This page was written a number of years ago but the information still mostly stands and serves to explain our thinking and methodology.

We often get asked why we choose to manage ticket sales ourselves instead of outsourcing to a third-party service. There are a number of reasons. We’ll run through these in no particular order.

Your Privacy
We limit attendance. That’s part of ShmooCon. Because of that, we can’t simply take cash at the door. We need to sell tickets in advance, which means we have to take some of your info in order to process a credit card sale. We are our own merchant. We have a merchant account with a card processor and clear all credit cards ourselves.

What’s interesting about cards is that card processors aren’t really allowed to do anything directly to you based on your use of a card. They can’t mine the data and send you ads for things you might want to buy, they can’t resell all your info to people for demographic purposes, etc. They have regulatory handcuffs that attempt to preserve some of your privacy.

Merchants don’t have those handcuffs. We all know how big companies will mine your purchases and suggest new things for you to buy. Other companies will resell your info. We’re the merchant here. We don’t want to know who you are. We want you to buy a barcode and come to the conference. Ideally we’d never even have to know your name and email, but we need those to handle troubleshooting and to track down transactions in the event something goes wrong. Beyond that, we don’t upsell to you, we don’t sell you, and we try to have your back.

There are lots of ticket companies out there that would be happy to have our ticket sales business. Not only do they get a cut of the transaction, they also get all of the information about you and get to keep it to market to you later… or sell it… or lose it in a breach. There’s a big privacy tradeoff that goes on when we go to third-party providers, and we’re not sure we want to do that. We have a photo policy, we run our own ticketing, and we allow anyone with a barcode to show up and attend. We try to hold a reasonable line on privacy, even when our privacy is being eroded every day.

Turns out, third-party ticket processors are expensive. One company, for instance, takes a total of 5.5% + $1 for each ticket sold. On a $150 ticket, that’s $8.75 a ticket. When we handle ticketing directly like we do, we’re only paying $4.70/ticket in fees. Looking at 1500 general admin tickets, that’s greater than $6k in extra fees. Yes, we could raise ticket prices to account for the difference, but that doesn’t change the fact that using a third-party ticket sales company doubles the fee on the ticket. It’s more expensive for all of us when we don’t do it ourselves.

We Control the Outcome (we can ensure fairness)
People try to game our system. There are scripts, bots, people looking for side doors, and even some ritual sacrifices people are making in an attempt to get tickets before others do. We’ve created a system that is a simple queue. First come, first served. When the load is high (i.e. when there is FAR more demand than supply) this queue is remarkably effective at leveling the playing field. Sure, each round we see people with scripts successfully get tickets. But we also see tickets captured from cell phones, other countries, and we’ve even heard tale of someone on airplane wifi being able to snag a ticket one year.

Before we release tickets to be paid for, we inspect the registration run to look for signs of shenanigans. If we see something unfair, we address it. In the spirit of hackerdom, if someone gets a ticket by a previously unknown issue with our system, we’ll usually honor the ticket and close the door at the same time.

We have a custom-built system that allows us to enforce our definition of fairness on the sales process. If we outsource that, we put total faith in other people’s systems. We lose the ability to inspect what has occurred. Maybe these other systems are as fair as ours. Maybe not. At least with our own system, it’s the devil we know and we can poke it.

Because We Want To
ShmooCon is a labor of love for the volunteers that run it. There’s a sense of pride that we can (usually) run sales successfully to completion. It’s a mad, mad process, and it’s a real adventure to make it work. We’re technologists at heart and honestly, as stressful as it is, it’s an enjoyable system to run from a geek’s perspective. Yes, we’ve made mistakes along the way. We learn from the process and try to be as transparent as possible along the way.


ShmooCon has and will continue to cap attendance at around 2200 people. This number includes attendees, staff, speakers, vendors, etc. We have many reasons for doing this, but the one that matters most is we believe this size is large enough to always be meeting someone new and small enough for us to be able to create the desired atmosphere. Bottom line – this isn’t about needing a bigger venue. This is a deliberate decision on our part.

Why don’t we just raise prices to lessen demand? Because we don’t want to cater to those who have big training budgets or deeper pockets. We have changed our pricing structure in the past and might again in the future to meet general inflation, but that’s it. We try to make the conference financially accessible to anyone who wants to attend (while still covering our expenses). Trying to lessen demand on ticket sales days by raising prices is counter to our goals.

A Lottery
Numerous people have suggested we run a lottery. It’s a great concept, and we’d love to find a way to run a lottery that is fair to everyone. However, there’s a core problem around identity proofing we can’t solve. For instance:

If all it takes is an email to register for the lottery, then people can make tons of emails and effectively stuff the ballot box. This model favors the asshole.

If we ask people to “buy” a lottery ticket for $X and limit it to one ticket per card, people with many cards (or many friends willing to help out) can stuff the ballot box. This model is biased against groups of people like students, lower income folks, and frankly those without a large network of credit-card-handing-over friends.

If we ask for your actual identity to register for the lottery and compare it at the time of sale and at the time of attendance, we’ve lost all the anonymity we were trying to have. Also, it will substantially slow down onsite registration, and further, it is biased towards those with government-issued IDs (which we have no way to truly verify anyway, not to open up that can of worms). Add to that, we don’t feel like you should ever have to show an ID to attend ShmooCon except in a few cases where a ticket is deemed non-transferable or we’re trying to resolve an issue like a lost ticket.

If anyone has ideas on how to do identity proofing in a lottery that doesn’t bias towards one group or another, we’re all ears.

Rights of First Refusal
This suggestion comes up from time to time. The idea is that people (either some or all) that have attended in the prior year of ShmooCon get first opportunity to attend again the next year. There are a few issues with this. First, we don’t track who actually attends (we really only know who pays) so we would have no way of determining who should attend in future years. Further, infosec gets a pretty rough rap for being cliquish. Inviting the same people over and over would actually define a clique. This sounds like an interesting experiment and it might work for other events, but it’s not something we’re going to do with ShmooCon.


Please let us know if you have any ideas or suggestions. We’re definitely open to your input and welcome feedback. Thanks again for your support.