System's design left buyers vulnerable
Experts: Server setup was recipe for meltdown
Jeff Smith and Chris Walsh, Rocky Mountain News
Published October 26, 2007 at midnight
The Rockies' online ticket system randomly selected potential ticket buyers, meaning there was no first-come, first-served queue as is often the case with such Internet sales.
Paciolan Inc., the California firm that operated the site, also apparently designed the system to lock potential buyers into the same server for 30 minutes. The problem with that approach, experts said, is if a particular server became overloaded, the potential buyer was stuck.
One ticketing industry executive said the whole process was unusual, adding he believes fans got the short end of the stick.
"I think the Rockies need to be held accountable," said Michael Lipman, president and CEO of Tickets of America. "They were definitely not prepared and they could've avoided a lot of this, especially when they had a second chance. I really have to question the capabilities they had to host this sale."
Bob Bowman, chief executive of Major League Baseball's Advanced Media (MLB.com), which worked closely with Paciolan and the Rockies, defended the decisions while acknowledging problems.
"We're not saying everything was done perfectly," he said.
About 18,000 World Series tickets for each game at Coors Field went on sale Monday, but the system crashed after handling a few hundred transactions.
Bowman acknowledged the "external malicious attack" referred to by the Rockies consisted of automated software tools used by ticket brokers/scalpers to get into the site, not hackers trying to take down the site.
"The scope and breadth and frequency of the (attempts by ticket brokers) probably took some people by surprise," he said.
For Tuesday, Paciolan added software to try to combat ticket brokers and MLB.com contributed servers as backup. The remaining tickets sold in 2 1/2 hours.
While the system fared better, it still was painfully slow, and many complained of frozen Web pages and of losing ticket transactions.
Bowman said people were timed out because they weren't able to complete transactions within an eight-minute limit, something he attributed partly to inexperienced first-time buyers.
Bowman said Paciolan used a random waiting room because it is an easier system to build and maintain than a first-come, first-served system, and because it's like a lottery. But that also meant someone entering the site an hour after the sale started had an equal chance at getting tickets.
One Rockies fan started firing e-mails to Paciolan employees Tuesday afternoon. A Paciolan executive wrote back, saying cookies - small text files that track a user - were being used to assign customers to a specific server for 30 minutes. The executive gave steps on how the person could clear the cookie and restart the process.
Experts saw the e-mail as an acknowledgment of limitations of Paciolan's architecture.
"The biggest issue with the approach is that it locks you into the same server for 30 minutes," said Sam Masiello, director of threat management at MX Logic, an e-mail and Internet security firm based in Douglas County.
If the server crashes or is overloaded, users are out of luck until the cookie expires and a new, 30-minute one is set.
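The lock-in the experts describe can be reproduced in a small simulation. This is an added example, not Paciolan's code: the server names, the `Balancer` class, the health flags and the one-minute retry interval are assumptions, and only the 30-minute cookie lifetime comes from the article.

```python
import random

PIN_TTL = 30 * 60  # seconds; the 30-minute cookie lifetime reported in the article


class Balancer:
    """Hypothetical load balancer that pins a client to one server via a cookie."""

    def __init__(self, servers, failover, seed=0):
        self.healthy = {name: True for name in servers}
        self.failover = failover          # True: re-pin when the pinned server is down
        self.rng = random.Random(seed)    # seeded so the run is repeatable

    def route(self, cookie, now):
        """cookie is None or (server, expires_at). Returns (server_or_None, cookie)."""
        if cookie is not None and now < cookie[1]:
            pinned = cookie[0]
            if self.healthy[pinned]:
                return pinned, cookie
            if not self.failover:
                # Strict affinity: the cookie is honoured even though the
                # server cannot answer, so the request fails.
                return None, cookie
        # No cookie, expired cookie, or failover allowed: pin to a healthy server.
        candidates = [name for name, ok in self.healthy.items() if ok]
        if not candidates:
            return None, None
        chosen = self.rng.choice(candidates)
        return chosen, (chosen, now + PIN_TTL)


def seconds_stranded(failover, retry_every=60):
    """Time until a buyer is served again after their pinned server goes down."""
    lb = Balancer(["web1", "web2", "web3"], failover)   # constructed server pool
    pinned, cookie = lb.route(None, now=0)
    lb.healthy[pinned] = False        # the pinned server overloads right after assignment
    now = 0
    while True:
        now += retry_every            # the buyer reloads the page once a minute
        served_by, cookie = lb.route(cookie, now)
        if served_by is not None:
            return now


if __name__ == "__main__":
    print("strict 30-minute pin:", seconds_stranded(failover=False), "seconds")
    print("pin with health check:", seconds_stranded(failover=True), "seconds")
```

Re-pinning on failure only helps the buyer if the in-progress order is stored somewhere every server can read, rather than in the memory of the server that went down.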
Online problems with ticket sales
Potential buyers were selected randomly; there was no "online queue."
The system was designed to assign a user to a particular server for 30 minutes. Experts say that's a problem if the server becomes overloaded.
Internet connections timed out or froze while potential buyers were in the "waiting room" or while they were trying to complete ticket transactions.
Buyers reported once they were in the ticket-buying section, they could order multiple times. Some were allowed to buy more than their allotted four tickets a game.
UPDATE: "EXTERNAL MALICIOUS ATTACK"
The Rockies have filed a complaint with the Federal Bureau of Investigation regarding what the team called an "external malicious attack" on the team's Web site, according to CBS 4 News. The Colorado attorney general's office already said it was trying to determine if any Colorado laws were violated.

