Computer Glitch or Vandals? Some Fast Runners Moved to Slowest Corrals in Half Marathon
by Lani Teshima, staff writer
Advertisement
Whether due to a computer glitch or vandals with ill-intent, a number of runners in this past weekend's Disneyland Half Marathon discovered that their proof-of-time did not match what they had submitted, leading fast runners who typically get assigned to corrals A or B, to be placed in the slowest corrals.
Could this have been due to a computer glitch, or something more nefarious?
Unlike past races, where proof-of-time information was a field in the online race registration form, the Disneyland Half Marathon introduced a new method. The race registration form did away with the proof-of-time field altogether, and all registered participants were instructed to go to a special online proof-of-time submission form, where they were told to enter their full name, birthdate, and the name, date, and finish time of a previous race as proof of time. In the past, runners who improved their finish time in another race after they had registered for a runDisney race had to submit an email; with this new online proof-of-time form, the idea was to standardize the submission information, and provide runners with an easy way to continue updating their proof-of-time information all the way up until the last day of submission.
This new form was a great idea, in theory. Unfortunately, the form lacked some very basic security measures, the biggest being the lack of any sort of login/password requirement. Anyone could submit a proof-of-time for any registrant, as long as they had the runner's basic information. Worse, when someone else updated this information, the registrant never received a confirmation email to acknowledge that a new proof of time had been submitted.
Because of this, many people assumed everything was fine with the submission they made, and never knew anything had gone awry… until they found out their corral placements was not what they expected.
One victim of this proof-of-time switch is Karen Chu. Known for her elaborate race costumes, Karen is a fast runner. After she registered for the Dumbo Double Dare to race in both Saturday's 6.2-mile 10K and Sunday's 13.1-mile half-marathon, she followed the official instructions by submitting the form to Disney with her proof of time of 2:07 for a previous half-marathon she had run. With this time, knew she would be in one of the faster corrals.
Karen was thus puzzled, when runDisney announced race bib availability and corral placement, that she had been assigned to the very last corral. "I thought it was weird that I was in (corral) H when I'm usually an A or B," Karen said. She immediately contacted the runDisney race registration officials at TrackShack to figure out what was going on, and it was at this point that she received some startling news: TrackShack asked if she may have written a typo in her proof-of-time submission, because the information they had from her form showed a proof-of-time of 3:59, almost twice as slow as the time she'd submitted.
Fortunately for Karen, TrackShack was very prompt and friendly in helping her correct the "error," and she chalked it up to some odd hiccup. When Karen went to pick up her bib at the race expo, they put an official sticker on her bib to show that she was formally placed corral B, rather than in corrals E for the 10K and H for the half-marathon.
Karen grew suspicious, however, when she discovered that a friend of hers—also a fast runner who is typically assigned to corral A or B—had entered a similar "error" with a slow time that placed her in corral H.
According to Karen, she never received a confirmation email when the form was updated. And because anyone with a person's birth date could submit a fake proof of time, there is no way to tell until participants get their official bib assignment if they are in their appropriate corral. Karen suspects that someone decided to play a prank on her and her friend by moving them to the back of the pack, but was satisfied with the quick correction from race staff.
Karen was not the only victim of this "prank." Another victim was runner Louis Blanco, along with his brother, and his brother's wife. When the bib numbers were released, he saw that instead of the A corral that he expected, they had been moved to the back. Louis says he contacted TrackShack, and discovered that their proof-of-time information had been changed from "1 hour and something to 3 hours and something,"
"From what I understand, the changes were made at or near the June 2 deadline, but I cannot confirm that. Anyway, at that point I knew someone was messing with us," Louis said.
Fortunately, as with Karen, Louis said TrackShack was very responsive and quick in helping. "They were very nice in making the correction. They just sent us an email to bring to the expo." Louis did ask them if they could provide him with the IP address of the person(s) that sabotaged their times, or whether they were taking the matter seriously and investigating these fraudulent resubmissions, but he says he did not hear back from them.
Another person who had the proof-of-time information incorrect with TrackShack was Matt Marcella, an administrator for the Team #runDisney Facebook group. He says he was among a number of runners for whom TrackShack did not have the correct proof of time. "A lot of runners, including myself, found that their proof of times were not properly processed in the new system that runDisney is using. The times showed slower that the proofs that were submitted. runDisney acknowledged that there was a problem with the new system and corrected the issue for these runners by placing them in the correct corrals." Matt said that he had not considered the time changes to be something other than a computer glitch, but acknowledges that there should be a way to protect people's proof-of-time submissions.
