Issues identified at FurSquared 2023

- 16 min read - Text Only

FurSquared's latest technology improvements were proven effective. Once more, the success at this year's convention sets a new baseline for convention efficiency that staff and convention attendees should expect in the future.

Before I go into what I did for FurSquared 2024, let's review my observations on 2023's technology and execution, as they greatly influenced my priorities for 2024.

If you haven't read it yet, check out Process Engineering at a Furry Convention, where I tackled the most time consuming process in the registration room.
My mission in all of this is to give attendees the most time they can have with their friends. Sure, attendance is necessary to fund the convention, and by extension support and raise charity for organizations like Humane Animal Welfare Society of Waukesha County. At the end of the day, my friends and I are going there to be with one another, and I want my friends to enjoy their time with one another.

I observed several issues before, during, and after the convention.

A group making a pentagram with a paper scratched with 'REG', and someone looks disapprovingly from a doorway in the distance.

Before the convention

FurSquared added a new Night Market offering for adult vendors. It was priced differently, as vendors had to set up each day for a limited operating period in the evening. Registration could not handle different prices for different vendor types, as it had no support for more than one vendor type. We used coupons as a workaround, and gave coupon codes to vendors that had a different pricing structure.

Coupons, as a concept, are useful to patching other problems in transactions. As a consumable voucher of value from a merchant to a customer, it can modify transactions that have other limitations. For example, a coupon allowed us to differentiate prices for Night Market and Weekend Dealers in 2023.

Coupons successfully worked around the limitation for vendors, though it was unsatisfying. If a vendor had assistants, these assistants had to register first and then share a long, confusing token to the vendor, which they'd then enter during the payment process. Or, they had to escalate for staff intervention afterwards through a Telegram group.

Email is a challenge for every department. One or two members of staff, who are volunteering their time, might look once a week at the inbox. The vendors' inbox receives a lot of noise from Alibaba resellers and "locally roasted" coffee bean merchants that don't take no for an answer. Attention then shifts to using a Telegram group for supporting vendors after they pay for their spot.

Many vendors lost their spot simply because they did not act on the invitation email. This led to some crying and whining and as usual led to overbooking the vendor room, which makes it everyone's problem. We cannot sell space that does not exist, or cover spaces that function as fire escapes.

I am about to describe some risks to payments, note that none of these risks happened. The issue is they were possible.

Payments were not resistant to web skimming attacks, as the form used an integration with Stripe from 2016 that relied on javascript to tokenize the form before submitting. Refunds required staff to access the Stripe administration portal, which bottlenecked refund processing to one person.

No cardholder data or sensitive authentication data was submitted to FurSquared's servers. Stripe SDK tokenized the card with Stripe as a payment processor and that token was submitted to the registration backend. The issue is that the form element was readable by other scripts on the page hosted by FurSquared. No Qualified Security Assessor would sign off on this in 2023, let alone 2024.

FurSquared's refund policy permits attendees to request a refund before the convention. Depending on their registration tier, it may be a full or partial refund.

Like going to a music concert, if you show up and attend, you are not getting a refund whether or not you didn't like the music. The event paid for the space, the licenses to operate and perform with you accounted for, and the same goes for any fandom convention.

Attendees that wished to volunteer filled out a separate Google Form, which required regular proactive review to process and invite into a Telegram group.

Those wishing to update their name on their badge before the convention had to find, copy, and paste a Stripe transaction ID from a plaintext email into an ugly online form. Copying an arbitrary string of characters is not something most people think of trying. Instructions help, but will not overcome the poor ergonomics of this process. They want a button to take them to the site to do the thing. Copying tokens is too high friction for the less technically inclined.

The same was true for anyone who wanted to upgrade — such as getting in on the yearly poster!

Poster for 2023 it looks like a theme park simulator

At the convention

Those paying in cash were blocked by the person ahead of them and used a slow and antiquated process with cash receipt books, and required staff to operate with constant attention to process attendees one at a time.

Cash processing was a nightmare, at least in my eyes. While sitting with the card printers, I could oversee a registration lead handling the single cash station.


