"PastaPassport": Why You Didn't Win (and why a bot may not have either)
September 14, 2017
pastapass
pastapassport
thatdamnbot
clickbots
Earlier today, Olive Garden ran their annual PastaPass promotion. I’m going to assume you know what this is (or else why else are you reading this?), but just incase you don’t, during this promotion, the Olive Garden restaurant chain sells (this year) 22000 ‘PastaPasses’, each of which entitle the holder to unlimited soup, breadsticks, and pasta during their ‘Never Ending Pasta Bowl’ season. This year, that time period is 8 weeks long, so if you plan on eating alot of pasta (or live near an Olive Garden and want to save some money on food), it is clear why getting one of these $100 ‘passes’ is a good investment.
This year, they also introduced a ‘Pasta Passport’, which, for $200, included all of the previously mentioned perks, plus an all-expenses-paid, 8 day trip for two to Italy. They sold 50 of these.
Understandable, lots of people tried to buy one. Also understandably, lots of people didn’t get one and had some questions.
Many even took to blaming all of the ‘bots’. For instance, these three people.
Now, I have my own disagreements with how they ran this event, however I believe that is important to make clear that in most high volume promotions of this nature, there are far too many hidden factors that affect all participants, both human and ‘bot’, to be able to fairly assume that a bot was the ‘winner’.
System Time
Time is a concept that seems rather simple, but under the hood, is insanely complex. On every computer you own, there will be a small process (typically NTP), who’s entire job is tweeking your system clock by microseconds in an effort to keep it in sync with the rest of the world, and avoid clock skew. Basically, en masse, these systems attempt to ensure that in normal use, the time on your computer is as close as possible to the time on any other computer.
But, close isn’t always enough, and problems can arise even when we only have a small time skew. We saw this today, with the Pasta Passport event, where the promotion was ‘sold out’ before even being available on some people’s computers.
Lets look at some ‘advantage’ options for different time-comparison situations:
The ‘Server’ difference is on top, ‘Your Computer’ difference is on the left. This chart assumes all other participants are ‘Perfect’, which should, on average, be true.
Behind | Perfect | Ahead | |
---|---|---|---|
Behind | Disadvantage | Disadvantage | Large Disadvantage |
Perfect | Advantage | None | Disadvantage |
Ahead | Disadvantage | Advantage | Large Advantage |
The important thing here isn’t when you have an advantage over the other participants in the system, it is when you are disadvantaged. We can see here, that out of the 9 situations, you are at a disadvantage in 5 of them, and at an advantage in only three.
Network Time
Just as time isn’t simple under the hood, requests over the internet aren’t either. Every time you make a request from your machine, that request has to travel through the internet to the destination, and then back to you. This takes time, and the amount of time can also be very volitile, depending on multiple factors. Currently, a round-trip from my machine in Austin, Texas to the Pasta Pass servers (located in Oregon) takes ~100ms, so we’ll assume ~50ms for a round trip. This means that even if you clicked the button (or a click bot did), at exactly the right time, the promotion could be over before your requests even reaches the server.
But What Advantage Could A Bot Get?
Personal click bots, while giving the user a potential advantage (which could be futher enhanced by adjusting the system clock), would still (en masse) be at a disadvantage compared to the overall participant pool.
Note that I am making the assumption that the use of personal click bots accounted for a minority of promotion participants.
As well, it was fairly trivial to write a click-bot for this promotion. There are ways that this could have been prevented, which will be discussed in another post.
Another option would be to run a modified version of the website code, which could remove the time checks, and repeatedly try to check out starting before the promotion is set to being, hoping to have a request land at the perfect time. This is again a not-super-trivial solution, and is also likely to be caught by even the most trivial abuse-prevention systems.
While there are some advantages that could be obtained by a dedicated (and technical) individual, the size of the promotion does not validate the effort. Assuming a value per-trip or $10 000, the total size of the prize pool is $500k, and even then, one could not reasonable win all of the prizes anyways (I’m pretty sure someone at Olive Garden would catch on).
It’s (mostly) Random
Last year, the promotion sold 21000 “PastaPass”’s in “less than 1 second”, which makes it extremely plausible to have sold 50 “PastaPassports” in less than 2 milliseconds. Even with a bot, these elements of randomness would make it very difficult to hit that (moving) 2 millisecond target with any sense of confidence, or repeatability. The biggest aspect here would be luck; luck that your system clock lined up in a nice configuration with the server’s clock, luck that the time it took your request to reach the servers happened to have it arrive at the right time, and luck that 50 other ‘individuals’ didn’t get lucky before you did.
Overall, the results of this entire promotion would likely be on-par with a random give-away.
Then what should they have done?
In my opinion, the should have done just that. A random giveaway (from those individuals who purchased the regular PastaPass). There are multiple approaches they could have taken in this situation, including my 2 personal favorites:
- Allow “Pasta Passport” ‘purchase’ requests for a few seconds after the promotion starts, and then select 50 random ‘winners’ from that pool.
- Sell 22050 “Pasta Pass”’s, randomly select 50 customers after-the-fact, and offer them the ‘upgrade’. If they don’t want it (for whatever reason), you can offer it to someone else.
Note that neither of these two approaches eliminate, or reduce, the amount of randomness. In fact, they both increase it, which can help by eliminating the (arguably slight) advantage that ‘bots’ can gain, and by preventing negative feeling that occur when someone feels like they “should have won” (ie, no one gets angry when they don’t win the lottery).
Either way, I hope you learned something about the underlying mechanics of promotions of this nature. If you disagree with any of the points here, or think I’m just plain wrong, send me an email! I’d love to hear from you.