Drop Table “Companies”;– LTD (2016)(find-and-update.company-information.service.gov.uk)
find-and-update.company-information.service.gov.uk
Drop Table “Companies”;– LTD (2016)
https://find-and-update.company-information.service.gov.uk/company/10542519
80 comments
Similarly, in 2003, they had some code-under-caps promotion. I wrote a script to submit thousands of random codes to the website, and subsequently someone from Coca-Cola NZ called my home. They calmed down when my dad said I wasn't home, but at school.
Mind you, in 2002 no called, and I got a free shirt and a folding chair.
Mind you, in 2002 no called, and I got a free shirt and a folding chair.
> I wrote a script to submit thousands of random codes to the website, and subsequently someone from Coca-Cola NZ called my home.
I managed to get a phone call and a personal visit from a script.
Much less interesting than it sounds: I was downloading satellite data from NASA, the increased bandwidth use worried the sysadmin in my research lab, and we each had landline phones on our desks because this was the mid-noughties.
I managed to get a phone call and a personal visit from a script.
Much less interesting than it sounds: I was downloading satellite data from NASA, the increased bandwidth use worried the sysadmin in my research lab, and we each had landline phones on our desks because this was the mid-noughties.
I got my TI-99/4 confiscated by law enforcement when, after watching War Games, I wrote a script to "war dial" connection strings on the local Tymnet POP. Turns out one of the systems I connected to was the backend clearing system for Credit Suisse. They were neither happy nor had a sense of humor. After logs showed I didn't try to steal money or do anything damaging I got my computer back in a couple of weeks.
A couple of takeaways:
a. Credit Suisse did not have a username / password to log in. They were using "security by obscurity" in 1980.
b. The local FBI guys in Dallas didn't know you could purchase a modem for a couple hundred bux and hook it up to a $1000 personal computer. They seemed truly surprised to discover I wasn't part of a well-funded white collar crime syndicate and just a kid in jr. high school whose parents eventually gave in when I begged for a modem for a couple months.
c. You can apparently do damage to your reputation at 300 baud.
A couple of takeaways:
a. Credit Suisse did not have a username / password to log in. They were using "security by obscurity" in 1980.
b. The local FBI guys in Dallas didn't know you could purchase a modem for a couple hundred bux and hook it up to a $1000 personal computer. They seemed truly surprised to discover I wasn't part of a well-funded white collar crime syndicate and just a kid in jr. high school whose parents eventually gave in when I begged for a modem for a couple months.
c. You can apparently do damage to your reputation at 300 baud.
In the 1980's, the New York State Police visited the local police department in the town I lived because of some dialup mischief I caused. The local police chief toldd them he'd handle it.
The lesson I learned was to do a better job of covering my tracks. But I stayed away from that mainframe after that.
The things many of us did to learn about computers back then would get someone prison time today.
The lesson I learned was to do a better job of covering my tracks. But I stayed away from that mainframe after that.
The things many of us did to learn about computers back then would get someone prison time today.
In the early 90's I worked for Louisiana State University's AG Center purchasing department and had a mainframe TSO account. I figured out how to use Gopher to various other research universities and download weather satellite photos and other various weather data (sometihng I was interested in at the time). I was then able to subsequently use Zmodem downloads over a 3270 dial up session to do this from home. I thought being able to get this info was pure magic at the time, since it was primarly only available to researchers.
My supervisor got the next month's TSO departmental chargeback bill for my user account from the University's IT group, and it was tens of thousands of dollars of TSO time :). They told me "don't do that anymore"
My supervisor got the next month's TSO departmental chargeback bill for my user account from the University's IT group, and it was tens of thousands of dollars of TSO time :). They told me "don't do that anymore"
> Then I received a letter from the MD of Coke UK telling me I was a very naughty boy.
Truly better than any prize. I got a similar letter from my school's headteacher after some extracurricular IT shenanigans. I'm still proud of that one.
Truly better than any prize. I got a similar letter from my school's headteacher after some extracurricular IT shenanigans. I'm still proud of that one.
Ha! Within weeks of entering primary school at 11 I had persuaded the son of the IT teacher to give me his Dad's admin password for the school network. I caused untold chaos and was banned from touching the computers for the rest of my school history.
