Comic Con hotel rooms available now

13 MARCH 2013

If you're one of these people who claim they can't find a hotel anywhere, then go back into hotel reservations and book a room now. Plenty of hotels are available.

No, they're not at the Marriott Marquis, in fact there are some depressing addresses to be found in there, but it is a roof over your head - and you can keep trying for something better from now until 30 April, when the hotel claims part of your deposit forever.

I feel like such a hypocrite urging people to book rooms at the DoubleTree Hotel Circle when I'm at the Omni. Don't hate me.


  1. It's an absolutely craptastic reservation system. They list hotels there which have no rooms available, and use a question mark to indicate, essentially, that they don't even know if there are rooms actually available, then give you the option of a list of hotels with available rooms, which is actually a list of hotels with yet more icons to indicate whether or not rooms are available on a given night, and most hotels on the list don't have rooms available at all.

    This is why I start a full year out and find my own hotel. It's worked well for me. Two years ago, I was at the Kimpton Solamar. Last year, the Westgate, and this year, The Sophia. Only the Solamar, out of those, was a 'celebrity' hotel (for those who actually care about that, which I don't), but they're all four-star or better hotels (which I do care about, because I like to travel and visit in comfort and good service). If I can get one of my favorites through the SDCC system, great, if not, I'm still set- that's the way I do it each year. Sometimes I pay less than the SDCC rate, sometimes more (but usually all upfront, if it's less, as in a special internet rate), but it's always a reasonable rate.

    Whoever designed the hotel reservation system for SDCC deserves to be flogged. Come to think of it, they need to find new companies to contract with for their online services, on the whole. I was able to fill and submit my hotel res form the Friday before it opened, because they didn't properly secure it. Last year, I was able to log in to several of my friend's professional accounts, because there's a huge security hole there, too (and it's still there, after the lengthy email convo I had with them more than a year ago). Love the convention, beginning to loathe the mediocre way it's run.

    1. People (including me) have been saying for years that CCI needs to contract with new vendors. The usual answer from CCI is "we're trying to keep prices low for the fans" - which as the years pass and the frustration mounts, comes to sound like a lazy excuse for not making improvements already. I think most of us would happily pay a bit more for a better system. They could always offered tiered pricing as well.

      But let's talk about "I was able to fill and submit my hotel res form the Friday before it opened, because they didn't properly secure it." Was the system wide open or are you some kind of ninja CCI hacker? You might just be my new role model.

    2. A bit of both. How much of each is probably subjective, to boot; as a software engineer, what is obvious to me might not be to someone who isn't.

      I think they (TravelPlanners or the SDCC staff, or both), very foolishly, were testing in production (using the live internet-facing website), rather than in a QA environment (isolated, running internally, in their private network, and accessible only to their engineers). I think what was being tested during this time was accessibility between devices. Late Friday night until early Saturday morning, you could access the form, depending on which browser you were using, depending on which they were using for testing. On their end, this is done by sniffing for the browser's user-agent. I think they were testing one at a time, to prevent the form from being available wholesale (after all, you could simply make it accessible to all, and test on all browsers, across all supported devices, simultaneously), and doing so during the wee dark hours to be less noticeable.

      Anyhow, they commented out the form's submit button, so it wouldn't render on the page. They used an HTML comment to do so, which was really stupid. Using Firebug for Firefox, or Chrome's built-in developer's tools, you could easily enable the button, which is what I did. It would have been smarter to use a server-side language to disable the button in the same manner; one could just as easily do this in PHP, ASP, or JSP, or even CGI, and the user's browser wouldn't even know it existed. Not that it matters, really, with the rest of the form rendered, looking at the source code gives you all the expected inputs, as well as the form's action attribute, which gives you the URL for the server-side service responsible for processing the form request. From there, anyone just a little bit clever could manually build and submit the request from their browser, or even a command line.