The process was just so painful to me. I watched attendees with hunt-and-peck typing skills fill out the form, only to be told not to submit it. Once the attendee completed their portion, the registration lead took the laptop, asked for money amount, filed the money into a lockable box, wrote onto a duplicate receipt book, collected a signature, then gave one receipt copy to the attendee, finally entered the serial number of the receipt into the form, submitted it, and then my printing backend would enqueue their badge. The next person would start filling out the form while the registration lead told the hole-puncher which badge to hand to them for the person that completed their payment.

If the paragraph above was difficult to read, it was more difficult for me to witness it.

Attendees had high variability in the time they took. The line for cash was blocked by the attendee filling out the form. The staff member was blocked by the attendee. And finally, staff used cash books like it was 1999.

I had not seen a cash receipt book for years. Yuck.

A cash receipt book

Volunteers would be too occupied to notice anyone fill out the form during the convention, so they only engaged with those that came to the volunteering table in an open area.

Volunteers are essential to shore up the operations at the convention. They help with loading the convention in, taking pictures, checking attendees at doors, line wrangling, and so on.

Staff members are volunteers in the sense that they're not being paid and are at most compensated with a room discount and attendance at no charge. Staff are expected to show up and do shifts for an amount of time on site. Staff are not volunteers in the sense of being directed by the Volunteers department.

Volunteers that show up on site are handled by the Volunteers department. Attendees that volunteer may contribute as much or as little as they desire, whenever they desire. As attendees faithfully give the convention their time, in return they become eligible for rewards like a shirt or free attendance next year.

Time keeping is essential to running a fair Volunteering operation. And to keep time and assign volunteers, a roster is needed. And to get on the roster, the attendee or a staff member on behalf of the attendee would have to fill out a form.

As with any list of dependencies, it is described in reverse. Let me start in the other direction.

To onboard a volunteer, a registered attendee or staff on behalf of an attendee would fill out a Google Form. That form had no proactive notification to the Volunteers department that a new volunteer is ready to offer their time and efforts. The form also asked for redundant information to identify attendees and track them across years of service.

Everybody loves duplicate data entry that might get lost! It makes us happy and full of bureaucratic energy!
Speaking of, I really ought to make an account system at some point so attendees can just pay each year, like MFF and BLFC.

Volunteer leads would then invite the attendee into a Telegram group where they would later direct available volunteers to work that is requested by other departments.

After being assigned a task or a shift, like checking badges at doors, the volunteer would get a paper sheet with fields asking for their identifying information, who they worked for, how long they worked, etc.

Once their task or shift is complete, the attendee must find a department lead who will sign off on their contribution, and then return the paper sheet to Volunteers.

Once a Volunteers lead has the sheet, they are to immediately transcribe it. Afterwards, they would be verbally told to go to the Con Store to say they should get a shirt from volunteering.

No document or voucher would authenticate their statement to the Con Store. Further, no documentation was kept on what was given out and to who, and so we could not determine who was eligible for a shirt but never collected one.

As a practitioner of security and cryptography, unauthenticated exchanges are ripe for abuse. I am not comfortable with "vibes-based" free transactions.

And lastly, a friend of mine, ギンジ🐾ターラノー, had a badge with unsupported symbols on it. Only latin and emojis were supported at the time.

Badge 10 with question mark boxes on it


FurSquared 2023 volunteer time keeping was done in Excel on a personally owned device. It was never copied to the organization's Google drive and was lost before 2024.

This created a significant delay and headache for volunteers that were to be rewarded with free attending registration in the next year. The original papers had to be found again and re-entered to determine who was eligible for free attendance.

A process dependent on a personal device like that is not acceptable. FurSquared lost money issuing refunds for those affected.

A quick recap

All together, FurSquared needed to be PCI compliant, use a better cash process, support multiple vendor types, have better upgrade and badge edit ergonomics, volunteering integration, and proactive outreach to vendors and volunteer leads on tasks to act on.

In one sentence, it might not seem like much, but it took over three hundred hours to address it all in some way for 2024.

Another issue has come up too: furry conventions are growing exponentially. Process and quality of life are bound to degrade if we do nothing about it.

For how I addressed these issues, see Technology Updates for FurSquared 2024. However, not every solution worked out. A later article will cover what I'll do for 2025.