Somewhat related, in '99 my school gave everyone shell accounts, so they could check their email through pine. But the shell accounts were pretty functional with access to command line tools, such a perl.
It took me a lot of restraint not to harvest everyone's usernames (which was just the name of the home directory easily grokked) and email everyone at [email protected] (since sendmail was also available) something silly during winter break- like the fact that flooding had happened in the dorm rooms, and that everyone would have to move out before Spring semester due to needed maintenance and everyone will receive $500 in compensation because everyone's stuff in their dorm was destroyed.
Surely I would have been expelled, but what a story to tell my next employer.
Anyways, looking for a QA job if anyone's hiring. I would like to break your stuff.
It took me a lot of restraint not to harvest everyone's usernames (which was just the name of the home directory easily grokked) and email everyone at [email protected] (since sendmail was also available) something silly during winter break- like the fact that flooding had happened in the dorm rooms, and that everyone would have to move out before Spring semester due to needed maintenance and everyone will receive $500 in compensation because everyone's stuff in their dorm was destroyed.
Surely I would have been expelled, but what a story to tell my next employer.
Anyways, looking for a QA job if anyone's hiring. I would like to break your stuff.
Bidding on a “cokeauction” is a very different thing in 2023.
What is a cokeauction in 2023?
I assume it would be something folks would do on the dark web.
A white house activity
Naughty but very informative to their devsec team . I think that should have been a given you a reward for finding that issue.
Around this era, you could make posts on message boards where your subject was all spaces, and make an unclickable post.
This ultimately resulted in a new restriction in a bill making its way through Parliament that "a company must not be registered under this Act by a name that, in the opinion of the Secretary of State, consists of or includes computer code".
See page 16 of the Economic Crime and Corporate Transparency Bill (https://bills.parliament.uk/publications/49554/documents/283...)
See page 16 of the Economic Crime and Corporate Transparency Bill (https://bills.parliament.uk/publications/49554/documents/283...)
Amazing. I would absolutely love to sit down with the Secretary of State and test their knowledge of what does of does not consist of of computer.
Assuming this means the Secretary of State for Business and Trade (the UK has 17 Secretaries of State), the current one has a degree in computer systems engineering and has worked as a software engineer [1], so she probably has a fairly good idea.
[1] https://en.m.wikipedia.org/wiki/Kemi_Badenoch
[1] https://en.m.wikipedia.org/wiki/Kemi_Badenoch
I didn't know this, and have made the same snarky joke in dumb interviews about the company registration etc. - that's very cool and I will eat my words.
⇡ This is the founder of Drop Table
You’re sure it wasn’t just comment on the original thread? Looks like it was submitted by someone else?: https://news.ycombinator.com/item?id=13280494
He wrote a blogpost about it https://pizzey.me/posts/no-i-didnt-try-to-break-companies-ho...
She somehow got away with hacking into a rivals computer/server — she would contest the use of the word hacking but by the wording of the computer misuse act it's what she did.
Wait till they learn about Whitespace .. ( https://en.wikipedia.org/wiki/Whitespace_(programming_langua... )
So "SELECT TRAVELS LTD." is prohibited? How about "Class Moving Ltd.", or "Sarah's wedding functions", or "Goto Grocery"?
> in the opinion of the Secretary of State
The Secretary of State gets to decide whether it's "computer code." It's not an objective decision. This is how things are supposed to work.
The Secretary of State gets to decide whether it's "computer code." It's not an objective decision. This is how things are supposed to work.
That's kind of awesome!
Although it would be sad if this meant that, for example, one couldn't name a company after a programming language keyword (!?).
Although it would be sad if this meant that, for example, one couldn't name a company after a programming language keyword (!?).
Like
https://find-and-update.company-information.service.gov.uk/c...
https://find-and-update.company-information.service.gov.uk/c...
https://find-and-update.company-information.service.gov.uk/c...
... I could go on.
https://find-and-update.company-information.service.gov.uk/c...
https://find-and-update.company-information.service.gov.uk/c...
https://find-and-update.company-information.service.gov.uk/c...
... I could go on.
That's why the Secretary of State (very important person) gets to make the call.
Blog on it by the company founder:
https://pizzey.me/posts/no-i-didnt-try-to-break-companies-ho...
See also
https://find-and-update.company-information.service.gov.uk/c...
