Typos Hinder ShmooCon Ticket Sales But Still “Sale” Out
Although I was lucky enough to get a barcode in the first round, I was logging on this time to try to snag one for fellow NovaInfosecPortal.com contributor @nathiet. Apparently due to some typos, it turned out to be an ad-hoc hacking contest this time. Those who could successfully hack the system were the ones that got tickets.
Challenge #1 – Find the Link: The first part of the challenge was to find the link. Unlike the last two rounds, the link was at the top this time. Clicking on it usually brings you to the first page of the registration process; however, this time it resulted in a 403 Forbidden error page as shown below.

Challenge #2 – Guess the URL: I guess you had to do some information gathering and figure out the cart system they were using. Armed with this data, you knew that “/cart/” needed a little more info. Specifically you had to append “reserve.cgi” to it. So the whole URL would have been:
https://www.shmoocon.org/cart/reserve.cgi
Several tweeps in Twitterland seemed to figure this out before I did; I saw tweets from @bbaskin, @KPOsborn, and @joerussbowman echoing this suggestion. Congrats to them for being the first to figure it out and post about it. I’m sure others discovered this too but keeping it to themselves has its advantages in cut-throat hacking contests like this one.
Several others (@ryancnelson) reported that restarting your browser also worked. And there were some complaints about a bad ticket link on a “cacheable” page that prevented some early risers from accessing valid codes.
Overall, I was guessing the initial link they posted was wrong and either typing it manually or restarting your browser (only after they fixed the link) to clear the cache worked. The cache part doesn’t make sense though because I was doing a hard refresh (i.e., Shift- or Ctrl-Refresh) in both Firefox and Safari. Apparently, it wasn’t “hard” enough as compared to restarting your browser. For me the story ended after tons of refreshing and the site stating the following message.

Challenge #3 – Enter the Captcha: As you know the next challenge was to enter the Captcha correctly. I could go on about this but 1) I never got there and 2) you can read about my Captcha horror stories in “Ticket Buying War Story.”
The Rest of the Story
Well that’s about it for the first 15 minutes or so. After an hour the ShmooCon folks posted a nice message to explain what happened.
“2010-01-01 17:52:20 : That was fast…
Another round of ticket sales, another adventure. The good news is the new server has way more capacity than the last and the webpage was responsive the entire time. The bad news is we inadvertently redirected the reservation code page to an insecure page (which the webserver won’t allow). We updated the landing page with the right link once we realized the mistake, but at that point we were already so close to selling out that the majority of you were still affected.
The good news is we have logs and have already sent an email to everyone who made it through the reservation process. If you haven’t received an email by now, please try again next year – but also please check back in the weeks leading up to the con as we have more surprises up our sleeves. No not more tickets, but good things none-the-less.
Happy New Year everyone. Our resolution? Do everything we can for a successful ticket sales experience for ShmooCon 2011.”
Yes, the server had WAY more capacity this time; it barely slowed down. Great job!!! Of course the second statement is off some from the little bit of research I did. In the above message, I think they are talking about the page AFTER you successfully chose your tickets and entered the Captcha. It does not address a potential second bad link typo on the Registration page that resulted in the initial 403 Forbidden error I described above.
What do you think happened regarding the bad link on the Registration page? Yadda, yadda, … comment below … and all that.
Regardless, the ticket sales phase is finally over and I imagine that those who wanted tickets either got them or will acquire them through other means. Now it’s on to doing con prep and all the surrounding excitement. See you all in February!!!



Good point. Think they were talking about something else @ryancnelson .. unfortunately. http://ow.ly/RJOm
This comment was originally posted on Twitter