      Anyhow, I was able to complete and submit the form, and was even presented with the success response page, afterward.
      As for the security issue in the Pro portal, I might keep that to myself, for now, despite that it IS obvious. I spoke with a few others who attend as professionals, after I accessed their accounts. It needs to be revealed, eventually, as that is the ONLY way SDCC will get up, off their lazy collective arses, and fix it. As it stands, it is frighteningly easy to to access a professional user's contact info (physical and email address, phone number, registration status). Granted, once registration is closed, it looks like you can't get to the Pro registration page at all, but during the open period it's pretty much a free-for-all. Looks like that, at least, changed from last year, but only because pro registration is no longer guaranteed; it is first-come, first-served, and closes once they run out, just like normal registration. It used to be the case, that if you qualified as a pro, you were guaranteed. Now, they qualify more pros than they have badges available.

    3. Was my comment deleted, or did you put an approval system in place (which I could understand, after the few spam comments which hit before mine)?

    4. Ok, looks like my response didn't get through. Let's try again...

      It's a bit of both, and the degree of either is subjective, too boot; as a software engineer, what is obvious to me may not be to someone else.

      I was able to submit the form on Friday, because, I believe, they (TravelPlanners or the SDCC folk, or both) were, very foolishly, testing on their production (internet-facing) environment, instead of on an isolated QA environment (internal-facing, accessible only to their engineers). I think they were testing between browsers and devices, as the form was directly accessible by one browser or another during the dark hours between late Friday night and early Saturday morning. This can be done by sniffing the requesting browser's user-agent. If that was the case, they probably isolated testing per browser to avoid making the form accessible wholesale (after all, they could simply have left it wide-open and tested across all supported browsers and devices) simultaneously). Doing so during the time they chose would be, obviously, to avoid notice.

      Anyhow, I was able to successfully complete and submit the form, with the expected success page response. They attempted to disable the submit button by commenting out the button HTML, which prevented it from rendering. This was a dumb idea. They could have used whatever server-side language was available to them (CGI, PHP, ASP, JSP, etc) to prevent it from being present, and it would not have been there at all. The HTML comment just prevents it from rendering on the page, but it's still in the browser's source code for that page. From there, anyone even slightly clever could use Firebug for Firefox, or Chrome's built-in developer's tools to make the button available (which is what I did). Not that it really matters- with the form accessible, you can peak at the source code to find all the expected input data, as well as the form's action attribute, which gives you the URL for the server-side service responsible for processing the form request. With that, you can easily construct and submit the request from your browser or a command line.

      As for the security hole I found in the pro registration portal, I'm keeping that a bit quiet, for now, at the request of a few of my fellow pro attendees (who I notified after I accessed their accounts). Eventually, it will need to come out, as that is the only way the SDCC folk will get up, off their collective lazy arses, and fix it. The end result of it is, that it is trivially easy to view a pro registrant's full contact info and registration status, and, during the open registration period, screw with their registration. Looks like the availability for doing so is now limited, unlike last year, when you could at least grab their contact info until the date of the convention, but only because pro badges are now first-come, first-served, and limited, just like normal attendee badges; previously, if you were a qualified pro, you were guaranteed a badge, and could log in to adjust or view your registration, up until the start of the convention. Even without being any sort of technical expert, the hole is obvious and makes potentially sensitive personal info (as some pros work from offices at home, or use their home address and phone number for other reasons) easily available. It's just that, now, the time in which you can do so is short.
      Maybe now wouldn't be such a bad time to let the cat out of the bag, now that pro registration is closed, and it would give SDCC yet another year to patch it. Then again, who's to say there isn't another way in, almost as easy as submitting the hotel reservation form. Yeah, I think I'll wait until the convention is over.

    5. Your comment showed up in my notification system the first time - but didn't post here for some reason. No idea why.

      Everything you found is kind of appalling. Much as I complain about the system inconveniences and general shoddiness, that kind of system vulnerability is inexcusable when it comes to personal data protection. I hope you let it rip when you think the time is right.