>THAT COMPANY WHOSE NAME USED TO CONTAIN HTML SCRIPT TAGS LTD
>Previous company names
>[NAME AVAILABLE ON REQUEST FROM COMPANIES HOUSE]
https://forum.aws.chdev.org/t/cross-site-scripting-xss-softw...
>THAT COMPANY WHOSE NAME USED TO CONTAIN HTML SCRIPT TAGS LTD
>Previous company names
>[NAME AVAILABLE ON REQUEST FROM COMPANIES HOUSE]
https://forum.aws.chdev.org/t/cross-site-scripting-xss-softw...
Related:
; DROP TABLE "COMPANIES";-- LTD - https://news.ycombinator.com/item?id=27815396 - July 2021 (30 comments)
Drop Table “Companies”;-- LTD - https://news.ycombinator.com/item?id=21534156 - Nov 2019 (7 comments)
Drop Table “Companies”;– LTD - https://news.ycombinator.com/item?id=20583540 - Aug 2019 (2 comments)
Drop Table Companies Ltd - https://news.ycombinator.com/item?id=17003588 - May 2018 (27 comments)
Drop Table Companies Ltd - https://news.ycombinator.com/item?id=13280494 - Dec 2016 (23 comments)
; DROP TABLE "COMPANIES";-- LTD - https://news.ycombinator.com/item?id=27815396 - July 2021 (30 comments)
Drop Table “Companies”;-- LTD - https://news.ycombinator.com/item?id=21534156 - Nov 2019 (7 comments)
Drop Table “Companies”;– LTD - https://news.ycombinator.com/item?id=20583540 - Aug 2019 (2 comments)
Drop Table Companies Ltd - https://news.ycombinator.com/item?id=17003588 - May 2018 (27 comments)
Drop Table Companies Ltd - https://news.ycombinator.com/item?id=13280494 - Dec 2016 (23 comments)
A company used to have an xss attack in its name. https://www.theregister.com/2020/10/30/companies_house_xss_s...
They changed it and you can only see the old name upon request
https://find-and-update.company-information.service.gov.uk/c...
They changed it and you can only see the old name upon request
https://find-and-update.company-information.service.gov.uk/c...
The old name was in this tweet:
https://x.com/zofrex/status/1319286955314614275
Looks like the XSS tried to load this script that has since been banned: https://mjt.xss.ht/
Edit: huh, looks like HN translate 𝕏 into xn--971h.com, but the link still works. So much for my dumb twitter link.
Looks like the XSS tried to load this script that has since been banned: https://mjt.xss.ht/
Edit: huh, looks like HN translate 𝕏 into xn--971h.com, but the link still works. So much for my dumb twitter link.
I believe that's called punycode, and it's a common way to encode Unicode as ASCII. It also means you can use emojis in your domain.
https://en.m.wikipedia.org/wiki/Punycode
https://xn--i-7iq.ws
https://en.m.wikipedia.org/wiki/Punycode
https://xn--i-7iq.ws
Yup! I was just surprised that HN translates unicode into punycode rather than letting the browser do it. I suppose it's an anti phishing system?
To stop this happening again, the Economic Crime and Corporate Transparency Bill (which hasn't finished going through Parliament yet) adds the following text to the Companies Act 2006:
> A company must not be registered under this Act by a name that, in the opinion of the Secretary of State, consists of or includes computer code.
> A company must not be registered under this Act by a name that, in the opinion of the Secretary of State, consists of or includes computer code.
I remember this - the companies house website actually wasn’t vulnerable to the attack. They removed it because someone else who downloaded and hosted the data might be.
Similarly-named Polish company: https://aplikacja.ceidg.gov.pl/ceidg/ceidg.public.ui/searchd...
Also relevant: https://www.theguardian.com/uk-news/2020/nov/06/companies-ho...
Also relevant: https://www.theguardian.com/uk-news/2020/nov/06/companies-ho...
I wonder what happened to it; maybe there's another company named "; UPDATE COMPANIES SET STATUS='DISSOLVED' WHERE ID=10542519;-- LTD"
There's a piece of software that's used by insurance companies for providing online quotes that (used to) contain some pretty egregious SQL injection vulns.
When this was discovered during the development of an integration, their solution wasn't to fix the disgusting spaghetti of SQL functions causing it, their recommendation was to use Javascript to remove any special characters from html inputs.