This could have a larger implication for the runDisney race community in general. If this was a computer glitch, how many runners were affected? After your deadline passes for submitting the proof-of-time form, you can no longer find out what your officially submitted time is. But what if this was, as runners suspect, a malicious act made by pranksters? The current method makes it very easy to downgrade faster runners into slower corrals, and not everyone will notice (until too late) that their corral assignment is wrong—especially for first-time runDisney participants who aren't familiar with the paces for the corrals. A person could file a fraudulent proof-of-time submission to purposefully move age group winners back, essentially eliminating a lot of their competition by cheating before the race even starts.
Regardless of reason(s) or the perpetrator(s), we recommend that you do these three things to reduce your chances of being a victim of any downgrading sabotage:
- Take a screenshot of the confirmation notice of your proof-of-time submission form. If you ever need to show that you submitted this, a screenshot is the best evidence because it shows the finish time you submitted.
- Go back and check to see if someone has changed your proof-of-time information near, but before, the final submission deadline. Once you pass the deadline, the form becomes unavailable and you can no longer see what time they have you down for. If your time has been sabotaged, change it right before the deadline (to reduce the chance that your saboteur will try to overwrite your form again).
- Remove your birthday from public profiles such as Facebook (including removing any "happy birthday" posts in your timeline) so that the saboteur cannot obtain your full birth date. Remember that even if you only post the month and day of your birthday on Facebook, people can easily figure out the year based on your age information posted in race results.
Things runDisney and TrackShack could do to minimize such incidents:
- Bring back the original proof-of-time field in the online race registration form.
- Send confirmation email to the registrant anytime there is a proof-of-time submission, to the email address associated with the race's registration.
- Requires a password to log into an account to update the proof of time form.
- Automatically flag any updated proof-of-time submissions as fishy when the new time is slower than the original submission, and request a confirmation response from the racer at the email address associated with the registration.
But could this have happened to more than these runners? Did this happen to you? If so, when did you find out about the problem? How was your experience?
[We attempted to contact runDisney for a response, but they were unavailable over the holiday weekend.]
Comments
I agree that the email should be sent whenever you submit a proof of time. That should be the easiest thing to implement.
I also hope my 'estimated finish time' went in ok for Wine & Dine. I don't have a proof of time, but I did estimate my finish at 3:15 (which I'm hoping to be near with my increased training for Sept and Oct). But by their rules I also don't NEED a proof of time for that estimated finish. It should have a 'check box' or some other backside checking to acknowledge that you don't have to have a race to support those times.
I can't imagine this was a hacker or a vandal, since the victims were so random. I think it was a glitch that they need to address. I agree that confirmation emails are the best place to start. It also wouldn't hurt to have a log of updates the user made to his/her account leading up to the race, including how often someone logged in. If there was a change to the race time without a login time to support it, then it's a glitch. If not, it's rather coincidental that so many were so unlucky. Thank goodness it was fixed for them.
Louis, one of the runners I talked to, had this affect himself, his brother, and his brother's wife. I wouldn't really call that random, especially when Louis didn't do the registration for his brother and his brother's wife.
Bottom line, though, is that there is absolutely NO security to the form whatsoever, so anyone could post an updated time. They don't ask if the new time is actually slower, and if that updated submission shows a really slow time, the runner doesn't even need to provide proof from a race; I don't think they even bother looking them up.
This really messes up runDisney too, because they can only fit so many bodies into the faster corrals... and if turns out that 100 people were fraudulently pushed back to a slower corral, they have to deal with trying to figure out if it's possible to physically move them up without overcrowding a corral. What a nightmare.
By the way, I've also posted a link to the article at Slashdot, since I see this as a general web security issue: http://slashdot.org/submission/49173...disney-runners
Interesting. I just went in to update my POT for WDW and the system now generates a page with all your information and
PLEASE PRINT THIS PAGE FOR CONFIRMATION.
Also includes the date of the change.
I would say Track Shack and runDisney took note of the issues and your article. Nice job!