Unfortunately, the Companies House doesn't seem to allow a quote character at the beginning. Gotta terminate that string literal before you start injecting your own statements!
To stop this happening again, the Economic Crime and Corporate Transparency Bill (which hasn't finished going through Parliament yet) adds the following text to the Companies Act 2006:
> A company must not be registered under this Act by a name that, in the opinion of the Secretary of State, consists of or includes computer code.
I remember this - the companies house website actually wasn’t vulnerable to the attack. They removed it because someone else who downloaded and hosted the data might be.
From what I've seen, gov contractors don't really know what an SQL injection is, but they use frameworks so its all good. Bad thing is that some of these frameworks sanitise rather than escape data and the injection may slip through. I wouldn't be surprised if a system somewhere that reads this company name will just crash one day out of the blue.
I can assure you that as someone that has done a couple Gov-related public-sites, some developers do think about it, and use suitable tools to ensure there's no issues.
Before the last-and-stolen-passports site went live (that I spent most of 2014 getting live - not writing - but mostly trying to get deployed), we did have a conversation, and easily proved that people called Mr or Mrs Null and/or O'Brien would have no problems. That conversation was also somewhat prompted by the Dartford Crossing site that went live a little before us - which had 'some issues'.
Back in 2000 Coca-Cola had an auction site. I put a HTML comment tag in my username and the words "AUCTION ENDED". The result of which was that whenever I bid on anything it would erase the bid submit button after my name -- therefore no-one else could bid on anything.
This worked for a short time. Then my account disappeared with all my (very hard earned) credits in it. Then I received a letter from the MD of Coke UK telling me I was a very naughty boy.
> Then I received a letter from the MD of Coke UK telling me I was a very naughty boy.
Truly better than any prize. I got a similar letter from my school's headteacher after some extracurricular IT shenanigans. I'm still proud of that one.
Ha! Within weeks of entering primary school at 11 I had persuaded the son of the IT teacher to give me his Dad's admin password for the school network. I caused untold chaos and was banned from touching the computers for the rest of my school history.
Similarly, in 2003, they had some code-under-caps promotion. I wrote a script to submit thousands of random codes to the website, and subsequently someone from Coca-Cola NZ called my home. They calmed down when my dad said I wasn't home, but at school.
Mind you, in 2002 no called, and I got a free shirt and a folding chair.
> I wrote a script to submit thousands of random codes to the website, and subsequently someone from Coca-Cola NZ called my home.
I managed to get a phone call and a personal visit from a script.
Much less interesting than it sounds: I was downloading satellite data from NASA, the increased bandwidth use worried the sysadmin in my research lab, and we each had landline phones on our desks because this was the mid-noughties.
I got my TI-99/4 confiscated by law enforcement when, after watching War Games, I wrote a script to "war dial" connection strings on the local Tymnet POP. Turns out one of the systems I connected to was the backend clearing system for Credit Suisse. They were neither happy nor had a sense of humor. After logs showed I didn't try to steal money or do anything damaging I got my computer back in a couple of weeks.
A couple of takeaways:
a. Credit Suisse did not have a username / password to log in. They were using "security by obscurity" in 1980.
b. The local FBI guys in Dallas didn't know you could purchase a modem for a couple hundred bux and hook it up to a $1000 personal computer. They seemed truly surprised to discover I wasn't part of a well-funded white collar crime syndicate and just a kid in jr. high school whose parents eventually gave in when I begged for a modem for a couple months.
c. You can apparently do damage to your reputation at 300 baud.
In the 1980's, the New York State Police visited the local police department in the town I lived because of some dialup mischief I caused. The local police chief toldd them he'd handle it.
The lesson I learned was to do a better job of covering my tracks. But I stayed away from that mainframe after that.
The things many of us did to learn about computers back then would get someone prison time today.
In the early 90's I worked for Louisiana State University's AG Center purchasing department and had a mainframe TSO account. I figured out how to use Gopher to various other research universities and download weather satellite photos and other various weather data (sometihng I was interested in at the time). I was then able to subsequently use Zmodem downloads over a 3270 dial up session to do this from home. I thought being able to get this info was pure magic at the time, since it was primarly only available to researchers.
My supervisor got the next month's TSO departmental chargeback bill for my user account from the University's IT group, and it was tens of thousands of dollars of TSO time :). They told me "don't do that anymore"
Somewhat related, in '99 my school gave everyone shell accounts, so they could check their email through pine. But the shell accounts were pretty functional with access to command line tools, such a perl.
It took me a lot of restraint not to harvest everyone's usernames (which was just the name of the home directory easily grokked) and email everyone at username@highered.edu (since sendmail was also available) something silly during winter break- like the fact that flooding had happened in the dorm rooms, and that everyone would have to move out before Spring semester due to needed maintenance and everyone will receive $500 in compensation because everyone's stuff in their dorm was destroyed.
Surely I would have been expelled, but what a story to tell my next employer.
Anyways, looking for a QA job if anyone's hiring. I would like to break your stuff.
This ultimately resulted in a new restriction in a bill making its way through Parliament that "a company must not be registered under this Act by a name that, in the opinion of the Secretary of State, consists of or includes computer code".
Assuming this means the Secretary of State for Business and Trade (the UK has 17 Secretaries of State), the current one has a degree in computer systems engineering and has worked as a software engineer [1], so she probably has a fairly good idea.
