Most people would never consider a link between web site security and festivals. But, in reality, there are numerous parallels to these two ostensibly different worlds. In fact, visiting a secure festival these days is an excellent example to use when discussing web site security — primarily because the comparison illustrates very well how so many aspects of web site security represent conscious decisions that programmers make. So, let’s consider a festival scenario, and look at the kinds of rules in play.
Arguably, the most iconic aspect of any modern festival-goer’s overall ensemble, even more ubiquitous than all of the outrageous fashion and plumage, has to be the wristband. So, let’s make some random observations about these lovely access-granting accessories. (I made all of these observations recently at the Sasquatch music festival in central Washington, by the way.)
- Each attendee has to wear a wristband for access. That rule is pretty much universal for all festivals these days.
- This festival’s wristband was made of printed fabric (tough to fake), had a plastic collar (discussion of this below), a plastic barcode attached (tons of discussion below), and came all packaged in plastic (again, tough to fake — although this part is not required for access).
- The plastic collar mentioned was a rather simple security measure. It’s there to tighten the wristband when you first put it on. The plastic packaging on the wristband warned that the wristband could only be tightened one time using this collar. So, they clearly didn’t want anyone removing wristbands for any reason. After the event, it was difficult to remove the band without cutting it, as the plastic collar would not budge. This is rather unfortunate for most people looking for a keepsake of their attendance. But, what’s worse is that anyone who over-tightened their wristband could probably have hurt themselves, potentially cutting off blood supply to the hand and not being able to loosen it. I wonder what kind of liability a festival might bear for such a thing. (That may sound like a rather unlikely scenario, but with 12,000 drunk people running around, I’m sure it happened to someone, or will in a future year.)
- Wristbands must be authentic / official, of course. Fakes will not work because wristbands nowadays have an attached plastic barcode that must be scanned.
- In terms of the look of the thing, a barcode could possibly be faked, of course, but not easily by most people. So, the look of the wristband — the printed paper, plastic, or fabric of it, as well as the barcode being present — is collectively a security measure. This is actually a good thing not only for the venue, but also for those buying / selling wristbands online from others. A normal person could be fairly sure that a wristband was authentic just by looking at it. I actually bought mine online from a kid on Reddit. Sounds crazy, I know, as it’s not always advisable to give strangers on Reddit a few hundred dollars. But, it was indeed legit, and the nice fabric and packaging helped assure me that I was not getting ripped off.
- Of course, even if a lookalike could be fabricated somehow, it would not work at the event because the barcode is essentially a password. It is tied to a record in a database somewhere. So, whatever the barcode represents (in terms of some string of characters or numbers), that code needs to be (1) unique, and (2) within the official database, in order for the wristband to work. I did not, for this article, spend any time examining the barcode, or what kind of code it ultimately scans as. But, given the level of security otherwise, one would hope that it would be sufficiently well thought-out.
- Given the above description of the barcode essentially being a password, you could say that being inside the venue is quite literally the same as being logged in to a web site or system. When you access the venue, you’ve just literally logged in!
- Most festivals (this one included) take it a step further, though. Not only are you simply authenticated and granted access, but you’re actively marked as being inside the venue as well. This is similar to having a “session” on a web server. It knows who you are, and where you are, more or less.
Let’s explore that last point a little more, though, because it presents us with another interesting parallel to the web world. Clearly, one reason that such a system tracks you (even by simply marking you as inside vs. outside) has to do with further controlling unpaid access. If you could simply scan a barcode and be inside, then:
- People could simply copy barcodes. They could literally Xerox them and make up fake bracelets, and they would always work because that one access code is indeed legit.
- Also, attendees might do things like go inside, and hand their bracelet to someone on the other side of the gate, who would then walk through and also gain access.
However, when the state (inside vs. outside) is tracked, those two possibilities go away. If someone tries to access the festival with the same barcode, the scan would fail. It would most likely alert the barcode scanner user that the code scanned is already inside.
So, you will likely notice that, whenever you leave a festival during the day, you probably have to scan out as well. The above items are the reason for this; you need to be able to come and go, but it’s either/or as far as the system is concerned.
It’s interesting in this scenario because, essentially, it’s a system where double logins (or, really, multiple logins) are disallowed. Compare that to various web sites that you visit, and you will start to see that the web site owners can make a conscious choice about this.
Netflix comes to mind, for example, because it allows multiple logins. You may think you’re getting away with something by using a relative’s Netflix password, but it’s clearly a conscious choice on their part, because they could easily disallow it, in any number of ways.
Other systems do not allow it, or they might allow it only if you pay for it. I’m thinking of Adobe Creative Cloud, for example. I have that on a few of my machines, and sometimes it tells me, “Hey, you’re logged in on this other machine. Should we log you out of that before we let you log in on this one?” So, yeah, it knows exactly what you’re doing.
The festival I attended was three days. At the end of each day (around 1:30 a.m.), no one needed to scan out. So, they must have a clearing query that they run once a day is over (or, more likely, before the next day begins), which freshly marks everyone as being outside. This is a clever, and practical, approach, really, as you have thousands of people leaving at once; there’s no need to manually scan all of those people out. But, in terms of good examples of bad design, I’ve come across plenty of systems that have opportunities like this but do not code them.
Another parallel beyond multiple users is that of multiple user levels. At the festival I attended (like so many others), various wristband designs could be seen, such as:
- general attendees
- band members
- staff (perhaps multiple levels here, as well)
Much like a web site, various areas are only accessible to various groups. I actually attended this same festival for the past three years as a media member, which allowed me access to all sorts of places that general access attendees could not visit. But, even as media, there were plenty of places I couldn’t go.
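To make the parallels above concrete, here is a small model of the gate system as it has been described: a barcode acts as a credential looked up in a database, scanning in creates an “inside” session, a second scan of the same code is refused (the photocopied-barcode and hand-it-over-the-fence cases), scanning out releases the session, a nightly clearing step marks everyone as outside, and checkpoints enforce the wristband’s level. This is an added example written for this article, not code from the festival or its ticketing vendor; the wristband codes, the three roles and the area policy are all constructed assumptions.

```python
"""Toy festival gate: session tracking, single-login enforcement and access levels."""
from dataclasses import dataclass
from enum import Enum


class Role(Enum):
    ATTENDEE = "attendee"
    BAND = "band"
    STAFF = "staff"


# Which wristband levels may pass which checkpoint (assumed policy, not the festival's).
AREA_POLICY = {
    "grounds": frozenset({Role.ATTENDEE, Role.BAND, Role.STAFF}),
    "backstage": frozenset({Role.BAND, Role.STAFF}),
    "production": frozenset({Role.STAFF}),
}


@dataclass
class Wristband:
    code: str          # what the barcode scans as: effectively a password
    role: Role         # the access level printed into the wristband design
    inside: bool = False  # the "session": is this code currently marked as inside?


class GateSystem:
    """Holds the official database of issued codes and their inside/outside state."""

    def __init__(self, issued):
        self.db = {w.code: w for w in issued}

    def scan_in(self, code: str) -> str:
        band = self.db.get(code)
        if band is None:
            return "rejected: unknown code"        # fake, or not in the official database
        if band.inside:
            return "rejected: already inside"      # copied barcode, or band passed over the gate
        band.inside = True                          # log in: open the session
        return "admitted"

    def scan_out(self, code: str) -> str:
        band = self.db.get(code)
        if band is None or not band.inside:
            return "rejected: not inside"
        band.inside = False                         # log out: release the session so re-entry works
        return "exited"

    def checkpoint(self, code: str, area: str) -> str:
        """Interior checkpoint: requires an open session AND a sufficient level."""
        band = self.db.get(code)
        if band is None:
            return "rejected: unknown code"
        if not band.inside:
            return "rejected: not scanned in"       # authentication before authorization
        if band.role not in AREA_POLICY.get(area, frozenset()):
            return "rejected: insufficient level"
        return "allowed"

    def end_of_day_reset(self) -> int:
        """The nightly clearing query: mark everyone as outside. Returns how many were cleared."""
        cleared = 0
        for band in self.db.values():
            if band.inside:
                band.inside = False
                cleared += 1
        return cleared


def sample_bands():
    """Constructed sample data: three wristbands, one per level."""
    return [
        Wristband("A-0001", Role.ATTENDEE),
        Wristband("B-0001", Role.BAND),
        Wristband("S-0001", Role.STAFF),
    ]


if __name__ == "__main__":
    gate = GateSystem(sample_bands())
    print(gate.scan_in("A-0001"))                  # admitted
    print(gate.scan_in("A-0001"))                  # rejected: already inside
    print(gate.checkpoint("A-0001", "backstage"))  # rejected: insufficient level
    print(gate.scan_out("A-0001"))                 # exited
    print(gate.end_of_day_reset())                 # 0 (nobody left inside)
```

The two refusals in `scan_in` are the whole point of tracking state rather than merely checking that a code exists: without the `inside` flag, a photocopied barcode would be accepted every time. Note also that `checkpoint` checks the session before the level, which is the same ordering a web application should use (authenticate first, then authorize), and that the reset does not need anyone to scan out.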
I know this because I tried, just to see if I might have been able to meet Robert Plant — which, sadly, I was not allowed. On the other hand, that’s exactly how and why these types of systems are designed.
I was, however, allowed backstage from time to time, in prior years, depending on where I tried to access. It was inconsistent, though, which is indicative of holes in a security system. (They’ve since patched these “holes.” Too bad, as it was neat to photograph bands from the side sometimes.) This happens in web sites, as well, if the levels aren’t properly and consciously defined.
Of course, the festival I’m describing depends on security personnel actually using the equipment provided to scan people in and out. There’s also, in such “systems,” an inherent risk from the human factor. For example, let’s say a front-gate worker attempts to allow festival access to his or her friends by simply not scanning them in. That kind of thing is a risk, though perhaps somewhat tough to pull off reliably.
But, it goes as well for various checkpoints mentioned (such as backstage access). Sometimes the workers simply wave you in without using the tech. This is all somewhat akin to inside-type risks with larger sites. What if an employee simply sets up an account for a friend, for example? Things like that happen and, if they do (and if they’re problematic), then policies could be explored to address these vulnerabilities.
Mining Logins for Information Purposes
At the festival I attended, although all of the above was in place, that was pretty much the extent of it. From my observations, I’d say they probably also use the data for information purposes, such as:
- knowing official attendance numbers
- knowing attendance by day, and even by time
- knowing how often, on average, people tend to enter, leave, and re-enter during any given date or time-span
It’s interesting because it’s all still pretty new. As far as it’s come from the days of actual ticket-stubs, one wonders how far it’ll go. For example, what if wristbands could track physical movement throughout a venue? With that, they could then know:
- attendance per stage (e.g., at a music festival with many stages)
- paths followed inside the grounds by attendees through the day, which could be used for various purposes from venue design to vendor and concession placement, facility placement, etc.
What’s interesting, of course, is that the above already exists in a web site context, and has been pioneered by larger ecommerce sites. In the physical world, advanced systems have been coming on board as well, using all sorts of advanced tech to track physical paths through retail stores. (Here’s an article with an overview of some of those newer technologies.)
Determining Appropriate Security
In a web site context, and indeed in a festival context, regardless of all of the various measures consciously put into place, one has to wonder what the appropriate level is for some things. There’s generally a common-sense metric that I recommend, which is that, in terms of system security (e.g., guarding against hackers), it’s a pretty good idea to do all you can, within reason. But, when guarding against, say, users who might try to game the system in some way, perhaps a different rationale is called for.
I remember talking to a guy once who had ebooks for sale, and I pointed out that, if a user were really savvy, the system paths to the ebooks could be discovered and the ebooks could be potentially downloaded without paying. His response was, “Maybe so, but that’s such a small percentage of my users. If someone’s that desperate to get something for free, I don’t even care about them.”
He may have had a practical point, as well. What a site owner might also do is weigh the cost of any such lost sales against the cost of developing the technology to prevent them. If it costs someone $4,000 to develop tech that’s going to save less than $4,000, then it’s probably not worth doing (in most scenarios).
My gut feeling here is that, on the whole, this festival is applying a lot of appropriate tech. I’m actually not so sure on the plastic collar, as I do suspect there’s some liability there, as noted. Plus, I simply don’t feel that there’s a huge issue with people removing wristbands. (I’ll concede that’s 100% opinion with zero data to back it up. But, with everything else in play, I’d be surprised if this made much of a difference.)