HEAD DESK
When this was discovered during the development of an integration, their solution wasn't to fix the disgusting spaghetti of SQL functions causing it, their recommendation was to use Javascript to remove any special characters from html inputs.
HEAD DESK
I believe in their culture this is called a “total mad lad move”
You're almost there. Just s/total/totes
Now I want to register a company named "Pure Big Mad Computer Man" (with apologies to Iain Banks).
From what I've seen, gov contractors don't really know what an SQL injection is, but they use frameworks so its all good. Bad thing is that some of these frameworks sanitise rather than escape data and the injection may slip through. I wouldn't be surprised if a system somewhere that reads this company name will just crash one day out of the blue.
I can assure you that as someone that has done a couple Gov-related public-sites, some developers do think about it, and use suitable tools to ensure there's no issues.
Before the last-and-stolen-passports site went live (that I spent most of 2014 getting live - not writing - but mostly trying to get deployed), we did have a conversation, and easily proved that people called Mr or Mrs Null and/or O'Brien would have no problems. That conversation was also somewhat prompted by the Dartford Crossing site that went live a little before us - which had 'some issues'.
Before the last-and-stolen-passports site went live (that I spent most of 2014 getting live - not writing - but mostly trying to get deployed), we did have a conversation, and easily proved that people called Mr or Mrs Null and/or O'Brien would have no problems. That conversation was also somewhat prompted by the Dartford Crossing site that went live a little before us - which had 'some issues'.
GDS are great - and at the time this company was registered they were even better, hence this doesn't cause any problems.
However that doesn't mean downstream users of the data treat data sources correctly
However that doesn't mean downstream users of the data treat data sources correctly
shouldn't it be:
ie. end the single quote first, so that searching by the text would be:
'; DROP TABLE "COMPANIES";--
?ie. end the single quote first, so that searching by the text would be:
SELECT * FROM "COMPANIES" WHERE "NAME" = ''; DROP TABLE "COMPANIES";--'From https://pizzey.me/posts/no-i-didnt-try-to-break-companies-ho...
The company name is a bit of hacker sleight-of-hand… or as some astute people have put it, it’s ‘wrong’. Of course it’s wrong - I’m not a /total/ arsehole. :[deleted]
As the blog post says, most SQL databases won't accept a name given in double quotes as the name of a table.
Unfortunately, the Companies House doesn't seem to allow a quote character at the beginning. Gotta terminate that string literal before you start injecting your own statements!
Side note: UK companies are really easy to find & view filings of.
Deserves praise especially considering how much of a black hole the UK can be for conniving businesspeople and so on
Deserves praise especially considering how much of a black hole the UK can be for conniving businesspeople and so on
I have a little bobby tables unit test in my framework and I was grinning the entire time I was writing it.
I know that does not solve the problem, but I find amazing that it is so hard to open a "read-only" connection to a sql database. At least in Sql Server we need to create a User with specific rights in order to do it, and even so it is not perfect.
https://find-and-update.company-information.service.gov.uk/c...
"Fuck Poverty Ltd.", but in Polish.
Over here we're surprised it's still up, after like two years, and no-one did anything.
"Fuck Poverty Ltd.", but in Polish.
Over here we're surprised it's still up, after like two years, and no-one did anything.
Appears on Linkedin [1] as well, albeit automatically generated
[1] https://www.linkedin.com/company/-drop-table-companies----lt...
[1] https://www.linkedin.com/company/-drop-table-companies----lt...
Now we know, Samuel Pizzey is Bobby Tables
I believe he's Bobby's brother... Sammy Tables.
That must be in the top five, possibly even top three of the coolest company names of all time.
Bobby Tables Incorporated
Of course the CEO is "little Bobby Tables"
I love this - great idea :-)
I love this - great idea :-)
Bobby Tables strikes again!
It would have been better if Bobby Tables was listed as an officer.
A missed opportunity, even, as you can trade under any name in Britain as long as it's not deceptive.
Bobby tables, COO
My heros
https://web.archive.org/web/20010223090106/http://cokeauctio...
This worked for a short time. Then my account disappeared with all my (very hard earned) credits in it. Then I received a letter from the MD of Coke UK telling me I was a very naughty boy.