sets as herself and as her fictional alter ego, Hannah Montana. Parents and children have found finding tickets for the shows difficult and expensive. The issue is drawing the attention of government officials. On Thursday -- in a rare Internet-age example of authorities enforcing antiscalping laws -- the attorneys general of Missouri and Arkansas filed lawsuits against people accused of illegally reselling Hannah Montana tickets.
According to StubHub, tickets for "Best of Both Worlds" are currently selling for an average $237, making them pricier than seats for the Police ($209), Justin Timberlake ($182) and Beyoncé ($212). The highest face value for a ticket on the Hannah Montana tour: $63.
They must have really pissed off some high ranking political parents to get that kind of attention. Not that they don't deserve it-- scalpers are evil, profiteering bastards, to be sure. They deserve all the pain we can send their way.
The "technology that is supposed to stop brokers" they're referring to is CAPTCHA.
For instance, companies like Ticketmaster require customers searching for tickets online to replicate a set of the squiggly letters and numbers, known as a "Captcha." Theoretically, only human customers can correctly identify the characters despite the odd fonts, screening out automated purchasing programs. But RMG's software, according to Mr. Kovach, can also "figure out the randomly generated characters and retype them automatically." Mr. Kovach said RMG employees also gave him advice on fooling Ticketmaster's computers into thinking his requests were coming from different Internet addresses. Neither Mr. Kovach nor his lawyer could be reached for comment.
So if online scalpers are somehow beating the system, does that mean CAPTCHA has been broken? I covered this topic a year ago, and my opinion has not changed. If CAPTCHAs were well and truly broken, Google, Yahoo, and Hotmail would stop using them. Why would they continue to use something that doesn't work? I'm not going to rehash all the arguments here, but if you have strong feelings on this topic, I urge you to read my earlier post before commenting.
Ticketmaster's problem is that their CAPTCHA is not good enough. Programmers don't seem to understand what makes a CAPTCHA difficult to "break". But it's not difficult to find out. Heck, the hackers themselves will tell you how to do CAPTCHA correctly if you just know where to look. For example, this Chinese hacker's page breaks down a number of common CAPTCHAs, and the price of software he sells to defeat them at a certain percentage success rate:
| Site | Success rate | Software price |
|---|---|---|
| the9 | 100% | $500 |
| dvbbs | 95% | $1,000 |
| Shanda | 90% | $1,500 |
| Baidu | 80% | $3,000 |
| eBay | 70% | $4,000 |
| Ticketmaster | 50% | $6,000 |
| Google | (unbreakable) | |
| Hotmail | (unbreakable) | |
| Yahoo | (unbreakable) | |
It seems an awful lot of programmers subscribe to the "add some crazy patterns and/or colors to the text and pray for the best" school of CAPTCHA design. That's not only sloppy, it just doesn't work. The top of this chart is littered with their failed attempts. On some sites, this is OK. They don't need the same world-class level of protection from bots and scripts that Ticketmaster does-- there's tremendous financial incentive for scalpers to break their system.
This particular hacker estimates a 50% success rate against the Ticketmaster captcha, long before the above article was published. No wonder those parents weren't able to buy their kids Hannah Montana tickets-- it's not because of failings in CAPTCHA protection, it's because the Ticketmaster programmers failed to implement CAPTCHA correctly.
Instead of hacking together their own partially effective (and often not even human solvable) CAPTCHA, what Ticketmaster's programmers should have done is studied prior art-- in particular, by outright copying the high-volume, extensively researched Yahoo, Google, and Hotmail CAPTCHAs. I'm awfully fond of Google's CAPTCHA technique; in my professional opinion, it is simultaneously the most readable and the most hellishly difficult to OCR correctly. If you need industrial strength protection from bots and scripts, that's where you want to start.
Here's an alternative type of captcha, pretty much impossible for a program to defeat. Seems to work great for the women, not so well for the men: http://www.hotcaptcha.com/
Moe on November 21, 2007 1:31 AM
This example of bad CAPTCHAs is unfortunately just one of many examples in which programmers just invent their own amateur algorithm based on nothing more than their gut feeling and pray for the best...
It shows that software engineering really isn't engineering at all in many cases.
p.s. Is your own "orange" CAPTCHA a joke or what?
Jesper on November 21, 2007 1:57 AM
I'm a computer graphics programmer (with a number of publications to my name) and if you paid me a couple grand, I could write software to decode Google's captchas. It would take no more than a couple weeks.
I often see glib claims like this, and I'll say the same thing to you that I mentally say to all of them: SHOW ME. Heck, if it's so easy, why don't you show the entire class?
I'll tell you what's easy: making ridiculous claims in a comment box on a web page.
Jeff Atwood on November 21, 2007 2:14 AM
scalpers are evil, profiteering bastards, to be sure.
No. Ticketmaster are evil monopolists. As for selling tickets for higher than some artificial price printed on the paper, that's just something the venues and Ticketmaster wish they could figure out how to get involved in. Why not have a concert and auction off all the tickets? Have no "face value" on any ticket, and just let the market decide how much they are worth. Don't you believe in capitalism?
It's no surprise Yahoo captchas are unbreakable: In most cases, they are just plain unreadable even to my human eye.
Yahoo has implemented them lately to access games.yahoo.com and I must say it's a real frustration when you enter the games site. OK, we no longer have porn ads in the rooms' common chat boxes but frankly the price to pay is expensive to me.
As you wrote, Google just proves that unbreakable doesn't have to be a synonym of unreadable!
Serge Wautier on November 21, 2007 2:18 AM
The difficulty is the use of NON-LINEAR transforms. Not any of the baloney you suggest.
Linear Transforms are easily reversed even if they are destructive. Non-linear transforms require non-linear methods which are more difficult to implement.
Essentially you need at least an undergraduate degree in stats or CS to get much success with the non-linear transforms.
Please stop suggesting stupid captchas like the cat captcha. Captcha Generation is a HARD AI PROBLEM. This means it is hard to generate new classes of captchas just as it is a HARD AI PROBLEM to solve them.
Jeff Atwood's Mother on November 21, 2007 2:22 AM
Jeff,
Is there a reason why the captcha on your comments section is always ORANGE? and it's not even trying to be hard to decipher - it is using a standard font.
Ash.
Ash Moollan on November 21, 2007 2:25 AM
"it is simultaneously the most readable and the most hellishly difficult to OCR correctly"
Most attractive, too. I'd use Google's CAPTCHAs as a desktop background. But *why* are Google's so much harder to crack than TicketMasters? Both seem to use warped writing. Is it the colours, the way they warp the image, or something I'm not getting?
Next up by Google: G-CAPTCHA. Actually, is it possible to copyright CAPTCHA technology?
"That's just something the venues and Ticketmaster wish they could figure out how to get involved in."
Well, that's blatantly not true, because it's not like scalpers are doing anything clever. They're just taking advantage of the time limit to distort the market.
"Don't you believe in capitalism?"
Haven't you heard of the Wall Street/DotCom Crash? How about Enron?
Capitalism works based on trust. Driving demand by hoarding until the last minute isn't good for anybody but the seller. An excellent book on market economics is "The Wisdom of Crowds" by J.Surowiecki.
Jeff, mind telling us how good you think your captcha is? :-)
The gothic letters don't seem that difficult to OCR.
Good post Jeff. In fact, it is possible to break EVERY CAPTCHA, that is readable. Do you know how? Hackers insert image with captcha from the site they want to break into some other site where there are a lot of visitors willing to receive some content for free (after passing fake registration with CAPTCHA from the site being hacked).
Vitaly on November 21, 2007 2:41 AM
I liked the captcha I saw where you had to choose the three attractive women out of 8 shown. Of course there's the problem with individual definitions of attractiveness, but if I had to choose between trying to decode Hotmail's god-awful mish-mash of pixels and looking at 3 hot girls...
nickf on November 21, 2007 2:41 AM
++Serge Wautier
I've had a flickr account - but after changing my user to a yahoo account (and forgetting the password) I am not able to access my flickr account any more.
It's nice to fight the bots - but it's dumb to fight the humans
Bernhard on November 21, 2007 2:47 AM
@ash
Jeff has written about why it is a static captcha before. He was getting a lot of comment spam and after implementing this simple captcha, it eliminated 99% of the problems (most bots don't bother to try to defeat it since they are based on spamming on a massive scale). There's no reason to work any harder than that if it solves your problem.
Same principle applies here as in the article. A simple captcha for protecting against comment spam is enough protection for Jeff, but not nearly enough for Ticketmaster.
Mason on November 21, 2007 2:48 AM
Jon Raynor wrote: "If these tickets are being sold online, isn't there a credit card involved? Couldn't you print something on the ticket that would correspond to the user's credit card, like a bar code or something similar? That way, the card that bought the ticket would have to be presented when the ticket was presented at the box office
....
Pushing someone's card through a credit reader at the gate should take that much longer than taking the ticket."
---
Hmm. So how do I...
1)...give away or sell my tickets (at face value, of course) to an event that I can't attend, for some unforeseen reason?
2)...buy more than 1 ticket with a single credit card? Sure, this might work if EVERYONE in the group shows up at the same time and meets outside the gate. What about very large groups (schools, churches)?
Seems kind of inconvenient and anti-free market. You're telling me that I can't even GIVE AWAY something I purchased legally with my own hard-earned money. I guess we are used to seeing this with certain operating systems, computer applications and video games.
Will on November 21, 2007 2:49 AM
Vitaly: that might work in many situations, but tickets to popular concerts will sell out in minutes--there's no time to wait for someone to come along and break a captcha for you, even if it's just 30 seconds.
Steve on November 21, 2007 2:57 AM
Jeff, mind telling us how good you think your captcha is? :-)
The gothic letters don't seem that difficult to OCR.
Here is a function I've crafted to return the correct value for the box (based on my experience reading this website).
String CodHorCAPTCHADecode()
{
    return "orange";
}
:)
In the end Ticketmaster themselves are evil and need to be investigated for the fees they add to a ticket. The last time I went to buy tickets from them their fees were more than the price of tickets. I once tried to get around this by phoning the bar directly, they informed me that I would still need to pay the fees. Some sort of evil agreement they have with Ticketmasters.
I so want Google (or Amazon) to setup a competing site...they could destroy them.
JJ
J. Jablonski on November 21, 2007 3:02 AM
If you can't read the CAPTCHA on Yahoo, you have terrible eyes or a bad monitor. They're easy.
Ludvig Ericson on November 21, 2007 3:06 AM
Great post!
@Wouter Lievens: It's a thing of adequate security. Nobody would pay $1000 to bot-post on Jeff's blog (sorry Jeff). But those brokers DO pay much more to trick Ticketmaster.
@Jeff: I don't see why Google is so much harder to crack than Ticketmaster (no question it's better, because human readable). Do you have an explanation?
Hinek on November 21, 2007 3:10 AM
The example on the Asirra page is ridiculous. Some of the images can barely be seen at that size.
Venkman - did you notice you can mouse over the images to see a much larger version of them? Or just dismiss it out of hand because it comes from Microsoft Research?
JosephCooney on November 21, 2007 3:21 AM
I suspect an element of Mechanical Turk going on...
Damian on November 21, 2007 3:22 AM
Jeff, have you looked at http://recaptcha.net/ ??
It could be a constructive way to replace your existing captcha ;-)
Roddy on November 21, 2007 3:25 AM
Google's are much easier because they are pronounceable.
Personally, I like Asirra (http://research.microsoft.com/asirra/).
Zooba on November 21, 2007 3:30 AM
I find the google ones to be almost impossible to read. Those things are a nightmare, especially for those with dyslexia
steph on November 21, 2007 3:41 AM
Yeah, and ORANGE is really difficult as well.
What I wonder about is if Google would open source their captcha generator, would that make it easier to decode the images?
Mike on November 21, 2007 3:43 AM
"Other people have said it here, but I'll say it too: if you want scalpers to go away, sell tickets at market prices. At the right price, the show will sell out, but the last ticket will be sold only a little bit before the show begins. Just about anybody willing to pay the price will have gotten a ticket."
I really don't understand this. Surely the scalpers will just buy as many tickets as possible right at the start, when the demand is lower, and then take advantage of the price spike at the box office at the end. Basically, what they do now, except that the box office price will rise as well, so there's no place you can go to get a decent price. How does this benefit *anyone* but the scalpers?
My assumption when I hear this is that they've heard the "Market Cinema prices" (see the Wisdom of Crowds book I talked about) and overapplied the principle, without considering reduced supply.
On topic, is there any explanation for why Google's captchas are so secure and Ticketmasters aren't? Is it simple overlap?
deworde on November 21, 2007 4:24 AM
The example on the Asirra page is ridiculous. Some of the images can barely be seen at that size.
Venkman on November 21, 2007 4:36 AM
Ticketmaster is right: CAPTCHA is pointless if one can earn $100 by solving a single puzzle. You don't even have to hire Chinese sweatshops, anyone would work 8 hours a day for that wage.
CAPTCHAs might work for protecting near-worthless assets like email accounts but not for REAL MONEY!
If you've ever been to any professional sports event, you've seen the army of scalpers outside. There's easily 100 of them at any Colts or Pacers game. Multiply that by 32 NFL cities, a few more with NBA and no NFL, etc, and nationwide, you've got a real army of thousands of professional "ticket brokers." Add in to that a few thousand opportunistic ticket resellers who know that a show like Hannah Montana will generate an easy profit (like the $$ I made in college in '85 waiting in line all night at the local Karma records to buy springsteen tickets to resell in the local paper's classifieds) and it's easy to see that it's much more likely that the ticket shortage and resale prices are caused by a few thousand ticket resellers nationwide who each bought their allotment of 8 tickets instead of a small number of resellers using broken captcha to buy hundreds or thousands of tickets each.
Yes, some captchas are bad, hacks for them can be purchased. But that doesn't seem like the most obvious and easy answer to what's happened here.
Jim Minatel on November 21, 2007 4:51 AM
I still believe putting the burden on humans is the wrong way to go. I've had great success with detecting the bots instead: http://nedbatchelder.com/text/stopbots.html
Ned Batchelder on November 21, 2007 4:54 AM
The issue isn't about producing some kind of pure captcha but simply of making the cost of breaking it exceed the potential benefit of breaking it.
So sure, as some people say, spammers could create a pr0n based mechanical turk to break google's captchas because they cannot be broken programmatically. Or some sort of spammer labs central could produce some kind of uber-captcha-smasher. But the cost of doing these things will hopefully damage their operation's profit model.
That's all the police on your street corner hope to do - they don't make hardened criminals turn away from crime just by existing, they simply try to ensure that the cost of committing a crime exceeds the benefit.
Rob Moir on November 21, 2007 4:56 AM
Actually, many spammers use much simpler methods to break captchas...
1. Throw up a porn site.
2. Pay for visitors.
3. Write software that screen captures / reproduces CAPTCHA on victim's website and then displays it on free login at porn site.
4. Porn visitors answer CAPTCHA for spammer.
5. Spammer software automatically enters correct CAPTCHA as inputted by porn site visitor.
It is quite simple and makes CAPTCHAs very weak. The only thing that makes CAPTCHAs useful is if you have an equally valuable competitor who doesn't use them, which will divert the attention of spammers to that low hanging fruit first.
Russ Jones on November 21, 2007 5:16 AM
Hey Now Jeff,
Very interesting post. 'Hack CAPTCHA' made in China. Seems everything is made there huh? Thx 4 the info.
Coding Horror Fan,
Catto
A captcha that uses grainy backgrounds or different colors is ridiculous... convert the image to binary (just black/white) and apply erosion: you're left with letters every time, while the grainy and multi color backgrounds only added complexity to the human reader.
Jim on November 21, 2007 5:31 AM
Ben Houston wrote:
I'm a computer graphics programmer (with a number of publications to my name) and if you paid me a couple grand, I could write software to decode Google's captchas. It would take no more than a couple weeks. They are a challenge but by no means impossible.
Jeff Atwood replied:
I often see glib claims like this, and I'll say the same thing to you that I mentally say to all of them: SHOW ME. Heck, if it's so easy, why don't you show the entire class?
I'm purposely not making these two comments anonymous while claiming that I can break it after a couple weeks worth of work. I am open to freelance arrangements. I'm not so insecure that I will spend a bunch of time to do this for FREE just to show people up, but I am open to payment only on success arrangements.
Ben on November 21, 2007 5:38 AM
I would respond to this post on the merits of CAPTCHAs and their current state, but your "evil, profiteering bastards" comment got me off track.
Re: CAPTCHAs? Join this forum for a month ($99) just to see the current state of affairs:
http://seoblackhat.com/
Apparently working captcha-breakers can fetch as high as $10k.
Shanti Braford on November 21, 2007 5:38 AM
Hmm. Frankly, if all their captchas were like the 'licit' example, I wouldn't believe for a second they were unbreakable. The others are great, so many edges touching, bright colours and a curvy effect on the type face. Did Google make captcha sexy?
Matt on November 21, 2007 5:57 AM
I often get "Oops, CAPTCHA appears to be invalid.." from digg.com and it confused me so much.
I know what is wrong now. thanks.
BTW, this site always lets you enter the word ORANGE. I bet it is the simplest CAPTCHA in the world.
Another vote for http://recaptcha.net/
"reCAPTCHA improves the process of digitizing books by sending words that cannot be read by computers to the Web in the form of CAPTCHAs for humans to decipher. More specifically, each word that cannot be read correctly by OCR is placed on an image and used as a CAPTCHA."
Nick L on November 21, 2007 6:20 AM
It looks like one big diff between Google and Ticketmaster is that Google is using much tighter letter-spacing, and Ticketmaster is using the stock amount.
Scott on November 21, 2007 6:27 AM
One thing I noticed about the google captcha is that it always has a recurring letter differently deformed. I guess that throws off a lot of OCR apps.
Ben Blok on November 21, 2007 6:33 AM
"Jeff, have you looked at http://recaptcha.net/ ??"
reCaptcha accepts wrong answers, not the most secure thing in the world.
Steve on November 21, 2007 6:41 AM
What about letters made out of letters with a little swirl for effect?
BBB HHH
B H H
BBB HHH
format didn't come through. oh well u get the idea
Wouter Lievens: "Jeff, mind telling us how good you think your captcha is? :-) The gothic letters don't seem that difficult to OCR."
Did you bother to read the first article Jeff wrote on CAPTCHA (that he linked to) before posting to this one, like he suggested? The first article discusses the CAPTCHA used on this site (including always using the same word) in depth.
KenW on November 21, 2007 6:45 AM
It may be more than just a problem with captchas being broken. Might be a cookie problem . . . .
I recently had to buy tickets from TicketBa$tard, and here's what I did: (This was a pre-sale event - tix on sale at 10:00 am - I was online at 9:59, etc.) They said they were only going to show me 8 tickets at a time. They kept showing me the same 8 tickets, and they were lousy seats. I'd say no, the tickets would go away, and they'd show me the same 8 lousy tickets.
I had 8 or 9 browser windows open, and all of the tickets from each session were starting to show up in all the open windows. I kept discarding the tickets, and they'd show me 8 more, and they were different tickets. When a session would time out, I would hop to another open session. Eventually, I had about 200 tickets being offered to me, and the tickets offered at the end of the list were front row of the side sections, next to the stage. I removed the first 195 tickets from the session, and bought 5 tickets near the stage.
It shouldn't be like this . .. it shouldn't be this hard . ..
And you're assuming that ticketmaster (or its employees) *doesn't* do some of this itself, on the side, as a way of increasing profits?
Ian on November 21, 2007 7:13 AM
This is interesting.. I wonder how big their dictionary is at Ticketmaster because I know for a fact that I have gotten the word Bilbo before through their system. Maybe the hackers have a limited dictionary that they have formed that makes dealing with Ticketmaster's CAPTCHA much easier.
Ryan Smallegan on November 21, 2007 7:15 AM
Surely you're not suggesting that we should implement our own CAPTCHA. Granted it's not tremendously difficult using some of the current graphics apis to produce and check the image but it's not like our clients can tell the difference or for that matter are willing to pay for the difference.
And how exactly do you test against Chinese hackers? Certainly you can test some OCR but that would be a tedious process that would be very difficult to automate.
Martin on November 21, 2007 7:25 AM
Google's captcha is the only one I can read easily. There are a lot that I can't make out at all. The other day I tried an audio captcha at some site where I couldn't read it and it was even worse. There was so much background noise (which was intentional) and different voices that I couldn't tell whether one of the numbers was significant or background noise.
Mike on November 21, 2007 7:28 AM
"reCaptcha accepts wrong answers, not the most secure thing in the world."
One of the words comes from a book, so in theory you could type anything for that word, but the other word is a computer generated word, so you have to type in the correct word.
Saral on November 21, 2007 7:29 AM
Hey, I got an idea:
Let's make scalping illegal.
I know, I know, then how will all the uncreative idiot leeches of society make a living....
ryan on November 21, 2007 7:32 AM
"Ticketmaster is right: CAPTCHA is pointless if one can earn $100 by solving a single puzzle..."
You missed the entire point of the post. The CAPTCHA concept is not flawed, it is the way it is implemented.
joshua on November 21, 2007 7:36 AM
Hmmm... you could always automate everything but the CAPTCHA, and enter it manually.
Build an app that prompts you for the CAPTCHA text over and over upon each ticket request.
Looking at the TicketMaster's implementation, I doubt any OCR mechanism is successfully reading the text.
Actual implementations of OCR are only 90% accurate at best, and this is with completely readable characters
CptBongue on November 21, 2007 7:39 AM
captcha has been broken for a long time now. Look at Malik's research on shape matching:
http://www.eecs.berkeley.edu/Research/Projects/CS/vision/shape/
He doesn't come out and say it's specifically for breaking captcha, but what else could it be for?
Capt. Jean-Luc Pikachu on November 21, 2007 7:45 AM
Hell, for low-level CAPTCHA you can get a copy of XRumer, automated software from Russia that blows through weak forum, email and comment CAPTCHA.
alone413 on November 21, 2007 7:46 AM
Pretty cool--the WSJ article has a link back to your blog!
Another strategy that might be just as effective is to switch up the captcha method right before a new concert series goes on sale. The bots wouldn't have time to adjust, even if they might ultimately be able to program a way to OCR the captcha.
Brad on November 21, 2007 7:48 AM
With regard to Google's CAPTCHA being better than Ticketmaster's:
I wonder if it's possible that there exists an application to defeat Ticketmaster's CAPTCHA with 50% success simply because there's more of a financial incentive for such an app than there is for defeating Google's? Google's mangled text looks pretty similar to Ticketmaster's, except for the pretty colors and lack of a grid.
Yeah, scalpers are parasites. But on the other hand, wouldn't you want the option to see Hannah Montana for $237 rather than not being able to attend a sold-out show at all? (Well, maybe not H.M. but insert your favorite artist). By adding another market to the "lottery" system of popular concerts, the scalpers assure that there will be some supply available to those who really want it. Got to be a better way to achieve this though.
@Ryan: Seems like I got "bilbo" before as well. Is "bilbo" the new "orange"?
"Let's make scalping illegal."
Congratulations on the worst idea promoted on this thread. Criminalizing this activity could distort market prices for some shows even further by creating a true black market for it. Furthermore why would you remove someone's freedom to sell a ticket that they paid for?
adrian on November 21, 2007 7:59 AM
we might have all missed the point here- $237 average for Hannah Montana- With a high of $749 on the floor in Charlotte Bobcat Arena later this week?????
If I could turn a $500 profit on each of 8 tickets I would, wouldn't you? That would buy a great workstation. : )
David on November 21, 2007 8:02 AM
See the captcha at the bottom of the page.
http://www.fairplaygames.com/cust_service.asp
It is a new ascii based captcha. I don't know why I never thought of that! Ticketmaster should take note.
Michael Bailey on November 21, 2007 8:09 AM
Scalpers are merely buying and selling a product. While I've had my rants against scalpers from time to time; they really are innocents in this. If you have a ticket to the upcoming Mega-Star-Tour... will you sell it for face value when a scalper will sell it for 500 bucks or more (knowing it will most likely be sold)?
It's an economics lesson: Supply vs. Demand. Up the supply and demand for the scarcity will drop. I wanted to see the Police, but the closest show had a face value of (I believe) 75 bucks for the nosebleeds... then add on the surcharges that Ticketmaster tacks onto EVERY ticket, then add on the surcharge that a scalper tacks on (since the tickets sold out before going on sale... yes you read that right... if you weren't part of the "pre-sale", you got nothing).
End result: I'll just wait and pray that the Police release either a live DVD of the tour (nudge to them... Christmas is FAST approaching!), or I get nothing.
The answer to end scalping is for these in-demand artists to perform more. When I was a kid, it wasn't uncommon for large acts (like Bruce Springsteen or the Rolling Stones) to play the local FOOTBALL STADIUM for like 4 days. Scalpers would charge you less "premium" than Ticketmaster. Now everyone plays 1 show, jacks the price as much as they can and then scalpers buy all the tickets.
Bah... I guess I'm just getting older and crustier.
wes on November 21, 2007 8:29 AM
Content based CAPTCHA is the way to go. For example Chew and Tygar http://www.cs.berkeley.edu/~tygar/papers/Image_Recognition_CAPTCHAs/imagecaptcha.pdf created a system that shows six pictures and asks which is different. Easy for humans, hard for computers.
Richard Hollos on November 21, 2007 8:33 AM
What about look for the cute kitten? I would love to see some AI software trying to distinguish between a cute kitten and a toilet bowl.
blip on November 21, 2007 8:38 AM
OT: Isn't CAPTCHA redundant? Seems like "(C)ompletely (A)utomated (P)ublic (T)uring test" is sufficient. The rest, "to tell (C)omputers and (H)umans (A)part", is, I think, well-captured by "Turing"
CAPT: Wilbur. Wil outside no coat winter.
RHH on November 21, 2007 8:41 AM
Why is captcha always about typing some characters you see?
How about putting an image like of a tree and asking the question "What do you see?" If you didn't enter "tree" in your first 3 attempts, the server will block you.
AFAIK, there isn't any image recognition software out there yet.
BTW, this site seems to be effective against comment spam. I am not seeing any. Maybe Jeff can talk about what he's using.
Abdu on November 21, 2007 8:43 AM
ya, speaking of captcha, how comes yours is always the SAME word? doesn't seem very secure to me...
-sarah
Speaking of captchas, I'm surprised yours works so well. I agree with your assessment of Google's technique. This throws back to my comment on "Competing with the Internet." Ticketmaster should not have tried to reinvent the wheel that Google had already perfected.
Mattkins on November 21, 2007 8:52 AM
adrian, I agree that outlawing scalping is a bad idea, but for a different reason.
The creation of a real black market might make the black market tickets cost more, but this would only happen if the number of tickets on the market decreased (creating higher demand). Less tickets on the black market means more tickets for legitimate direct buyers.
The reason I think it is a bad idea is the Coase theorem: basically, if transactions are cheap (in this case, low risk) then the tickets will end up in the hands of whoever values them the most. If transaction costs are high (in this case, high risk) then the tickets will end up in the hands of whoever happened to get them first.
I'm not defending scalpers, but I do believe in the free market (not that it is perfect), and I can't reconcile that belief with the belief that scalping should be illegal. It seems to me just like any other kind of arbitrage or investment.
Paul Butler on November 21, 2007 8:58 AM
SHOW ME. Heck, if it's so easy, why don't you show the entire class?
Not only that, but if someone's willing to pay $6k just for the software to break Ticketmaster's Captcha 50% of the time, there's got to be some monetary incentive in actually breaking Google's.
Then again, if Ticketmaster had reasonable prices I might be willing to pay $6k to bypass their crap just so I don't have to try the damned thing 5 times and end up with a terrible seat every time I want to see a big name play at a large venue (thankfully the small venues in my area don't usually sell out and don't have seats).
Vizeroth on November 21, 2007 9:03 AM
Honestly, I don't see how Google's is unbreakable. Each letter is quite clear, and while OCR may not be able to recognize the letters, there are algorithms that could trace the outlines for each character and then with enough training, it could recognize those letters easily.
mos on November 21, 2007 9:07 AM
Other people have said it here, but I'll say it too: if you want scalpers to go away, sell tickets at market prices. At the right price, the show will sell out, but the last ticket will be sold only a little bit before the show begins. Just about anybody willing to pay the price will have gotten a ticket.
To respond to poster "deworde":
Enron did not exist in a free market. Neither did all the telecoms that went bust. Neither the energy nor the phone markets are close to free markets in this country.
The Dot-Com crash? How was that a bad thing? A bunch of companies that didn't do anything useful went under. A bunch of companies that survived were forced to become more efficient. Some companies whose only market was to support all this excess went under too.
Mike on November 21, 2007 9:27 AM
As someone who actually writes commercial OCR software, I would guess that I could write something that could read the Google strings at a fairly high success rate. Though if you put the time and money in, the Yahoo and Hotmail ones could also be read by current OCR technology (at some lower success rate).
Jeff, you are totally right!
Funny thing is that I was presented with a ticketmaster CAPTCHA and I was myself unable to solve it and lost my good spot. Ticketmaster's ones are really the worst I have seen so far: given that they are breakable, they should go back to the basics.
How long before they break KittenAuth?
http://www.thepcspy.com/kittenauth
@Capt.Jean-Luc Pikachu: Actually he does come out and say it: "Breaking a visual CAPTCHA" http://www.cs.sfu.ca/~mori/research/gimpy/
@blip, abdu: 'Image' CAPTCHAs: http://www.captcha.net/cgi-bin/esp-pix
Some of them are a bit weird, and not easily human-solvable.
- Roddy
Roddy on November 21, 2007 9:39 AM
convert the image to binary (just black/white) and apply erosion: you're left with letters every time, while the grainy and multi color backgrounds only added complexity to the human reader
Exactly. Many of the pictured CAPTCHA algorithms waste their time shifting colors or contrast when it makes no difference whatsoever to an OCR algorithm. If a person can read it (and a person *has* to read it for it to work!), then so can OCR. Varying color/contrast is a complete waste of time. Distortion and perturbation are the only thing you need, at least according to Google's highly effective CAPTCHA image algorithm.
Jeff Atwood on November 21, 2007 10:01 AM
I love the Ticketmaster one that is just grainy, but undistorted. It looks just like a bad fax, and that's a basic, basic OCR problem.
Scott on November 21, 2007 10:07 AM
I personally have about a 50% success rate at deciphering Ticketmaster's captchas. I have no idea what the lower right Ticketmaster image is and I only have a guess on the upper left image! Also, their servers are woefully incapable of handling the demand during large events. When they are overtaxed, the captcha shows up as a little red x. This is especially frustrating when you manage to make it to the top of the queue for something like the first game of the World Series, only to be booted out because your captcha image won't load!
I liked the idea of simply showing some random image and asking "What is this?" You could even provide a simple multiple choice solution:
"a. A Tree b. An Umbrella c. A Car d. A Bicycle". For global companies, simply provide a language option.
The main reason Ticketmaster is so much easier than Google's is that Ticketmaster use words from a dictionary!!
This makes the task much easier. Once you've got a few characters you can then reference a dictionary to fill in the ones you can't recognise.
With the google ones you've got to get every single character by OCR.
Everyone knows you don't use words found in a dictionary for secure passwords, same goes for these.
Toby on November 21, 2007 10:08 AM
Why not print the original buyer's name on the ticket, then require photo id at the gate? How would a scalper get around that?
Milivoj on November 21, 2007 10:18 AM
Seems some of ya’ll don't understand how scalping works. At the risk of creating more scalpers--here's how to be a scalper:
Demand for an event is a bell curve. A tiny number of people are willing to pay $10,000. A few more will pay $1,000. Many will pay $100. A lot will pay $50. Some would pay $20 and a few would pay $5. (At the bottom end we're taking people who simply aren't interested and are going out of curiosity)
The best way to make money would be to charge everyone the max they would pay. However, there's no way to do that. So, instead Ticketmaster has to compromise on a price that will result in the most successful concert.
For Ticketmaster there are two factors:
1) Max of Money
2) Happy Fans
Say the ticket price that would bring the best overall return is $250. But, it would only half fill the seats in the arena. Fans don't like going to empty concerts. Artists don’t like performing at empty concerts. In short, if the concert hall isn’t packed, Ticketmaster will lose the next gig to a competitor. So Ticketmaster has no choice but to under price their tickets in order to keep the fans happy and maintain the power of their brand. So, we have the absurdly low price of $63.
Oops, scalpers buy them up and resell at $250. Scalpers don’t care if only half the tickets sell. The half that do sell will pay for the original purchase plus 100% profit.
Unlike Ticketmaster that must keep fans happy. Keeping fans happy has no economic benefit for the scalper. If the scalpers destroy Ticketmaster’s business, they’ll simply go on to scalp the tickets of whatever competitor that takes over Ticketmaster’s business.
That ladies and gentlemen is how to be a scalper.
A few people have suggested using "free" porn sites as a way to break CAPTCHA's (i.e., if the wanker wants to see the porn, he has to solve a captcha from another site). That isn't a reliable way of breaking captcha's for time-sensitive applications like buying tickets when they go on sale. For buying tickets, you want a guarantee that a certain number of people will be available to solve captcha's exactly when you need them. The best way to do that is to employ some people. It's a low-skilled job, but you pay someone enough and they'll do it. If they quit, you can train someone else in 10 minutes. Set up the system so that everything else is automatic.
Brendan Dowling on November 21, 2007 10:39 AM
Jeff,
You're right.
David Ginger on November 21, 2007 10:42 AM
Roddy: Oops. Well, no one's ever accused me of being literate...
Capt. Jean-Luc Pikachu on November 21, 2007 10:52 AM
Maybe you all might be interested in my post.
Niyaz PK on November 21, 2007 11:05 AM
A free solution that I use for phpbb (bulletin board) allows me to write questions with the corresponding answers. For example:
1 + 2 = __
2 x 5 = __
Jack and Jill went up the ___
Humpty Dumpty sat on the ___
I've had zero problems using the above (of course I need to be aware of cultural language differences when using nursery rhymes). I realize this isn't a cure-all but is a very simple implementation.
Drew on November 21, 2007 11:13 AM
"Another vote for http://recaptcha.net/" - Nick L
Here's my second vote against reCaptcha.
Accepting wrong answers: dumb
Using dictionary words: dumb
drum roll
http://www.captchakiller.com/ breaks it
I just flat refuse to buy tickets from scalpers and whenever possible--which is most of the time--I do not buy tickets through Ticketbastard (or is it Sticketmaster?)
Frankie Stone on November 21, 2007 11:18 AM
haven't read all the comments, due to the numbers of those, so i apologize in advance if this has been mentioned.
i would suggest making a second (or a third, or a fifth) textbox to enter the numbers/letters and a little icon in front of each one, that changes colors. 2 captchas, one with a string of the color of the text box you have to put the code in, another for the actual string.
wouldn't be all that difficult to write, and if done right would add (almost) no friction for an actual user, but a program would have to 'decode' 2 captchas, and then wonder what the main color of each icon is, then put the string into the correct one.
as a ticket broker i can tell you for a fact that ocr is not necessary to break ticketmasters captcha system. It's fairly simple if you think outside the box
lawrence on November 21, 2007 11:33 AM
For an apropos discussion of the relationships among the mutability of letters, their readability by humans, and their recognizability by computers, see Douglas Hofstadter's _Metamagical Themas_.
Alex Chamberlain on November 21, 2007 11:53 AM
The solution is simple, Ticketmaster is selling at too low a price. If they want to prevent scalpers, they should raise their prices. Then scalpers would not make a profit between Ticketmaster's price and the market price. Then they should discount the prices as the concert date approaches, similar to how stock option prices have a time value and depreciate closer to expiration. Start at $250, the market price, and depreciate down to $1 the day before. If customers want to ensure their seat, they will pay the higher price sooner rather than later. If there are empty seats, they can sell at the door, or invite an orphanage for a free show.
Chloe on November 21, 2007 12:02 PM
@abdu: "How about putting an image like of a tree and asking the question "What do you see?" If you didn't enter "tree" in your first 3 attempts, the server will block you."
Dammit. I tried "birch", "aspen", and even "maple". Doesn't that site's idiot programmer know his trees?
(Note that the exact same problem happens with pictures of kittens - a cat fancier may well enter "himalayan" 3 times and get locked out....
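An added example, not part of any comment here and not phpBB's or any commenter's code: a server-side check for the question-and-answer scheme Drew describes, with the three-attempt block RHH proposes and a set of accepted answers per question, so that "birch" is not rejected where "tree" was expected. The question bank, the token format and every name in it are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time
import unicodedata

SECRET = secrets.token_bytes(32)  # assumption: per-deployment signing key
TTL_SECONDS, MAX_ATTEMPTS = 300, 3  # three tries, as proposed in the thread
QUESTIONS = {  # constructed bank: list every answer a human might reasonably give
    "q1": ("1 + 2 = __", {"3", "three"}),
    "q2": ("Jack and Jill went up the ___", {"hill"}),
    "q3": ("What do you see? [photo of a tree]", {"tree", "birch", "aspen", "maple"}),
}

def normalize(text):
    """Fold case, Unicode form and whitespace so '  Birch ' matches 'birch'."""
    return " ".join(unicodedata.normalize("NFKC", text).casefold().split())

def _sign(qid, issued, nonce):
    msg = f"{qid}|{issued}|{nonce}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def issue(qid, now=None):
    """Return (question text, signed token); the answer never leaves the server."""
    issued = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    return QUESTIONS[qid][0], f"{qid}|{issued}|{nonce}|{_sign(qid, issued, nonce)}"

class Verifier:
    def __init__(self):
        self.failed, self.used = {}, set()  # wrong tries per nonce; redeemed nonces

    def check(self, token, answer, now=None):
        try:
            qid, issued, nonce, sig = token.split("|")
            issued = int(issued)
            valid = hmac.compare_digest(sig.encode(), _sign(qid, issued, nonce).encode())
        except ValueError:
            return "invalid"
        if qid not in QUESTIONS or not valid:
            return "invalid"
        if (time.time() if now is None else now) - issued > TTL_SECONDS:
            return "expired"
        if nonce in self.used or self.failed.get(nonce, 0) >= MAX_ATTEMPTS:
            return "blocked"
        if normalize(answer) in QUESTIONS[qid][1]:
            self.used.add(nonce)
            return "ok"
        self.failed[nonce] = self.failed.get(nonce, 0) + 1
        return "wrong"
```

A small fixed bank can be enumerated by a bot written for one site, so this filters generic comment spam rather than a targeted solver.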
Short answer Jeff:
CAPTCHAs are not broken, Ticketmaster is broken.
Many concerts are high-demand, low availability events and Ticketmaster is the gatekeeper with a ton of conflicted interests.
Goodness knows, it wouldn't surprise me to know that people inside of Ticketmaster's IT are probably "in" on the whole thing.
As to the "free market" touted by other commenters, it may actually be in the best interest of performing groups to do a giant seat-sale auction. Right now, those Hannah Montana tickets are not generating more than $50 for Miley Cyrus yet people are expecting a $200 show. I'd say that it's time for artists to renegotiate, but there's no competition to TM right now, so it's an uphill battle.
But hey, it's back to point #1: TM is broken.
Gates VP on November 21, 2007 12:26 PM
I'm a computer graphics programmer (with a number of publications to my name) and if you paid me a couple grand, I could write software to decode Google's captchas. It would take no more than a couple weeks. They are a challenge but by no means impossible.
Ben on November 21, 2007 12:49 PM
There's a common word illusion going around that basically says that words don't have to be spelled in their correct order to be recognized:
for e.g:
fi yuo cna raed tihs, yuo hvae a sgtrane mnid too
Cna yuo raed tihs? Olny 55 plepoe out of 100 can.
i cdnuolt blveiee taht I cluod aulaclty uesdnatnrd waht I was rdanieg. The phaonmneal pweor of the hmuan mnid, aoccdrnig to a rscheearch at Cmabrigde Uinervtisy, it dseno't mtaetr in waht oerdr the ltteres in a wrod are, the olny iproamtnt tihng is taht the frsit and lsat ltteer be in the rghit pclae. The rset can be a taotl mses and you can sitll raed it whotuit a pboerlm. Tihs is bcuseae the huamn mnid deos not raed ervey lteter by istlef, but the wrod as a wlohe. Azanmig huh? yaeh and I awlyas tghuhot slpeling was ipmorantt! if you can raed tihs forwrad it
Could this be used to make CAPTCHAS more secure?
Gilbert on November 22, 2007 2:00 AM
The comments to this entry are closed.