
Hackers Using Bots, Scripts To Lock Down Restaurant Reservations

Posted by Unknown Lamer
from the flaws-in-the-system dept.
Nerval's Lobster writes "Forget about hacking an app or database: for a small cadre of hackers in San Francisco, it's all about writing code that can score them a great table at a hot restaurant. According to the BBC, these developers and programmers have designed bots that scan restaurant Websites for open tables and reserve them. Diogo Mónica, a security engineer with e-commerce firm Square, is one of those programmers. A self-described foodie, he decided to get around his inability to score a table at the ultra-popular State Bird Provisions by writing a script that sent out an email every time the restaurant's reservation page changed. 'Once a reservation got canceled I would get an email and could quickly get it for myself,' he wrote in a blog posting. But soon he noticed something peculiar: 'As soon as reservations became available on the website (at 4am), all the good times were immediately taken and were gone by 4:01am.' He suspected it was automated 'reservation bots at work,' built by other programmers with a hankering for fine cuisine. 'After a while even cancellations started being taken immediately from under me,' he wrote. 'It started being common receiving an email alerting of a change, seeing an available time, and it being gone by the time the website loaded.' His solution was to build his own reservation bot, using Ruby, and post the code in the wild."
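A defender's view of the pattern described in the summary above (slots gone within a minute of release, cancellations taken before the page loads), as an added example that is not part of the original post or of any code from the article. It measures how quickly each client books after a slot becomes available; the log format, client ids and thresholds are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log (not real data): event, ISO timestamp, slot id, client id.
# "open" marks a slot becoming bookable, either at the scheduled release
# or because an earlier booking was cancelled.
SAMPLE_LOG = """\
open,2013-07-26T04:00:00,slot-1,
open,2013-07-26T04:00:00,slot-2,
open,2013-07-26T04:00:00,slot-3,
book,2013-07-26T04:00:01,slot-1,client-a
book,2013-07-26T04:00:02,slot-2,client-a
book,2013-07-26T09:14:30,slot-3,client-b
open,2013-07-26T13:22:10,slot-3,
book,2013-07-26T13:22:11,slot-3,client-a
open,2013-07-26T18:05:00,slot-2,
book,2013-07-26T18:41:52,slot-2,client-c
"""


def booking_latencies(log_text):
    """Return {client: [seconds between a slot opening and the client's booking]}."""
    opened = {}                      # slot id -> time it most recently became bookable
    latencies = defaultdict(list)
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:
            continue                 # skip blank or malformed lines
        event, ts, slot, client = row
        when = datetime.fromisoformat(ts)
        if event == "open":
            opened[slot] = when
        elif event == "book" and slot in opened:
            # pop() so a slot must be re-opened before it is measured again
            latencies[client].append((when - opened.pop(slot)).total_seconds())
    return dict(latencies)


def flag_automation(latencies, max_median_s=3.0, min_bookings=3):
    """Flag clients that repeatedly book within a few seconds of availability.

    One fast booking can be luck; a consistently tiny median over several
    bookings is hard to achieve by hand. Both thresholds are illustrative
    assumptions and would need tuning against real traffic.
    """
    flagged = {}
    for client, values in latencies.items():
        if len(values) >= min_bookings and median(values) <= max_median_s:
            flagged[client] = median(values)
    return flagged


if __name__ == "__main__":
    per_client = booking_latencies(SAMPLE_LOG)
    for client, med in flag_automation(per_client).items():
        print(f"{client}: median {med:.0f}s over {len(per_client[client])} bookings")
```

A flag like this is a signal for review or rate limiting, not proof of a bot: the summary's own author started with an email alert and a fast manual click.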
This discussion has been archived. No new comments can be posted.

  • Or... (Score:5, Insightful)

    by nitehawk214 (222219) on Friday July 26, 2013 @03:32PM (#44393825)

    Go to a casual local place and have a backup plan if it is busy. Restaurants with mile-long reservation lists and >$100 plates are almost universally overrated.

    • Re:Or... (Score:5, Insightful)

      by war4peace (1628283) on Friday July 26, 2013 @03:42PM (#44393969)

      It's the "Ode to my Stomach" syndrome.
      Personally, I found home made food much more rewarding. At least I know for sure what I put in my mouth. No funny business.

    • Re:Or... (Score:5, Funny)

      by PPH (736903) on Friday July 26, 2013 @03:48PM (#44394057)

      That place is so popular, nobody goes there anymore.

      - Yogi

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      The State Bird place mentioned does not have particularly high prices. The current menu only has two items in the $20 range ($20 and $22). With prices like those -- and assuming good food -- who wouldn't want to eat there?

      dom

    • Re:Or... (Score:4, Interesting)

      by ackthpt (218170) on Friday July 26, 2013 @04:16PM (#44394365) Homepage Journal

      Go to a casual local place and have a backup plan if it is busy. Restaurants with mile-long reservation lists and >$100 plates are almost universally overrated.

      Unfortunately I live in a resort-y area and we're overrun during the summer months. I just learn to be a better cook. I'm becoming very good at cooking these days. So much so I hate going out to eat because I can do everything so much better.

      now it's time for another episode of Samurai Short-order Chef

      • Re: (Score:3, Interesting)

        by Em Adespoton (792954)

        Another option: have dining in parties with your friends. Have each person take a rotation, try out new recipes/variants, and in general, have a good time without the bad music/bad lighting/bad seating. Non-paying guests can stay and wash the dishes ;)

        • Re:Or... (Score:4, Insightful)

          by ackthpt (218170) on Friday July 26, 2013 @04:42PM (#44394617) Homepage Journal

          Another option: have dining in parties with your friends. Have each person take a rotation, try out new recipes/variants, and in general, have a good time without the bad music/bad lighting/bad seating. Non-paying guests can stay and wash the dishes ;)

          I remember seeing something about these in my parents' magazines from the 1950s. People had some place in the house called a Dining Room and it was much larger than their computer den. Shocking!

          • by drkim (1559875)

            People had some place in the house called a Dining Room and it was much larger than their computer den. Shocking!

            A room just for eating in? Weird.

            How could you operate your computer from there..?

      • by gagol (583737)
        People do not eat out because it tastes too great, they go out because there is no meal to prepare or dishes to clean.
        • by ackthpt (218170)

          People do not eat out because it tastes too great, they go out because there is no meal to prepare or dishes to clean.

          And when I do that I generally regret not preparing something, even a can of beans. Dishes are rarely the chore some people draw them up to be.

    • Re:Or... (Score:5, Interesting)

      by TechyImmigrant (175943) on Friday July 26, 2013 @04:29PM (#44394487) Journal

      The most I ever paid for a meal was $700 per head for a 16 course tasting menu at a 3 star restaurant. I booked 6 weeks ahead. It was money well spent.

      My priorities may differ from yours.

  • by stewsters (1406737) on Friday July 26, 2013 @03:33PM (#44393837)
    God damn hipsters.
    • by Natales (182136) on Friday July 26, 2013 @04:20PM (#44394411)
      Come on dude! It's so easy to be dismissive when you don't have a clue what you are talking about. Let me break your bubble: there are geeks that are hipsters, foodies and that just love the hedonistic pleasures of life. We all converge in this site at some point and share things that matter to all of us, but this is by no means all we are in life.

      I've had to learn to appreciate our differences with fellow geeks and nerds that have completely opposite political views for example without demonizing them, and in the process I've learned a thing or two. Don't fall in the "us" and "them" rhetoric and learn to respect people that care about different things.
  • Cold Pizza (Score:5, Funny)

    by ebno-10db (1459097) on Friday July 26, 2013 @03:33PM (#44393841)

    Kids today. In my day programmers ate cold pizza and they liked it! Bonus points for pepperoni or sausage - there's nothing like cold congealed grease.

    • Re: (Score:2, Informative)

      by Ambvai (1106941)
      Ever try a Domino's Thin Crust with Double Bacon? One of my friends in college got two of those once and, after puking up the first one, left the second on his desk. The next day, he found the grease soaked through the pizza, its own box, the lid of the box under it, and the bottom of the box under it, sticking it solidly to the table.
      • Ever try a Domino's Thin Crust with Double Bacon?

        This is where my regional snobbery kicks in. In NY you never order pizza from a chain. Even a randomly chosen neighborhood place is practically guaranteed to be better, let alone your choice neighborhood places.

      • by drkim (1559875)

        ...The next day, he found the grease soaked through the pizza, its own box, the lid of the box under it, and the bottom of the box under it, sticking it solidly to the table.

        "...that crap's gonna eat through the hull..."

    • by elistan (578864)
      Pizza (cold or not) for programmers was so prevalent, in fact, that there was developed an ANSI Standard Pizza configuration. Pepperoni and mushroom. (Although having just looked it up, I hadn't realized at the time it was mostly a CMU thing.)
      • I'm a sort of pizza snob. I want at least four different color toppings on my pizza. The sauce and cheese don't count.

        In fact I prefer to have bell peppers as one of the toppings, even though I don't actually like bell peppers. But without them, the pizza doesn't taste nearly as good.

  • by Anonymous Coward on Friday July 26, 2013 @03:34PM (#44393849)

    A DDoS to ensure no one gets reservations?

  • On the other hand (Score:5, Informative)

    by xevioso (598654) on Friday July 26, 2013 @03:34PM (#44393851)

    The reservation company specifically denies that this is happening or is possible.

    TFA:
    http://insidescoopsf.sfgate.com/blog/2013/07/25/are-automated-bots-are-making-hot-online-reservations-impossible/ [sfgate.com]

    • Re:On the other hand (Score:5, Informative)

      by xevioso (598654) on Friday July 26, 2013 @03:35PM (#44393861)

      The important part, which I failed to quote:

      Update, 1:20pm: Urbanspoon has released a statement that reaffirms its earlier denial, and also refutes duplicate reservations and reservation fraud (though neither of those issues are technically in dispute):
      "Urbanspoon’s data on State Bird Provisions’ reservations do not support the findings reported in Diogo Mónica’s post. While we will not disclose data about specific customers, we currently have processes in place to prevent duplicate reservations and combat reservation fraud. Urbanspoon’s goal is to give real diners the opportunity to make reservations. We’ve noticed that many diners will stop at nothing to get a table at the hottest restaurants in town, like State Bird Provisions, so we are constantly working on improving the overall reservations process to give all diners an opportunity to secure a table."

      • Re:On the other hand (Score:4, Informative)

        by pipatron (966506) <pipatron@gmail.com> on Friday July 26, 2013 @03:40PM (#44393943) Homepage
        And of course, everyone here knows that the answer is plain marketing bullshit.
      • by gl4ss (559668) on Friday July 26, 2013 @03:44PM (#44393993) Homepage Journal

        all bunch of blabla bla.

        you know what would work out? if the tables are really all reserved all the fucking time, make a reservation cost.
        then increase cost until you hit a spot. the restaurant should just charge more, if people want to pay a months rent to eat there then so be it.

        btw how the fuck could they make sure they don't get duplicate reservations? checking id's of people coming in to match the reservation? they can't really rely on cookies, ip addresses or anything like that for it. not even fb profile linking would do it, easy enough to have fake profiles...

        what urbanspoon cares about is that the tables are full, nothing else.

        • Re:On the other hand (Score:5, Interesting)

          by blueg3 (192743) on Friday July 26, 2013 @04:45PM (#44394649)

          you know what would work out? if the tables are really all reserved all the fucking time, make a reservation cost.
          then increase cost until you hit a spot. the restaurant should just charge more, if people want to pay a months rent to eat there then so be it.

          It's easier to auction off reservations rather than continually adjust the price until you find a level that works. And this was suggested by many people on Twitter early this morning already.

        • by Anonymous Coward on Friday July 26, 2013 @07:47PM (#44395907)

          you know what would work out? if the tables are really all reserved all the fucking time, make a reservation cost.
          then increase cost until you hit a spot. the restaurant should just charge more, if people want to pay a months rent to eat there then so be it.

          That works if you're just in it to make a profit, and don't care about who is able to come to the restaurant.

          Planet Money had a podcast [npr.org] about this in regard to concert tickets. They had Kid Rock talking about it, and pointed out that it would be super simple to keep jacking up the price until supply & demand balances out and it's no longer worth scalping tickets.

          However, selling tickets to the highest bidder greatly changes the tone of the audience you get. You no longer get people who are there because they want to enjoy the experience, instead you get people there just to show off their affluence. (Kid Rock mentioned the bored-looking old guys in the front row who are obviously just there to impress half-their-age girlfriends.) You'd see that with increasing the price to restaurant reservations. You'll no longer get people going to the restaurant because they want to enjoy the food, you'd get people there because a table at State Bird Provisions is rare, and it will impress a girlfriend/business associate. As a chef, cooking for people who want to enjoy your food and cooking for people who are just there to show off are greatly different things, and you may be willing to reduce your profit if you can ensure the former.

      • I call BS on this. Sounds like Urbanspoon is just covering their ass.

        Bottom line is their reservation system doesn't have any form of CAPTCHA which makes the use of reservation bots completely plausible.

        • by wagnerrp (1305589)
          Nonsense. Most CAPTCHAs can be reliably processed by machine vision, and the remainder can be processed by real humans in third world countries for pennies on the dozen. There are actually companies that sell such services. Alternatively, one can set up a fake free porn site, and route those CAPTCHAs through to users trying to access it.
      • we currently have processes in place to prevent duplicate reservations and combat reservation fraud.

        While they may indeed have a system in place to prevent duplicate reservations, their answer is meaningless. If a person can make a reservation on-line then a bot can do the same, except faster and in the middle of the night while you're sleeping.

      • we currently have processes in place to prevent duplicate reservations and combat reservation fraud.

        But this isn't duplicate reservations. Nor does it appear to be reservation fraud; nobody's said anything about third-party sale of the reservations. It's just people automating the process of getting a reservation.

      • Re:On the other hand (Score:4, Interesting)

        by hawguy (1600213) on Friday July 26, 2013 @04:34PM (#44394535)

        The important part, which I failed to quote:

        Update, 1:20pm: Urbanspoon has released a statement that reaffirms its earlier denial, and also refutes duplicate reservations and reservation fraud (though neither of those issues are technically in dispute):
        "Urbanspoon’s data on State Bird Provisions’ reservations do not support the findings reported in Diogo Mónica’s post. While we will not disclose data about specific customers, we currently have processes in place to prevent duplicate reservations and combat reservation fraud. Urbanspoon’s goal is to give real diners the opportunity to make reservations. We’ve noticed that many diners will stop at nothing to get a table at the hottest restaurants in town, like State Bird Provisions, so we are constantly working on improving the overall reservations process to give all diners an opportunity to secure a table."

        And since these bot'ed reservations aren't appearing for sale on Craigslist, nor do these popular restaurants appear to be suffering from excessive no-shows, what exactly is happening to these reservations that are supposedly stolen by bots?

      • by number17 (952777)
        Perhaps an employee or even the owner is being given a handful of cash to make sure they get the seat when one is cancelled.
  • by Dorianny (1847922) on Friday July 26, 2013 @03:38PM (#44393903) Journal
    These days you can't even post on a forum without going through some form of CAPTCHA, never mind trying to buy tickets or book reservations.
    • by 0123456 (636235) on Friday July 26, 2013 @03:41PM (#44393953)

      Yeah, but modern CAPTCHAs are so convoluted that computers can solve them more easily than I can.

      • by Dorianny (1847922)
        Yeh. OCR has gotten so good that CAPTCHA developers have no choice but to make their images so distorted that even human pattern recognition can't easily make them out anymore.
        • Yeh. OCR has gotten so good that CAPTCHA developers have no choice but to make their images so distorted that even human pattern recognition can't easily make them out anymore.

          That's why some captchas now have knowledge-based answers in the rotation, like showing an image of a brand name and asking what it's known for. Or assembling a small puzzle.

        • by al0ha (1262684) on Friday July 26, 2013 @04:24PM (#44394449) Journal
          Wrong. OCR still can't defeat reCAPTCHA - however depending on the prize there's a multitude of other ways to do it which do not involve OCR including low paid workers in third world countries being served the captcha and solving it for the automated algorithm, or in the case of Ticketmaster, where the prizes were monetarily substantial, a group of miscreants going to the trouble of databasing just about every Captcha solution they could find. One group also was able to p0wn the audio version of reCAPTCHA for a while until it was upgraded. Another group has claimed they use OCR to defeat reCAPTCHA, but have never proven that to be the case and if they can, why not prove it?

          Citations:
          http://en.wikipedia.org/wiki/ReCAPTCHA [wikipedia.org]
          http://www.wired.com/threatlevel/2010/11/wiseguys-plead-guilty/ [wired.com]
          • Another group has claimed they use OCR to defeat reCAPTCHA, but have never proven that to be the case and if they can, why not prove it?

            Why would they? It would be in their best interests to let the algorithm work for as long as possible, no point rocking the boat, and showing the reCaptcha developers how to block it more.

      • by magarity (164372)

        Yeah, but modern CAPTCHAs are so convoluted that computers can solve them more easily than I can.

        No kidding, I wish something like kitten Captcha was more prevalent but it never seemed to catch on.

  • by bradley13 (1118935) on Friday July 26, 2013 @03:39PM (#44393927) Homepage

    I would think that a lot of bot reservations would go unused, at least, as soon as the newness of this wears off. How long until restaurants start charging a nonrefundable reservation fee?

    • I would think that a lot of bot reservations would go unused, at least, as soon as the newness of this wears off. How long until restaurants start charging a nonrefundable reservation fee?

      And/or a simple wait list that gives preference for preferred customers? I.e. The restaurants should see this as an unmet need, and provide their customers a solution.

      • by alen (225700)

        what unmet need? they are fully booked.

        one time years ago my wife wanted to go eat at some place in NYC that cost $600 for dinner for two people after taxes, tip and whatever. i tried making reservations, but the place was booked solid for months in advance and we forgot about it after a while

        • If people are willing to go to the trouble of creating bots to find cancelations, then it's likely there are people who will *pay* for that service. The bot runners might be selling their service, similar to ticket scalpers. On the other hand, they might be doing it just because they can.
        • by whoever57 (658626) on Friday July 26, 2013 @04:49PM (#44394699) Journal

          some place in NYC that cost $600 for dinner for two people after taxes, tip and whatever. i tried making reservations, but the place was booked solid for months in advance

          Face facts. The problem wasn't that the restaurant was booked, the problem was that you are not famous.

      • by bfandreas (603438)
        There will always be preferred customers and I suppose a lot of these reservations are made in person, face to face and way in advance.

        Also this is why we can't have good things. Brainless botter suspects brainless botters to be faster than him. Honestly, his behaviour is highly anti-social, egocentric and overly obnoxious. If I were running a successful restaurant I would go to great pains to avoid people like him. The likelihood of him annoying other patrons is just too much. Do you need another jackas
        • >There will always be preferred customers and I suppose a lot of these reservations are made in person, face to face and way in advance.

          To be a preferred customer, come back a second time. All the starred restaurants have known when I've come back a second time and made a show of appearing to care about it.

          FWIW, I recommend La Toque in Napa. 1 star, deserves 2.

    • by Nidi62 (1525137)

      I would think that a lot of bot reservations would go unused, at least, as soon as the newness of this wears off. How long until restaurants start charging a nonrefundable reservation fee?

      I would imagine, if anything, they would charge maybe $5 that would then be included as part of the payment on your bill should you end up keeping the reservation; ie. on a $50 check you would only have to pay $45. Or people can just call in and make reservations like you used to have to do.

    • by Ichijo (607641)

      Make the reservation transferrable, and suddenly it would create a market, eliminating the shortage of reservation slots. To get a reservation, just go to eBay. Of course, if you can find it on eBay and the restaurant isn't the seller, it's a sign that the restaurant charged too little (below the market clearing rate) for the reservation in the first place.

  • This isn't hacking (Score:5, Insightful)

    by hypergreatthing (254983) on Friday July 26, 2013 @03:40PM (#44393947)

    This is just a html scraper. People have had the same thing going on ebay for years. Suddenly it's hacking? Give me a break.

    • by tepples (727027)
      Under the (U.S.) Computer Fraud and Abuse Act, any use not permitted in a site's terms of service is in effect "hacking".
    • by SeaFox (739806)

      Suddenly it's hacking? Give me a break.

      Haven't you heard? Nowadays using a computer to access/use something in any way the original creator doesn't like is "hacking".

      • by serviscope_minor (664417) on Friday July 26, 2013 @06:51PM (#44395559) Journal

        Nowadays using a computer

        Using an HTML scraper and an almost certainly unholy bunch of scripts to make sure you get first dibs on a restaurant reservation is certainly hacking in the old sense of the word: it's a hack.

    • Re: (Score:3, Interesting)

      by harvestsun (2948641)
      But you forget that the U.S. legal system has decided that accessing publicly accessible URLs [technologyreview.com] constitutes hacking. I guess the new definition of hacking is "using something in a way you weren't intended to".
    • by The Moof (859402)
      It was probably even easier than that. Given today's WWW climate of everything being JSON/AJAX driven, you can just query the site and have the seating information delivered ready to use.
    • by MightyYar (622222)

      Suddenly it's hacking? Give me a break.

      It would be totally awesome if language stopped changing in the 1980s. Radical, dude.

    • by wagnerrp (1305589)
      Yeah, plus it was done using Ruby. Now if this were done in Perl, no one would have any problem calling it hacking.
  • Abusing the system (Score:5, Insightful)

    by Torodung (31985) on Friday July 26, 2013 @03:45PM (#44394017) Journal

    This is abuse of the reservation system, plain and simple. It simply is not robust enough (too informal) to handle bots. I suspect it soon will become commonplace to require tortuous captchas for reservations. Great job, lazy hacktivists! You've ruined e-life for everyone.

    As for posting code for it in the wild so any script kiddy can do it. Good for you. That's called leveling the playing field. It's the proliferation of bots just to be shits to each other that rankles my ire, not the fact that everyone can now do it.

    • by Thud457 (234763)
      It's just Wall street quants doing to restaurants what they've done to the financial markets.

      OH FUCK, WE'RE ALL GONNA STARVE!!!
      • It's just Wall street quants doing to restaurants what they've done to the financial markets.

        Heard on the floor of the NYSE in the near future:

        "Sell! SELL! SELL! Oh, great, I can never get these.... what the hell is that? Uh... UB3Q6Y? No?.... well, fuck..." (jumps out nearest window)

      • by gagol (583737)
        OR LEARN TO COOK FOOD AGAIN!!!! THE PAIN!!!! Come on, if you think restaurants are good, wait till you prepare your meal yourself.
        • In my experience, the people who appreciate the best restaurants are usually pretty good cooks themselves.

          It's a foody thing.

          • by gagol (583737)
            In my experience, the more expensive the restaurant, the more smug and frenchy the maitre'd is. The rest don't change much. (up to 300$ per person, never tried anything more expensive)
  • by Gothmolly (148874) on Friday July 26, 2013 @03:49PM (#44394079)

    Are there foodies who are NOT self-described?

    • by gman003 (1693318)

      You're a foodie.

      There, now there's a foodie that's not self-described. You're welcome.

  • by Overzeetop (214511) on Friday July 26, 2013 @03:49PM (#44394093) Journal

    Heaven forbid we should have the convenience of making a reservation online. No, it takes a bunch of assholes to game the system and screw it up. Not that it's anything new, as online ticketing for popular events has been gamed for fun and profit by scalpers for years.

    If all of my family were to suddenly die in a freak accident and I was left alone with nothing to live for, I would hunt every bot maker down and shoot them for amusement. (Oh, and happy Friday everybody!)

  • I did this back when the Wii was initially released to get one for retail when they were going for twice that on eBay. Scraped the major retailers product pages on a cron and told me when there was stock (which usually lasted a couple of minutes). Worked pretty well.

  • Ruby?? (Score:5, Funny)

    by happyhamster (134378) on Friday July 26, 2013 @04:00PM (#44394229)

    Pfff, my soon-to-be-released Assembly program will put his slow ruby ass to shame, thus starting HFR (high frequency reservation) era and trading in reservation futures.

    • by whoever57 (658626)

      Pfff, my soon-to-be-released Assembly program will put his slow ruby ass to shame, thus starting HFR (high frequency reservation) era and trading in reservation futures.

      He already talked about moving his systems closer to reduce network latency.

  • by Alsee (515537) on Friday July 26, 2013 @04:16PM (#44394355) Homepage

    One of the perks of dating a geek is that we are now the only ones who are ever going to take you to the hottest restaurant in town.
    Jocks need not apply.

    -

  • by Bob9113 (14996) on Friday July 26, 2013 @04:40PM (#44394601) Homepage

    Attention Non-Programmers: This is what the future looks like. If you don't learn to make your computers obey you, if you don't take control of your information flows, you will be marginalized by the people, corporations, and governments that do.

    I'm not saying it is right. I'm saying it is. As philosopher-poet Ash once observed; "Good. Bad. I'm the guy with the gun."

  • by dcollins (135727)

    High Frequency Tables.

    Getting a direct fiber-optic link to the restaurant's web server could improve on this.

  • I suspect that this is just paid for advertisement for the diner in question. It conveys that the diner is in demand, the diner's locations, and that it has reservations.
  • just doesn't taste right to me....
