Web guy at ArrayWebDevelopment.com; author of books & blogs. See: JPDbooks.com.
Most people would never consider a link between web site security and festivals. But, in reality, there are numerous parallels between these two ostensibly different worlds. In fact, visiting a secure festival these days is an excellent example to use when discussing web site security, primarily because the comparison illustrates very well how so many aspects of web site security represent conscious decisions that programmers make. So, let’s consider a festival scenario, and look at the kinds of rules in play.
Arguably, the most iconic aspect of any modern festival-goer’s overall ensemble, even more ubiquitous than all of the outrageous fashion and plumage, has to be the wristband. So, let’s make some random observations about these lovely access-granting accessories. (I made all of these observations recently at the Sasquatch music festival in central Washington, by the way.)
Let’s explore that last point a little more, though, because it presents us with another interesting parallel to the web world. Clearly, one reason that such a system tracks you (even by simply marking you as inside vs. outside) has to do with further controlling unpaid access. If you could simply scan a barcode and be inside, then:
However, when the state (inside vs. outside) is tracked, those two possibilities go away. If someone tries to access the festival with the same barcode, the scan would fail. It would most likely alert the barcode scanner user that the code scanned is already inside.
So, you will likely notice that, whenever you leave a festival during the day, you probably have to scan out as well. The above items are the reason for this; you need to be able to come and go, but it’s either/or as far as the system is concerned.
It’s interesting in this scenario because, essentially, it’s a system where double logins (or, really, multiple logins) are disallowed. Compare that to various web sites that you visit, and you will start to see that the web site owners can make a conscious choice about this.
Netflix comes to mind, for example, because it allows multiple logins. You may think you’re getting away with something by using a relative’s Netflix password, but it’s clearly a conscious choice on their part because it would be easy for them to disallow such things, and in many complex ways as well.
Other systems do not allow it, or they might allow it only if you pay for it. I’m thinking of Adobe Creative Cloud, for example. I have that on a few of my machines, and sometimes it tells me, “Hey, you’re logged in on this other machine. Should we log you out of that before we let you log in on this one?” So, yeah, it knows exactly what you’re doing.
The festival I attended was three days. At the end of each day (around 1:30 a.m.), no one needed to scan out. So, they must have a clearing query that they run once a day is over (or, more likely, before the next day begins), which freshly marks everyone as being outside. This is a clever, and practical, approach, really, as you have thousands of people leaving at once; there’s no need to manually scan all of those people out. But, in terms of good examples of bad design, I’ve come across plenty of systems that have opportunities like this but do not code them.
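The inside/outside rule and the end-of-day clearing query can be sketched as follows. This is an added example, not the festival's actual system: the table layout, function names and wristband codes are assumptions made for illustration.

```python
import sqlite3

def open_gate_db(codes):
    """In-memory table of issued wristbands; everyone starts outside."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wristband ("
               "code TEXT PRIMARY KEY, inside INTEGER NOT NULL DEFAULT 0)")
    db.executemany("INSERT INTO wristband (code) VALUES (?)",
                   [(c,) for c in codes])
    db.commit()
    return db

def scan(db, code, entering):
    """Flip the state with one conditional UPDATE, so two gates scanning
    the same code at the same moment cannot both succeed."""
    want, have = (1, 0) if entering else (0, 1)
    cur = db.execute(
        "UPDATE wristband SET inside = ? WHERE code = ? AND inside = ?",
        (want, code, have))
    db.commit()
    if cur.rowcount == 1:
        return "ok"
    known = db.execute("SELECT 1 FROM wristband WHERE code = ?",
                       (code,)).fetchone()
    if known is None:
        return "unknown code"
    return "already inside" if entering else "already outside"

def nightly_reset(db):
    """The clearing query: mark everyone outside, return how many were reset."""
    cur = db.execute("UPDATE wristband SET inside = 0 WHERE inside = 1")
    db.commit()
    return cur.rowcount

def demo():
    db = open_gate_db(["WB-0001", "WB-0002"])  # constructed sample codes
    return [
        scan(db, "WB-0001", entering=True),    # first entry
        scan(db, "WB-0001", entering=True),    # same barcode, second gate
        scan(db, "WB-0001", entering=False),   # scan out
        scan(db, "WB-0001", entering=True),    # legitimate re-entry
        scan(db, "WB-9999", entering=True),    # code that was never issued
        nightly_reset(db),                     # end of day
        scan(db, "WB-0001", entering=True),    # next morning, no scan-out needed
    ]

if __name__ == "__main__":
    print(demo())
```

On a web site the same shape applies to a one-session-per-account rule: the conditional update is the login, and the reset is a session expiry job.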
Another parallel beyond multiple users is that of multiple user levels. At the festival I attended (like so many others), various wristband designs could be seen, such as:
Much like a web site, various areas are only accessible to various groups. I actually attended this same festival for the past three years as a media member, which allowed me access to all sorts of places that general access attendees could not visit. But, even as media, there were plenty of places I couldn’t go.
I know this because I tried, just to see if I might have been able to meet Robert Plant — which, sadly, I was not allowed. On the other hand, that’s exactly how and why these types of systems are designed.
I was, however, allowed backstage from time to time, in prior years, depending on where I tried to access. It was inconsistent, though, which is indicative of holes in a security system. (They’ve since patched these “holes.” Too bad, as it was neat to photograph bands from the side sometimes.) This happens in web sites, as well, if the levels aren’t properly and consciously defined.
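The inconsistency described above (the same area admitting different people depending on which entrance is tried) can be caught by auditing every checkpoint's rule against the others guarding the same zone. This is an added example, not the festival's system: gate names, zone names and the "artist" level are assumptions, and the data is constructed.

```python
from collections import defaultdict

# Constructed data: each checkpoint (web analogue: each route or handler)
# names the zone it guards and the wristband levels it admits.
CHECKPOINTS = [
    {"gate": "main-entrance", "zone": "grounds",
     "allow": {"general", "media", "artist"}},
    {"gate": "stage-left", "zone": "backstage", "allow": {"artist"}},
    {"gate": "stage-right", "zone": "backstage",
     "allow": {"artist", "media"}},               # rule has drifted
    {"gate": "loading-dock", "zone": "backstage"},  # no rule written at all
]

def may_enter(level, checkpoint):
    """Deny by default: a checkpoint with no rule admits nobody."""
    return level in checkpoint.get("allow", set())

def find_inconsistencies(checkpoints):
    """Report checkpoints with no rule, and zones whose gates disagree."""
    by_zone = defaultdict(list)
    for cp in checkpoints:
        by_zone[cp["zone"]].append(cp)
    findings = []
    for zone, cps in sorted(by_zone.items()):
        for cp in cps:
            if "allow" not in cp:
                findings.append((zone, cp["gate"], "no rule defined"))
        ruled = [cp for cp in cps if "allow" in cp]
        if len({frozenset(cp["allow"]) for cp in ruled}) > 1:
            gates = ",".join(sorted(cp["gate"] for cp in ruled))
            findings.append((zone, gates, "gates disagree"))
    return findings

if __name__ == "__main__":
    for finding in find_inconsistencies(CHECKPOINTS):
        print(finding)
```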
Of course, the festival I’m describing depends on security personnel actually using the equipment provided to scan people in and out. There’s also, in such “systems,” an inherent risk of the human factor. For example, let’s say a front-gate worker attempts to allow festival access to his or her friends by simply not scanning them in. That kind of thing is a risk, though perhaps somewhat tough to pull off reliably.
But, it goes as well for various checkpoints mentioned (such as backstage access). Sometimes the workers simply wave you in without using the tech. This is all somewhat akin to inside-type risks with larger sites. What if an employee simply sets up an account for a friend, for example? Things like that happen and, if they do (and if they’re problematic), then policies could be explored to address these vulnerabilities.
At the festival I attended, although all of the above was in place, that was pretty much the extent of it. From my observations, I’d say they probably also use the data for information purposes, such as:
It’s interesting because it’s all still pretty new. As far as it’s come from the days of actual ticket-stubs, one wonders how far it’ll go. For example, what if wristbands could track physical movement through a venue? With that, they could then know:
What’s interesting, of course, is that the above already exists in a web site context, and has been pioneered by larger ecommerce sites. In the physical world, advanced systems have been coming on board as well, using all sorts of advanced tech to track physical paths through retail stores. (Here’s an article with an overview of some of those newer technologies.)
In a web site context, and indeed in a festival context, regardless of all of the various measures consciously put into place, one has to wonder what the appropriate level is for some things. There’s generally a common-sense metric that I recommend, which is that, in terms of system security (e.g., guarding against hackers), it’s a pretty good idea to do all you can, within reason. But, when guarding against, say, users who might try to game the system in some way, perhaps a different rationale is called for.
I remember talking to a guy once who had ebooks for sale, and I pointed out that, if a user were really savvy, the system paths to the ebooks could be discovered and the ebooks could be potentially downloaded without paying. His response was, “Maybe so, but that’s such a small percentage of my users. If someone’s that desperate to get something for free, I don’t even care about them.”
He may have had a practical point, as well. What a site owner might also do is weigh the cost of any such lost sales against the cost of developing the technology to prevent them. If it costs someone $4,000 to develop tech that’s going to save less than $4,000, then it’s probably not worth doing (in most scenarios).
My gut feeling here is that, on the whole, this festival is applying a lot of appropriate tech. I’m actually not so sure on the plastic collar, as I do suspect there’s some liability there, as noted. Plus, I simply don’t feel that there’s a huge issue with people removing wristbands. (I’ll concede that’s 100% opinion with zero data to back it up. But, with everything else in play, I’d be surprised if this made much of a difference.)