I didn't know this, and have made the same snarky joke in dumb interviews about the company registration etc. - that's very cool and I will eat my words.
She somehow got away with hacking into a rivals computer/server — she would contest the use of the word hacking but by the wording of the computer misuse act it's what she did.
The company name is a bit of hacker sleight-of-hand… or as some astute people have put it, it’s ‘wrong’. Of course it’s wrong - I’m not a /total/ arsehole. :
80 comments
[ 396 ms ] story [ 3573 ms ] thread[1] https://www.linkedin.com/company/-drop-table-companies----lt...
Also relevant: https://www.theguardian.com/uk-news/2020/nov/06/companies-ho...
This reads like someone drinking, and then waking up the next morning in damage control mode.
https://xkcd.com/327/
>THAT COMPANY WHOSE NAME USED TO CONTAIN HTML SCRIPT TAGS LTD
>Previous company names
>[NAME AVAILABLE ON REQUEST FROM COMPANIES HOUSE]
https://forum.aws.chdev.org/t/cross-site-scripting-xss-softw...
They changed it and you can only see the old name upon request
https://find-and-update.company-information.service.gov.uk/c...
Looks like the XSS tried to load this script that has since been banned: https://mjt.xss.ht/
Edit: huh, looks like HN translate 𝕏 into xn--971h.com, but the link still works. So much for my dumb twitter link.
https://en.m.wikipedia.org/wiki/Punycode
https://xn--i-7iq.ws
> A company must not be registered under this Act by a name that, in the opinion of the Secretary of State, consists of or includes computer code.
However that doesn't mean downstream users of the data treat data sources correctly
Before the last-and-stolen-passports site went live (that I spent most of 2014 getting live - not writing - but mostly trying to get deployed), we did have a conversation, and easily proved that people called Mr or Mrs Null and/or O'Brien would have no problems. That conversation was also somewhat prompted by the Dartford Crossing site that went live a little before us - which had 'some issues'.
; DROP TABLE "COMPANIES";-- LTD - https://news.ycombinator.com/item?id=27815396 - July 2021 (30 comments)
Drop Table “Companies”;-- LTD - https://news.ycombinator.com/item?id=21534156 - Nov 2019 (7 comments)
Drop Table “Companies”;– LTD - https://news.ycombinator.com/item?id=20583540 - Aug 2019 (2 comments)
Drop Table Companies Ltd - https://news.ycombinator.com/item?id=17003588 - May 2018 (27 comments)
Drop Table Companies Ltd - https://news.ycombinator.com/item?id=13280494 - Dec 2016 (23 comments)
https://web.archive.org/web/20010223090106/http://cokeauctio...
This worked for a short time. Then my account disappeared with all my (very hard earned) credits in it. Then I received a letter from the MD of Coke UK telling me I was a very naughty boy.
Truly better than any prize. I got a similar letter from my school's headteacher after some extracurricular IT shenanigans. I'm still proud of that one.
Mind you, in 2002 no called, and I got a free shirt and a folding chair.
I managed to get a phone call and a personal visit from a script.
Much less interesting than it sounds: I was downloading satellite data from NASA, the increased bandwidth use worried the sysadmin in my research lab, and we each had landline phones on our desks because this was the mid-noughties.
A couple of takeaways:
a. Credit Suisse did not have a username / password to log in. They were using "security by obscurity" in 1980.
b. The local FBI guys in Dallas didn't know you could purchase a modem for a couple hundred bux and hook it up to a $1000 personal computer. They seemed truly surprised to discover I wasn't part of a well-funded white collar crime syndicate and just a kid in jr. high school whose parents eventually gave in when I begged for a modem for a couple months.
c. You can apparently do damage to your reputation at 300 baud.
lol. that's a great line.
The lesson I learned was to do a better job of covering my tracks. But I stayed away from that mainframe after that.
The things many of us did to learn about computers back then would get someone prison time today.
My supervisor got the next month's TSO departmental chargeback bill for my user account from the University's IT group, and it was tens of thousands of dollars of TSO time :). They told me "don't do that anymore"
It took me a lot of restraint not to harvest everyone's usernames (which was just the name of the home directory easily grokked) and email everyone at username@highered.edu (since sendmail was also available) something silly during winter break- like the fact that flooding had happened in the dorm rooms, and that everyone would have to move out before Spring semester due to needed maintenance and everyone will receive $500 in compensation because everyone's stuff in their dorm was destroyed.
Surely I would have been expelled, but what a story to tell my next employer.
Anyways, looking for a QA job if anyone's hiring. I would like to break your stuff.
See page 16 of the Economic Crime and Corporate Transparency Bill (https://bills.parliament.uk/publications/49554/documents/283...)
Although it would be sad if this meant that, for example, one couldn't name a company after a programming language keyword (!?).
https://find-and-update.company-information.service.gov.uk/c...
https://find-and-update.company-information.service.gov.uk/c...
https://find-and-update.company-information.service.gov.uk/c...
... I could go on.
[1] https://en.m.wikipedia.org/wiki/Kemi_Badenoch
The Secretary of State gets to decide whether it's "computer code." It's not an objective decision. This is how things are supposed to work.
ie. end the single quote first, so that searching by the text would be:
I love this - great idea :-)