>Banks, trade vendors, etc, tend to reject accounts with names like this.
Do they?
https://www.flickr.com/photos/nzphoto/6038112443/
Peter.
Some years ago I sent a cert request to a public CA's test server that
contained, among other things, the following:
static const CERT_DATA certReqData[] = {
    /* Identification information */
    { CRYPT_CERTINFO_COUNTRYNAME, IS_STRING, 0, TEXT( "US" ) },
    { CRYPT_CERTINFO_ORGANIZATIONNAME, IS_STRING, 0, TEXT( "Dave's Wetaburgers" ) },
    { CRYPT_CERTINFO_ORGANIZATIONALUNITNAME, IS_STRING, 0, TEXT( "SSL Certificates" ) },
    { CRYPT_CERTINFO_COMMONNAME, IS_STRING, 0, TEXT( "Robert';DROP TABLE certificates;--" ) },
(it's part of the standard self-test data that I use for my own code, used to
be a different SQLI string but I changed it to Bobby Tables as an homage to
XKCD).
Their test server went offline for several days.
I was nice enough not to submit the request to their production systems.
Peter.
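For readers who want to see why a subject field like that common name matters to a backend, here is an added example (not part of the original post, and not a description of the CA's actual system) that runs the same string through a concatenated query and through a bound parameter. The table schema, the function names and the use of sqlite3's executescript() to model a driver that accepts several statements per call are all assumptions.

```python
import sqlite3

# The CN from the post's self-test data, treated as untrusted CSR input.
CN = "Robert';DROP TABLE certificates;--"

def new_db():
    # Hypothetical CA backend table; the schema is an assumption.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE certificates (id INTEGER PRIMARY KEY, cn TEXT)")
    conn.execute("INSERT INTO certificates (cn) VALUES ('existing.example')")
    conn.commit()
    return conn

def table_exists(conn):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name='certificates'"
    ).fetchone()
    return row is not None

def lookup_concatenated(conn, cn):
    # Weak form: the CN is pasted into the SQL text. executescript() stands in
    # for a driver that accepts several statements in one call (assumption).
    conn.executescript("SELECT id FROM certificates WHERE cn = '" + cn + "'")

def store_parameterized(conn, cn):
    # Hardened form: the CN is bound as data and never parsed as SQL.
    dup = conn.execute("SELECT id FROM certificates WHERE cn = ?", (cn,)).fetchone()
    if dup is None:
        conn.execute("INSERT INTO certificates (cn) VALUES (?)", (cn,))
        conn.commit()
    return conn.execute("SELECT cn FROM certificates ORDER BY id").fetchall()

def demo():
    weak = new_db()
    lookup_concatenated(weak, CN)
    safe = new_db()
    rows = store_parameterized(safe, CN)
    return table_exists(weak), table_exists(safe), rows

if __name__ == "__main__":
    print(demo())
```

With the bound parameter the name is stored byte for byte, apostrophe and all, which is also what lets a legitimate subject such as "Dave's Wetaburgers" through without special handling.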
>I wonder if you've ever annoyed a taxing authority? They have far less humor
>than one might imagine.
I used to have the account name administrator@<tax authority>, after trying
various SQLI@<tax authority> names and being somewhat disappointed that no
fireworks ensued. They were rather amused, and probably a bit proud of the
fact that no fireworks ensued.
Peter.
From: Wayne Thayer via dev-security-policy Sent: Thursday, May 31, 2018 5:39 PM
I haven't gone through the full process of opening an account since I didn't
want to actually open a real account, but got most of the way through with
Bobby Tables, so it seems possible here. The account name is pretty much
irrelevant, all that matters is the account number. Then on making a payment
you get texted the details of the transaction (to/from/amount/etc) and asked
to approve it. The name never crops up.
In terms of tax filing it's the same, what matters is your taxpayer number,
not whether you want to file your return as Mister Mxyzptlk.
Peter.