Cops called to Singapore golf club after 'wrongdoers' use scripts to book popular timeslots

A Singapore golf club has called in the police claiming members may have broken the country’s Computer Misuse Act after using scripts to book up course slots within seconds of them becoming available. The Singapore Island Country Club dialled 999 after declaring that its online golf session booking system had been “compromised …

  1. Dwarf

    Perhaps someone should introduce them to APIs, CURL and HTTP POST and possibly rate limiting.

    It's not really computer misuse if you are just interacting with the service they provide to the Internet for the explicit purpose for which it was provided.

    Perhaps the older less technically capable could learn something from those that understand those newfangled computer things.

    I guess this boils down to the old boys club of MDs, FDs and the like who don't like that the technically competent members are doing better than them.

    1. Andy Tunnah

      If you use scripting or automation to circumvent what is supposed to be human based interaction and data entry that is absolutely misuse. Just because they don't have protections in place to prevent it doesn't mean it's open season.

      I know this is a leap so far I've practically already broken my legs and popped my knees, but it feels very much like "if it wasn't locked they can't complain someone let themselves in"

      That being said there is definitely a certain "ha, deserved" to know a bunch of rich gits got done over by a bunch of BOFHs

      1. cbars Bronze badge

        I cite discrimination based on reflexes and availability.

        Fairest solution is the bookings are open for 24 hours (plus a week or whatever), and after that the slots are assigned randomly. You're notified if you've got one, so easier to get another slot if you're available.

        If you win a slot, you're excluded from other contended slots.

        Doesn't matter if you're fast, and distributes slots about even, based on availability

        Tough luck if you can only make the fancy slots

        1. Prst. V.Jeltz Silver badge

          They should do that with Glastonbury, and any other fast sellout events.

          the 'fancy slots' aren't even a factor in those circumstances too

      2. doublelayer Silver badge

        Using a system for the purpose it was designed isn't misuse. Using that system with a bot when bots are prevented in the terms of service is a violation of that contract. Let's assume they've put that in (if they haven't, they have no case). Assuming they have, they can execute the penalties in that terms document for bot usage, such as closing accounts, charging fees, whatever they think is best and can get customers to agree to. However, it's not computer hacking. It's a violation of what they want.

        "I know this is a leap so far I've practically already broken my legs and popped my knees, but it feels very much like 'if it wasn't locked they can't complain someone let themselves in'"

        You are entirely correct. You've leaped so far that you're in orbit. If it wasn't locked, but they don't have permission to enter, then the law says they're not allowed to enter. This is a lot more like "it wasn't locked, and there is a big sign saying that people are allowed to come in, and people do come in and we like that, but someone came through with a bicycle and we don't like those". If it's your property, you can tell people not to come in with bicycles even though they're allowed to walk in. You can make them leave if they do so anyway. It is your rule, not the law, that says this.

        1. Alan Brown Silver badge

          "Using that system with a bot when bots are prevented in the terms of service is a violation of that contract."

          Objection: assumption made of items not in evidence

          If they don't have bot/script protection in place they're highly unlikely to have thought about T&C prohibiting the use of them

          This is S'pore - where as other posters have described, it's absolutely normal for the "privileged" stuff to be getting the snot hammered out of it simply to be able to book anything _at all_ due to the outfits in question having 100 times more members wanting to book slots than slots available for members - EVEN IF THEY WERE RATIONED TO ONE PER MEMBER PER MONTH (it's like airlines overbooking seats, but on steroids)

          Someone's crying "foul" because politically connected members can't get any slots but overlooking the elephant in the room of the blatant ripoffs which are causing people to resort to this behaviour

          These 'clubs' are essentially a license to print money - there's a significant "snob" value from being a member, even if you can never actually get a chance to use the facilities

          1. Anonymous Coward

            Most golf clubs have clauses in the membership/visitor contracts that require all members are responsible for maintaining communal resources and they must be shared and maintained for all members, rather than one member "hogging" them. The clauses are intended to prevent members from hogging showers/putting greens/lockers/shoe shiners/golf buggies but there is a reasonable argument that the tee time booking system is a "communal resource intended for the benefit of all members". The penalty is more likely to be the termination of membership though, rather than criminal.

      3. AVee
        Stop

        "I know this is a leap so far I've practically already broken my legs and popped my knees, but it feels very much like 'if it wasn't locked they can't complain someone let themselves in'"

        I wish people would stop using that argument where it doesn't apply. Actively setting up a webserver and connecting it to the internet is not quite the same as 'leaving the door unlocked'. It's more like a shop in a high street with an open door and a blinking neon 'We're Open' sign. You clearly advertise that people can send requests there, you can't then blame them if they do.

        Of course you are still free to respond to these requests any way you see fit. But in this case people send the request saying 'can you make this reservation for me' and the response to that was '200 OK'. If they have a problem with the request there's plenty other possible answers, or you can do the rude thing and not respond at all.

        Now people using scripts do get an advantage in a first-come first-served system. But so do people camping outside a shop or people hiring Usain Bolt to sprint to the counter for them. You may have a problem with that, in which case you should use a different system.

      4. 9Rune5
        Thumb Down

        They should remove the online booking facility and replace it with a service using phones.

        ...and then, as people start calling minutes before the phones lines open, they should punish those who abuse calendar reminders to help them remember to call early.

        Oh wait, 'ridiculous' you say?

        Yes, indeed.

      5. xeroks

        I disagree completely.

        It is perhaps, a different use from the intended workflow. But I'd say the problem is that the intended workflow does not consider the real world where humans don't have to slowly type stuff into a website.

        Apart from anything else, a time-critical workflow like this discriminates against all sorts of people: people with physical disabilities, people whose internet connection breaks, people who are unable to spend the time at the exact critical seconds etc.

        There are obvious fixes: you put your name down for a slot in advance, and when the slot becomes available, the system decides which of the applicants wins it. Alternatively people (or bots) can only apply after the slot becomes available, but the applications are stored for a fixed time period before the system decides the winner.

        The decision process re who wins could be lottery, but could also be an auction, or a combination.

    2. martinusher Silver badge

      It really is resource misuse

      What those little scripts are doing may look innocent enough but they're actually a de facto denial of service attack. Your typical script kiddie has no real feel for the amount of resources being used to service a Curl call, to them it's just a matter of making the call and expecting a prompt answer. (They need a prompt answer because they're typically keeping their code hung on the service call...) It's possible that a more sophisticated programmer could also use tactics more in keeping with DoS such as holding sockets open (simulated slow response), simulating multiple requestors and so on but that just compounds the crime.

      I don't golf but I gather that a big part of golf protocol is "playing the game according to the rules". This is why they'd take a dim view of gaming the system, it would be as unthinkable as using a radio controlled golf ball to steer a putt into the cup. I'm surprised that they'd regard this as an emergency, though -- I'd have thought they'd have a quiet word with one of the members, the chief constable or maybe a government minister, someone like that, and they'd see that the problem's dealt with.

      1. ClockworkOwl
        Facepalm

        Re: It really is resource misuse

        Garbage, honestly utter nonsense...

        What script kiddie are you thinking of?

        These are golfers booking playing slots, no need for the Chief Constable or a Government Minister...

      2. John Brown (no body) Silver badge

        Re: It really is resource misuse

        "This is why they'd take a dim view of gaming the system, it would be as unthinkable as using a radio controlled golf ball to steer a putt into the cup."

        No, it's more like inventing a new golf club that makes a hole in one far more likely while still being within the posted rules. It may break the spirit of the rules and be "unfair" in the minds of many, but still be completely legal.

      3. Anonymous Coward

        Re: It really is resource misuse

        "it would be as unthinkable as using a radio controlled golf ball to steer a putt into the cup"

        Stop trying to give the US president ideas.

        Not that he could do it himself of course, he's far too stupid. But he might find a government programmer to coerce.

        1. Aladdin Sane

          Re: It really is resource misuse

          I'm pretty sure The Orange One uses a Dunlop 1 golf ball.

          1. Clunking Fist

            Re: It really is resource misuse

            He marks the ball with his initials, using a Sharpie.

            1. Victor Ludorum

              Re: It really is resource misuse

              Does he do it in code?

              His first ball - 1

              First initial - D

              Middle initial - 10th letter

              Last initial - T

              V.

    3. JetSetJim
      Windows

      If they have a problem with this, do they have a problem with executive PAs making appointments?

    4. chuBb.

      Call the cops cus it's less embarrassing than pointing fingers at the chairman's computer wizz nephew who built the form with his M4d php skillz, bet its all GET based to boot, in which case nm autocomplete, browser history will get u a valid submission multiple times a second...

      1. Anonymous Coward

        Having worked in Singapore, I suspect you're probably close to the truth.

        IMHO, unless the website form explicitly states that it must be accessed by humans only* I fear they don't have much to go on from a legal perspective. The site is for bookings, and someone made bookings. That their manner was sophisticated is, until explicitly excluded, fairly irrelevant.

        * Also, try proving that - browsers allow you to pre-fill which can speed things up in itself.

        1. JetSetJim

          Unfortunately the club rules and bye-laws are behind a login

          In the meantime, they've currently implemented a policy of "only one active booking per member".

  2. Imhotep

    But They Do Dress Funny

    A strange sort of hacking when you are actually using the site for its intended purpose.

    1. Anonymous Coward

      Re: But They Do Dress Funny

      They are effectively performing a DOS. That's not intended purpose.

      1. doublelayer Silver badge

        Re: But They Do Dress Funny

        They aren't doing that. Did the site go down? No, it didn't. That's not the complaint. The complaint is that it's not fair that people with bots are getting the nice slots immediately. That's a valid complaint, but it's not a violation of the law. Valid responses include making bots a violation of the terms, cancelling the accounts of people who use them, or taking technical action to prevent the bots from working. All valid things.

        Let's say that I post a page to my personal site and you visit it. Effectively, you're performing a DOS because my server is going to send that page to you. If enough of you do it, my server will run out of resource. That's also the exact point of my putting the page up, so people will use my resource to read it. I cannot blame people for using my resources by accessing public services that I put there and made public and could either make nonpublic or in other ways protect. By doing this, I am taking various risks. For example, I have a bandwidth limit and if enough people access my files, I'll exceed it and I'll have to pay a higher bill. I accept that risk when I put files up and allow the public to access them. If I don't want to run that risk, I can take the files down again. It's on me to manage my own resources and set terms. A DOS attack is when someone deliberately intends to take down my system. A flood of interest in the thing the site does which the server isn't able to handle is not an attack.

        1. Anonymous Coward

          Re: But They Do Dress Funny

          You don't know the law.

          1. Anonymous Coward

            Re: But They Do Dress Funny

            But I do, and he's right..

  3. Anonymous Coward

    Tell them they've got their tee time...

    Then arrest them when they arrive. "There is no humanly possible way to fill out the online form in two seconds. We don't care HOW you did it but until robots can play golf without us squishy humans the reservation site is reserved for us humans. Now we're going to make an example of you as a warning to others. We're terminating your membership, banning you for life, & publicly outing you as a crappy cheating player. Good luck getting tee time anywhere else. Buhbye!"

    1. Yet Another Anonymous coward Silver badge

      Re: Tell them they've got their tee time...

      But what if this is basically a CAPTCHA?

      You turn up to arrest 2 terminators, a cyberman (sorry cyberperson) and that cool 2 legged robot with the machine guns from the original Robocop.

      1. Dan 55 Silver badge
        Terminator

        Re: Tell them they've got their tee time...

        Please put down your golf club. You have 20 seconds to comply.

    2. Cederic Silver badge

      Re: Tell them they've got their tee time...

      Sorry, arrest them for what? Automating manual data entry?

      We're going to need bigger prisons.

    3. Anonymous Coward

      Re: Tell them they've got their tee time...

      Good luck with the lawsuits coming your way then. One problem with a posh golf club is that its members typically have their own lawyers, and in Singapore that is doubly so because it's part of the image.

      Not only is it going to cost you, but you'll lose face. At that level you can't afford to.

  4. Anonymous Coward
    Angel

    Hacking

    First - ha, ha.

    Second - hacking is what the golfers do on the course.

    Third - snigger, snigger.

    1. spold Silver badge

      Re: Hacking

      ...well those online golf session booking systems... apparently there was a hole in one.

      The system designer...Caddy fix it or not? Should have been fore!warned... before the bogeymen turned up and clubbed them. I suspect this is par for the course.

      1. John Brown (no body) Silver badge

        Re: Hacking

        Congrats to the eagle-eyed staffer who spotted that!

        1. JetSetJim

          Re: Hacking

          They were watching the birdie

  5. skeptical i
    Devil

    Do they actually show up and play?

    Are they any good? Not necessarily relevant to the rightness or wrongness of how they secured the tee time, but if they are really bad perhaps they could argue that they clearly need the practice time more than others. OK, maybe not. *snrk*

  6. sanmigueelbeer

    Singapore is a tiny country.

    Like owning a private vehicle or a free-standing house, golf memberships are only for the rich.

    My response would be to auction the premium slots. You want the 7am slot? That'll be SG$500k, thanks.

    1. DS999 Silver badge

      Why would that help?

      If the premium slots are valuable, then people will still want to game the system to get them and sell them for a profit. Just like scalpers using scripts to grab all the front row seats at a big concert.

      1. sanmigueelbeer

        Re: Why would that help?

        "then people will still want to game the system to get them and sell them for a profit"

        Good point, however, this is easier said than done. Unlike ordinary "people" who buy (and scalp) cheap concert tickets - Singaporean memberships to golf clubs are not easy to get. It is not difficult for SICC to check credentials of the golfers claiming their slots.

        1. CrackedNoggin Bronze badge

          Re: Why would that help?

          My guess is that one or more of the rich GC members hired one or more urchins to fill out and submit those forms for them, and that eventually one or more of those urchins figured out how to do it efficiently.

          1. Dan 55 Silver badge
            Thumb Up

            Re: Why would that help?

            That's probably why they've not said that people who turn up to a slot booked by a script will be denied their play, because rich-boy would throw a tantrum and start acting like the current President of the US. Instead it's the urchin who will have their collar felt.

        2. keith_w

          Re: Why would that help?

          Ordinary people rarely buy a ticket intending to sell it. Scalpers however use scripts and bots to buy dozens of tickets for a concert and then resell them, often through the ticket sellers' own reselling marketplace. However, while morally reprehensible, this is not illegal, at least here in Canada, and so it should not be illegal, at least here in Canada, to use a script to book the time you actually want to play golf. It would be morally reprehensible to book ALL the tee times and then resell them to your fellow members but from reading the article, that isn't what is happening. Additionally, private golf clubs have other ways of punishing members who evade the intent of the rules.

        3. DS999 Silver badge

          Re: Why would that help?

          If you have to login to the golf club's web site first to identify yourself as a member, then the solution is much easier. You can easily figure out which logins are using scripts to slam the server and gobble up the best tee times (based on them always getting those tee times a couple seconds after they become available) so you call them up and tell them their tee times have been canceled. Further instruct them that if they persist in trying to use a script they will lose online access and be required to make tee times in person.
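The check described in the comment above, as an added example that is not part of any commenter's post: flag logins whose bookings always land within a couple of seconds of release. The log format, field names, thresholds and sample records are constructed assumptions, not the club's data.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of booking records; the key=value layout is an assumption.
SAMPLE_LOG = """\
release=2020-07-04T12:00:00.000 booked=2020-07-04T12:00:00.850 member=A101 slot=sat-07:00
release=2020-07-04T12:00:00.000 booked=2020-07-04T12:00:01.900 member=B202 slot=sat-07:10
release=2020-07-04T12:00:00.000 booked=2020-07-04T12:00:01.500 member=C303 slot=sat-07:20
release=2020-07-04T12:00:00.000 booked=2020-07-04T12:00:20.000 member=D404 slot=sat-09:00
release=2020-07-11T12:00:00.000 booked=2020-07-11T12:00:01.200 member=A101 slot=sat-07:00
release=2020-07-11T12:00:00.000 booked=2020-07-11T12:00:45.000 member=C303 slot=sat-07:10
release=2020-07-11T12:00:00.000 booked=2020-07-11T12:01:30.000 member=D404 slot=sat-09:00
release=2020-07-18T12:00:00.000 booked=2020-07-18T12:00:00.900 member=A101 slot=sat-07:00
release=2020-07-18T12:00:00.000 booked=2020-07-18T12:05:00.000 member=C303 slot=sat-07:10
this line is truncated member=E505
"""


def parse_line(line):
    """Return (member, seconds between slot release and booking)."""
    fields = dict(part.split("=", 1) for part in line.split() if "=" in part)
    released = datetime.fromisoformat(fields["release"])
    booked = datetime.fromisoformat(fields["booked"])
    return fields["member"], (booked - released).total_seconds()


def flag_fast_bookers(log_text, max_latency_s=2.0, min_bookings=3):
    """Return {member: [latencies]} for logins that are *always* fast.

    A single quick booking proves little (browser autofill can be that
    fast), so a login is flagged only when it has at least `min_bookings`
    bookings and every one of them came within `max_latency_s` of release.
    """
    latencies = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            member, latency = parse_line(line)
        except (KeyError, ValueError):
            continue  # malformed or truncated record: ignore rather than guess
        if latency < 0:
            continue  # booked before release: bad record, not evidence of speed
        latencies[member].append(latency)

    return {
        member: values
        for member, values in latencies.items()
        if len(values) >= min_bookings and max(values) <= max_latency_s
    }


if __name__ == "__main__":
    for member, values in flag_fast_bookers(SAMPLE_LOG).items():
        print(member, "booked", len(values), "times, slowest", max(values), "s")
```
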

      2. dirtygreen

        Re: Why would that help?

        Duh, that's the point of an auction. After the auction, the person who won has already paid the full value of the slot. There's no value left for a tout.

        1. John Brown (no body) Silver badge

          Re: Why would that help?

          Of course there is. If demand is high enough, then people will pay above ticket price.

          1. doublelayer Silver badge

            Re: Why would that help?

            The original suggestion is an auction. In an auction, there is no ticket price. In an auction, the person willing to pay the most gets the thing. So unless the person who is willing to pay more doesn't get to attend the auction, they will attend the auction and pay their price there. No scalpers will be able to sell at a higher price because anyone willing to buy at a higher price would attend the auction and buy there at that higher price. Whether that's actually a good suggestion is another question, as it doesn't leave any opening for people who can't pay the high prices, but at least understand the suggestion before discussing that bit.

          2. Clunking Fist

            Re: Why would that help?

            John: the golf club will auction the slots, not the folk who make a booking.

      3. 9Rune5

        Re: Why would that help?

        "Just like scalpers using scripts to grab all the front row seats at a big concert."

        And just like that scenario, it isn't impossible to release a few hundred cheaper tickets and require the original buyer to show up in person.

        I've bought tickets like that on two occasions. It was a lottery. First time I ended up way in the back and possibly wasn't even at the concert, but on the second try I landed a jackpot and was right up at the stage, almost sitting in Mick Jagger's lap. Both times I was tagged with a bracelet to discourage me from scalping my tickets once I had paid for them. (the price was 1/4th of normal price IIRC)

        You cannot do that for everyone obviously, but I suspect there aren't 20000 people trying to enter that golf course for each time slot.

      4. gnasher729 Silver badge

        Re: Why would that help?

        Royal Albert Hall has for quite a while required ID when you enter, matching the card used to book, so a scalper would need to know your card number.

      5. xeroks

        Re: Why would that help?

        Ticketing systems which allow scalping like that are also discriminatory and should be fixed using a lottery/auctioning system.

        I also think ticketing systems should make it easier - much easier - to sell tickets on to other people (while protecting the event organisers of course). But that's another story.

    2. The lone lurker

      Kiasu culture

      Singapore is tiny but it is uniquely kiasu as well as being severely dense in population. If golfing (or anything) slots are auctioned it will become inflated to a status symbol.

      My girlfriend here is a member of a major gym, we are forced to set an alarm to book classes and immediately try on three phones to get a slot as otherwise they'll be gone in seconds due to the overselling of service which is just normal here.

  7. Emir Al Weeq

    Is it hacking?

    Is it hacking if I sit on the web page repeatedly clicking Refresh until a slot appears?

    Is it hacking if I cut 'n' paste my details from a pre-prepared text file?

    Is it hacking if that text file includes all the tabs needed to hop fields so that a single ctrl-v does it all?

    Refresh, refresh, refresh, ooh! Ctrl-v

    I'm not doing anything that's not expected of a user. I'm just doing it a bit quicker. Is it hacking if I script that?

    1. Nifty Silver badge

      Re: Is it hacking?

      In the UK you can use a phone with a paid service to find and book sought-after driving test slots. The scripting is probably similar to the Singapore golf club: Repeatedly monitor for new slots then grab, albeit only a single slot. Not a problem in the UK.

      1. Dan 55 Silver badge

        Re: Is it hacking?

        Then again there was a case ages ago where a guy wanted to donate to a charity and used Lynx, the transaction failed, he modified the URL in a pretty standard way to go back, and was arrested for it and I think he lost the case against BT who were managing the website. Can't find a link unfortunately, but it was reported in El Reg.

        1. DavCrav

          Re: Is it hacking?

          It is here.

          Edit: In that article it suggests he was thinking of leaving IT. His employer didn't fire him, which probably means they didn't believe it either. He appears to be head of cyber security research at Santander, so it doesn't seem to have stymied his career.

        2. Anonymous Coward

          Re: Is it hacking?

          "and was arrested for it and I think he lost the case against BT who were managing the website"

          He tried to access files that he wasn't supposed to (he effectively used a directory traversal attack to go up the tree), rather than accessing something he was allowed to in a way that the provider didn't like - there is a difference.

          1. xeroks

            Re: Is it hacking?

            IIRC when the police turned up at his door, he initially denied accessing the charity's website, which he later backed away from. I don't know if that was a case of him lying, him answering a technically incorrect question correctly, or him simply forgetting he'd done it.

            I understood this denial was the main reason he was prosecuted.

          2. Dan 55 Silver badge
            Facepalm

            Re: Is it hacking?

            "Directory traversal attack to go up the tree"? If deleting the last part of a pathname off the end of a URL is illegal I think everyone here should be in the clink.

            The site should serve a page or serve forbidden or redirect. Anything else like serving files which aren't supposed to be public is even more idiotic than allowing an SQL injection.

    2. Craig 2

      Re: Is it hacking?

      Not hacking! A script or macro is just a bespoke digital assistant. It won't be long before you can say "Hey Alexa, book me a slot at the golf course as soon as it's available".

    3. SuperGeek

      Re: Is it hacking?

      Or even using AutoFill. I do it a lot, is that hacking too?

    4. Mr Sceptical
      Pint

      Re: Is it hacking?

      My keyboard can record macros - is it hacking if I record a previous session, then replay it the next time I want to book?

      After all - I (not a bot) have entered the text and had to manually trigger the input the second time.

      Case closed, M'lud and off to the 19th hole for a celebration!

  8. Scoured Frisbee

    Autofill

    I fill in all kinds of forms in Chrome with one or two clicks, two seconds is just on the low end of reasonable if you've got a lot of people trying who are familiar with the form.

    I mean, I could script it, but given the market share of Chrome I'm not sure it's the simplest solution. Two seconds seems a little long for a scripted solution.

    1. tiggity Silver badge

      Re: Autofill

      Indeed, most browsers have autofill (or addins that will do the job). Some forms I use a lot take me seconds to complete as it's all tab & autofill

  9. Robert Grant

    "Apparently it is “impossible” for humans to complete the course booking form online within two seconds as doing so requires inputting names of players and their membership ID numbers and selecting tee times."

    Welcome to browser autofill.

  10. Ashto5

    Glastonbury Festival

    A friend did this with the Glastonbury website

    He passed the script out to his friends and they ALL secured the tickets they wanted within minutes of the site opening up

    That’s just clever people being clever nothing illegal about it

    It was in their world of expertise so it’s not a problem

    If someone else can’t get a slot well tough that’s the way the world works

    Call the cops, that is pathetic

    1. Anonymous Coward

      Re: Glastonbury Festival

      Just volunteer for litter picking, pay a 100quid refundable deposit as long as you actually do some work, get tix and dibs on any wallets, drugs, decent camping gear left behind, just hope ur not one of the ones to discover that year's glasto dead..., sucks to find them and there is a good chance the pigs steal your stash to boot.

  11. Claverhouse Silver badge
    Meh

    Unsporting.

    Just ban them for foul play.

  12. PhilipN Silver badge

    Welcome to Singapore

    999??? Seriously???

    I know things are different there - such as the unique value of the right to own and drive a car - and I suspect activity similar to Cup Final ticket touts but if the Club underpriced itself in a capitalist society what do they expect?

    Oh I know. The Chairman’s wife couldn’t get the slot she wanted to coordinate with her trip to the hair salon.....

  13. Anonymous Coward

    Golf, the opium of the people

    Singapore is tiny, a golf course is sheer luxury.

    Allocate the best spots to school groups and the under privileged (if there are any).

    The rich can play any time of the day.

    1. Dan 55 Silver badge

      Re: Golf, the opium of the people

      I don't think golf clubs anywhere in the world work like that.

      1. Anonymous Coward

        Re: Golf, the opium of the people

        Which is why I avoid those places like the plague.

        Turn them all into affordable housing.

  14. gnasher729 Silver badge

    Obvious solution

    Make a list of everyone who booked a slot within ten seconds of becoming available, and six lashes when they arrive at the golf club.

  15. Anonymous Coward

    Punishment would be overkill

    Isn't it enough that they have signed up to play golf? Have you no mercy?

  16. hoola Silver badge

    Do they actually turn up?

    If they are members do they have to pay separately for each round as well?

    If they are playing then there is usually some sort of hospitality as well after the game.

    With many of these booking systems the fact that it is simple to book then leads people to make multiple bookings that they have no intention of using. In restaurants this is crippling them as they are "fully booked" so people who ring on the day or showed up on the door cannot get in. Then a high proportion of the bookings do not appear with the net result they have a stonking loss. They can attempt to charge them but I would have thought that the sort of person who does this will have paid on credit card and then dispute the transaction.

    I don't know whether the restaurant stating the guest was a no-show would be enough to stop the charge being reversed.

  17. Loyal Commenter Silver badge

    Badly designed API is badly designed.

    Apart from the obvious rate limiting, and limiting the number of slots one user can book, an astute designer might think to, for instance, not allow booking of slots the day they are first posted but instead take requests for that slot and assign them after 24 hours (or even longer, if the slots are well in the future), either randomly, or to whichever person last had that slot the longest time ago, for fairness, so that everyone gets a chance.

    It's not like booking systems for time slots like this are a novel thing, and it's exactly the reason our local sports centre stopped taking bookings online for the badminton courts because the same people would book the Sunday slots every week, and only turn up half the time. Shock horror - you now have to call them or go to the front desk and book a court.
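The deferred allocation proposed in the comment above and earlier in the thread (collect requests for a window, then assign; a winner is excluded from other contended slots), as an added example that is not part of any commenter's post. Slot names, member IDs, the `days_since_last_win` input and the fallback for a slot whose applicants have all won elsewhere are assumptions.

```python
import random

NEVER = float("inf")  # a member with no recorded win counts as waiting longest

# Constructed sample: requests gathered during the window, in arrival order.
# m2 submitted three times for the first slot, as a script might.
SAMPLE_REQUESTS = {
    "sat-07:00": ["m1", "m2", "m3", "m2", "m2"],
    "sat-07:10": ["m1", "m2"],
    "sat-14:00": ["m4"],
}


def allocate_slots(requests, seed, days_since_last_win=None):
    """Assign each slot to one applicant after the request window closes.

    requests: {slot: [member_id, ...]}; duplicates and arrival order are
        ignored, so submitting early or repeatedly gains nothing.
    seed: seed for the draw. Fixed here so a run can be reproduced; a real
        draw would need a seed applicants cannot predict (assumption).
    days_since_last_win: optional {member_id: days}. When given, the
        applicant who has gone longest without a slot wins and the random
        draw only breaks ties.
    Returns {slot: member_id or None}.
    """
    rng = random.Random(seed)
    # One entry per member per slot, in an order independent of arrival.
    pools = {slot: sorted(set(members)) for slot, members in requests.items()}
    # Draw the most contended slots first; slot name keeps the order stable.
    order = sorted(pools, key=lambda slot: (-len(pools[slot]), slot))

    assigned, winners_so_far = {}, set()
    for slot in order:
        pool = pools[slot]
        if not pool:
            assigned[slot] = None
            continue
        contended = len(pool) > 1
        # Earlier winners sit out further contended slots.
        eligible = [m for m in pool if m not in winners_so_far] if contended else pool
        if not eligible:
            eligible = pool  # all applicants already won: do not leave the slot empty
        if days_since_last_win is not None:
            waits = {m: days_since_last_win.get(m, NEVER) for m in eligible}
            longest = max(waits.values())
            eligible = [m for m in eligible if waits[m] == longest]
        winner = rng.choice(eligible)
        assigned[slot] = winner
        if contended:
            winners_so_far.add(winner)
    return assigned


if __name__ == "__main__":
    print(allocate_slots(SAMPLE_REQUESTS, seed=2020))
    print(allocate_slots(SAMPLE_REQUESTS, seed=2020,
                         days_since_last_win={"m1": 3, "m2": 40, "m3": 12}))
```
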

  18. Prst. V.Jeltz Silver badge

    unlike most hacking incidents, this will be easier to sort out because presumably the perpetrators will have written their real names when booking!
