I happen to work in this world, and it is much much worse than this.
CAP codes are white space sensitive, they often have leading whitespaces. So you need to store " PINGPONG", but if you store "PINGPONG" then you are going to be in a world of hurt.
Then each manufacturer has their own code (e.g. BMW has IVS, Stellantis has titre and so on).
Then there are mapping files between CAP and manufacturer specific code.
Then manufacturers often need to quickly react to new models being available so you get things like overrides, which is literally a string replace "OO" with "XX" and that makes it into an "electric diesel".
Then alongside CAP codes, you have other industry codes (e.g. Glasses, HPI).
And they _ALL_ need to interact with each other.
It sounds like a fun problem to solve, it isn't. You basically become a glorified data mangler.
In Australia we have a show called "Utopia" that does fill this gap reasonably well. Australian politics are close enough to the UK that it'd probably translate well enough to be enjoyable.
I've heard many government workers say that it's funny but they can't watch it, as it's so accurate it's depressing.
Well having worked for the government in an ancillary security role about 20 years ago on contract, I don't think they could produce a parody notably worse than reality to use as a contrast. Today, I suspect it is worse.
Hire an expert they said. From the pool of experts they had heard about through contacts in the civil service. None of whom have any industry or real world experience. At best, someone was on an industry eating and drinking with the right people panel. I was there for 3 months and crawled back to my previous job cap in hand, bruised and educated.
It was long enough ago that I can get away with rounding errors of months on my CV thank goodness...
It is worthy of note that most of the incidents in Yes, Minister were based on things that really happened. At some level it was more curation than invention.
Not really. I was a civil servant and gave advice on this.
Civil servants aren't there to say whether a policy is good, sensible, or a vote-winner. The CS policy profession is there, in part, to advise on risks. Ministers decide whether to accept those risks.
There were plenty of people (like me) who would have pointed out the various risks and problems. Some of which caused policy to change, and some were accepted.
I don't think I've ever seen in recent years the CS be blamed for something like this.
> I don't think anyone is going to be seriously fooled by this.
Do you think porn sites are more interested in a) correctly preventing unauthorized people from accessing their site, or b) selling as many subscriptions as they can while nominally complying with the law?
I’m not from the UK, so I’m not familiar with what their IDs are supposed to look like.
I was suspicious, though—the hands holding the ID cards looked kind of “crispy.” But at the same time, I thought, “woah, where did the website owner even get these photos?”
It wasn’t until I read the Hacker News post that I realized they were all AI-generated (and now cached).
And here’s the thing: I’m an engineer at Apple with decades of experience in the tech industry—I’m not exactly new to this stuff. If I got fooled even for a couple of seconds, imagine how easy it would be to trick someone who isn’t technical.
The text is slightly misaligned and weird-looking; it screams "AI". The hand holding the ID looks like CGI. And the photos don't look anything like the actual MP, at least for the ones that I tried.
There's also some obvious tells if you know what UK driving licenses look like: the layout is wrong, the background is too plain, and all the anti-forgery features are missing. Real licenses have much more detail: https://en.wikipedia.org/wiki/Driving_licence_in_the_United_...
I'd say they're obviously AI fakes, just trying a few: B249AL (it made her bald), SA487AB (different shape, hair color and hair), TN248DF (it grew his hair back), HA26ND (bald, again) and NG166QE (I don't even need to explain)...
That does not completely turn off the federated sign-in popup you see on the top right in various websites. The solution is actually already mentioned in the article.
Adding the other side; we use ja3/ja4 * for rate limiting and it works a treat, especially when we set our rate limits to much higher than normal traffic.
I've pushed back any attempts for any kind of tracking for business purposes (e.g. fancy charts).
* ja3 seems to be slightly better, ja4 sometimes groups too many "people".
I once got an email about the funeral arrangements for somebody's mother. I know this person very well, because he uses my email address for everything. I know what internet subscription he has. I know where he bought his e-bike. Where he goes on holiday. Etc.
And he's actually not the only person doing this! As far as I can tell, the only unusual thing about my Gmail is that it's relatively short and has no numbers. I suspect people just forget to add the digits at the end of their own address.
I have the opposite of this. My primary email address is hello@firstnameMIlastname.com. But there's another guy who has the same name, and doesn't include his middle initial in his domain. It doesn't appear that he uses hello@, so maybe he doesn't get my mail, but there have been many times where someone insists they've sent me something, only for me to find out they didn't include my middle initial and were sending stuff to him, despite the fact that I sent them my email correctly. Why didn't they just copy and paste?
I get a lot of random email for other people with the same first initial/last name as me. I had one specific person using my email for a lot of things.
I just canceled her membership in a bowling league, and when the league reached out to ask why, I told them I have no idea who <her name> is. I stopped getting email meant for her after that.
Ugh, I could've written this. I have my HN username at one of the old webmail providers. I log in there about once a year to keep the account live (because said provider re-issues unused accounts after a while). Each time, I see another person's info. My name isn't freakishly unusual, but neither is it John Smith.
I've used my personal experience in a design meeting where some newer PMs were IMO unreasonably sure that users wouldn't mistype their own email address. Oh, let me tell ya, they absolutely 100% do.
I have a similar thing, [firstname][number]@gmail.com and I get all sorts of crap. It's honestly mind-boggling how much.
It really makes you appreciate proper email address validation - all sorts of services let people sign up, don't validate and there's no good way to have your email address removed from their account...
I once got an email about the funeral arrangements for somebody's mother. I know this person very well, because he uses my email address for everything. I know what internet subscription he has. I know where he bought his e-bike. Where he goes on holiday. Etc.
I, too, have the full name email address and I, too, have received mail for others with the same name. I've long since stopped acting on any emails except for extraordinary situations. I don't understand why people react so negatively to news they've made a mistake as if it's my fault they're using the wrong address.
But, yeah, one of my namesakes has a boyfriend who still hasn't realized the photos of antiques and his penis aren't reaching my namesake. Another has a son attending a British school in Hong Kong who is somehow earning poor marks in Mathematics /and/ Physical Education. I'm worried for a third that still hasn't finished his required food safety and hygiene courses. I believe a fourth is an Irish landlord with an increasingly frustrated tenant - who appears to be emailing both my namesake and me every time. Recently, it's been issues with her kitchen sink plumbing.
"When one of them [played by George Clooney] inherits a derelict amusement park, which turns out to include an active marijuana field, hilarity ensues."
I have one like that. I have the email first.last@gmail.com, and I have a very uncommon last name. Lo and behold, Google let some dude in Australia who happens to share my name sign up with firstlast@gmail.com. According to the docs the two should be equivalent, so they shouldn't have let him sign up, but they did... and now I get his email all the time. I have gotten job offers, bills from medical offices, even one follow up email from his therapist. And lots and lots of ads, of course. I have tried to let people know (when it's a real person contacting me) to let this guy know about the email situation, but either they don't reach out to him or he doesn't care. At this point I just delete all the emails meant for him without reading them, and figure if he misses out on a job offer or something... I tried my best.
Still, bizarre that the situation was allowed to occur in the first place by Google. Clearly they need to beef up their account creation checks a bit.
> I have the email first.last@gmail.com, and I have a very uncommon last name. Lo and behold, Google let some dude in Australia who happens to share my name sign up with firstlast@gmail.com.
What evidence do you have that this happened, aside from the fact that you're receiving mail intended for him and sent to that address?
Unless you have something much stronger than that, chances are the other guy actually has firstlast2@gmail.com (or whatever) and frequently forgets to add the number.
If this story is true, this would appear to be a simple vector for hijacking email intended for other gmail users. Hard to understate the severity if true.
Have you tested whether you can receive email directed to firstlast@gmail.com? Perhaps theirs is really firstlastt@gmail.com and all their contacts "correct" it.
This feels like a bug that he snuck through early or during a temporary window, before Google started defaulting to . as an ignored alias. Maybe not ¯\_(ツ)_/¯
Have you ever tried just logging in as firstlast@gmail.com? If it works, with the usual password you use for first.last@gmail.com, it makes me think he has firstlastt@gmail.com or something similar and people sending him emails input it wrong, which causes them to send it to you. Maybe he also inputs it wrong sometimes when he is signing up for stuff.
Do you have proof? Really, firstlast@gmail.com is your account, even if you use first.last to sign in. People simply give out email addresses that don’t belong to them. Plain and simple. 100%, this is just some person giving out firstlast@gmail.com as their email addresses because it sounds good to them.
Do you have any proof that that separate address exists, with its own account, mailbox and such, and it is not just someone putting your email in the email field?
I have the same problem. There are about 5-7 active idiots using “firstlast@gmail.com” and I get them all.
Suspect their real email is something like “firstlast10” or “firstlest” (minor spelling variant). Not sure if they deliberately misspell their email or are just stupid.
For a while really thought account was compromised.
Slowly I realized they are just idiots and assholes. They don’t always pay bills, buy $100 T-shirts, own crappy vehicles, and seem to conduct business with people who don’t verify email either.
Even once got into an argument with an idiot persistently claiming he owned “firstlast.com” (as I replied to a thread using such from my email server. I’ve owned the domain for 20+ years). He was a certifiable idiot, also by trade…
I also get a lot of “mcafee subscription” PayPal scam mails. Also have seen a lot of spam real subscription accounts created using the same email but with wildly different names. Suspect it is fraudsters testing credit cards.
The sheer number of big name companies that don’t validate emails surprises me…
If they're giving their e-mail address to other people, it's possible that those other people are hearing "lest" and respelling it as "last". So it's not the person that shares a name with you that's stupid, but the people they deal with.
I had someone send me their entire credit report. Luckily I am not a scammer and I deleted it for them. They sent me an Amazon gift card to thank me for not stealing their PII.
I get DoorDash order notifications, Uber notifications, etc
I am not sure how they signed up with my email as I never got a sign up notification
Part of this also is because email / gmail is not case sensitive Jsmith@gmail.com is the same as jsmith@gmail.com. I see a lot of Jsmith vs jsmith (like how I actually use my email).
Nothing is getting stolen from me but not sure how this is actually working for people.
>email / gmail is not case sensitive Jsmith@gmail.com is the same as jsmith@gmail.com
gmail is not case sensitive. email systems are allowed to be case sensitive, most choose not to be. This used to be an issue to deal with when pre-internet legacy email addresses (like Lotus Notes corporate email, or Outlook/Exchange systems) were put onto the internet.
Oh so much fun with my yearly quiz testing students about case-sensitivity! They're always wrong because things are so horribly broken.
It is absolutely foolish, assuming case _may_ not matter in the Internet. Case does not matter, true, except it does.
One of my favourite parts: URL paths are case-sensitive, except most servers do not care (because of a case-insensitive filesystem), and they're not always case-sensitive, e.g. for the mailto-scheme the path is case-insensitive, because the path is actually an e-mail address (which is itself case-insensitive).
I have firstnamelastname@gmail.com and it surprises me how many other people have my same name. I get so much unintended mail, usually to firstname.lastname at gmail. I have found that in a lot of cases they have forgotten a middle initial. I usually let it go as spam unless it looks important like a credit card. What frustrates me is that these companies will not interface with me at all, sometimes not even leaving a note on the account.
I understand from the security side why they won't, but I wish there was something they could do. I could easily log in and change a password then cancel the account, but I figure there's probably some legal trouble if I did that.
I get credit card stuff and credit report stuff from bozos with similar names to me. I used to try to inform them, they won't let me. The worst are Experian, who won't let me interact with them at all, because I can't prove I'm the person or people who've been mistakenly using my email address.
My stock reply to this used to be that you can send emails from anyone - who the email is sent from is not authenticated.
It's a little less true now with some of the newer protections, but only today I received a fairly subtle spam/scam supposedly from the main email address of a major retailer, so I think it's still sensible to never ever trust the "From:" part of an email.
Sure, but they could just send a link back to the same address with a form to fill out the complaint, or even just a phone number saying "call this number to speak to customer service about the issue you're having". From a technical standpoint, it's not hard at all to invert things to use the address as a recipient in a way that confirms that someone is able to access the email sent to it. A company like Experian that claims to have info on literally a billion people would be silly not to recognize that their scale is going to occasionally end up with mistaken contact info, so if they cared at all about the quality of their data, they would have some sort of system established to handle this.
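The flow described in the comment above, where the service mails a link to the address so that only someone who can read that mailbox can act on it, sketched as an added example (not part of the thread or any company's code). The key, the token layout, the 24-hour lifetime and the `Accounts` class are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET_KEY = b"constructed-demo-key"  # constructed sample; load from a secret store
TOKEN_TTL = 24 * 3600                 # assumed link lifetime in seconds


def b64e(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(purpose, account_id, email, now=None):
    """Sign (purpose, account, exact address as typed, issue time)."""
    issued = int(time.time() if now is None else now)
    body = json.dumps({"p": purpose, "a": account_id, "e": email, "t": issued},
                      sort_keys=True).encode()
    sig = hmac.new(SECRET_KEY, body, hashlib.sha256).digest()
    return b64e(body) + "." + b64e(sig)


def verify_token(token, purpose, now=None):
    """Return the signed claims, or None if forged, expired or wrong purpose."""
    try:
        body_part, sig_part = token.split(".")
        body, sig = b64d(body_part), b64d(sig_part)
    except ValueError:
        return None
    expected = hmac.new(SECRET_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(body)  # parsed only after the signature checked out
    current = time.time() if now is None else now
    if claims["p"] != purpose or current - claims["t"] > TOKEN_TTL:
        return None
    return claims


class Accounts:
    """In-memory stand-in for a user table and a mail transport."""

    def __init__(self):
        self.rows = {}    # account_id -> {"email": str or None, "verified": bool}
        self.outbox = []  # (recipient, confirm_token, disown_token)

    def register(self, account_id, email, now=None):
        # The address is stored but unverified: nothing except this one
        # message goes to it until the mailbox owner clicks "confirm".
        self.rows[account_id] = {"email": email, "verified": False}
        confirm = issue_token("confirm", account_id, email, now)
        disown = issue_token("disown", account_id, email, now)
        self.outbox.append((email, confirm, disown))
        return confirm, disown

    def _row_for(self, token, purpose, now):
        claims = verify_token(token, purpose, now)
        row = self.rows.get(claims["a"]) if claims else None
        # The token must still match the address on file for that account.
        return row if row and row["email"] == claims["e"] else None

    def confirm(self, token, now=None):
        row = self._row_for(token, "confirm", now)
        if row is None:
            return False
        row["verified"] = True
        return True

    def disown(self, token, now=None):
        """'This is not my account' link: detach the address, no login needed."""
        row = self._row_for(token, "disown", now)
        if row is None:
            return False
        row["email"], row["verified"] = None, False
        return True

    def may_send(self, account_id):
        row = self.rows.get(account_id)
        return bool(row and row["verified"])
```

The disown link gives the real mailbox owner a way to remove the address without having to prove they are the account holder, which is the dead end several commenters describe.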
Is this something you come across often? I always give the canonical spelling of my email, dots included, and can't remember a time when it wasn't accepted.
Everyone I know that made an email on the major free providers using just a common surname (and maybe initial) in some language are getting other people's communications.
It's like regular people don't use email unless forced to and forget what it is when giving it out...
Yep, same here. I've closed accounts folks opened with my email address, sent replies to humans confused why I haven't shown up to an appointment, etc. I just can't stop the flow of emails from these folks using my email address for seemingly legitimate business.
Google doesn't offer anything in the way of migration or consolidation of various email-linked data (e.g., store purchases) so I just let mail accumulate and delete everything manually once every few months.
My HN username is also my gmail. I've got most of the stuff you mentioned, including unencrypted copies of US tax returns (with SSN) and house buying paperwork.
> I used to reach out and tell them I didn't sign up for their service. But honestly, after doing it for a few years I gave up.
Same here. It's surprising that most of the services don't use double-opt in before sending emails.
Some day, I want to use an LLM to identify those emails and label them.
This happens to me too - mostly from people in South America: I get their phone bills, receipts, etc... And now the knock on effect of spam is crushing my inbox. I know it's spam related to these emails because it's all in Spanish. I am thinking of abandoning my gmail to something new.
Haha. Do you have a similar character for Japanese? Some douche bag added my GitHub email address into some Japanese spam farm a few weeks ago. I am now flooded with Japanese spam. I don't read or speak a word of Japanese.
Wow, the first one 'は' seems really good. Out of 279 messages in my Spam folder, 216 messages matched that character, missing only 24 additional Japanese spam. (That means 240/279, or 86% of my spam is Japanese, god damn it).
The second one 'す' matched only 10 Japanese spam messages.
You could also try the particle for belonging の which is a bit like " 's " in English. Should appear in hiragana (as a standalone syllable) frequently since it is a particle much like the first one they suggested (ha for the theme of a sentence). The second one (su) tends to be at the end of maybe half the verbs, might be why it's less likely.
Another one which might match is Japanese punctuation, such as the comma 、 and the period 。
Nice! The 'の' (237 matches) is even better than 'は' (216 matches). The 'の' matches every Japanese spam in my Spam folder.
I was not able to use comma 、 and the period 。 because I think FastMail disables searches on common punctuations, so those matched nothing.
(In case people are wondering, I sometimes scan through my Spam folder to check for false positives, i.e. things which were incorrectly marked as spam. It's difficult to do that when it is flooded with Japanese spam.)
This is me. I was one of first batches of gmail users when it went public. I have a common name. It’s wild that people will just use my email because they forget their own email address.
I'm in the same boat. I assume people do it because some website is demanding an email address and they don't want to give one, so they give the "default" one.
I always assumed that the "default" email addresses get flooded with spam nowadays. I can't imagine the email address lee@gmail.com or similar to be usable by now
I haven't gotten any that I know of for years, but when my school initially created email forwarding, it let you choose anything--so I just used my first name which is common but not that common. (To this day if I'm in a meeting with someone who shares it, we regularly get confused when someone else asks something that I have no idea about.) I got all sorts of board meeting minutes and other emails from people who assumed I was that first name early-on.
I get quite a few misaddressed e-mails to my gmail address as well. Everything from residential solar install invoices through a facebook account that someone continues to try to recover every couple months for years now I cannot delink (and thus cannot sign up for a Facebook account if I even wanted to with my primary e-mail address short of taking over that existing account in the wrong full name).
The best one so far is I've been on a group e-mail chain from some folks in France (I'm in the US) who organize a skiing trip each year to the Alps. I initially sent a couple "I am not the Phil you are looking for!" e-mails, but they continue to re-add me. I have thought about one day just showing up since I've been "invited" and have all the details for booking and just seeing what hilarity ensues.
This seems incredibly rampant on gmail.
On the one hand I signed up early enough to have <common non-english surname><first initial>@gmail.com
Unfortunately people in countries of my parents native language seem to think my email address is theirs, and I get EVERYTHING. Vacation photos, medical records, car service reminders, the whole lot.
What's interesting is that none of the spam filters seem to have a "I'm a dumb American, I cannot read this language, therefore anything in this language should be spam" rule.
Same for me... I have a relatively obscure last name, but that's my Gmail address. I receive numerous random emails intended for other individuals with a similar name.
I've owned the domain name richardson.co.nz for some 25 years now and since then someone started a Richardson's realestate and registered richardsons.co.nz (note the additional "s").
I left the catch-all on my domains email going for a year or two before I had to disable it. The sheer amount of house blueprints, sensitive information about transfers etc was overwhelming.
I have a reasonably common name. I am in Bay Area, and have received mail meant for people in Fresno or Bakersfield, someone in Toronto, someone in Australia, and I think someone in a London suburb. There are drug test results, online orders, legal discussions, store receipts and hotel bookings. I even connected with 2-3 folks with my name - don't recall how I figured their other email. It was quite common for a while, but then I haven't seen anything like this for 2-3 years. When I say common, I mean once every 6-8 months and I guess I have had that email for 15 years or so. Maybe my universe of overlap was finite and all those people have figured out how to type their email now :)
That email is my first name dot last name but at one point I had been able to secure both first name at email provider dot com and last name at email provider dot com which somehow I abandoned. I wonder what level of erroneous emails I would have received at them.
I was an early Gmail adopter and have a common ethnic first initial last name. People mess up their email all of the time and I get insane stuff.
One lady, a general manager of a factory, sent a zip file with her VPN client, a list of backup MFA codes and a list of SCADA and IT systems for a large factory.
A police detective sent a video from a paratransit bus that was in an accident. I got a bitcoin years ago. One dude had a hobby of test driving luxury cars from almost every dealer in the Washington DC region. I have a $50 gift card for an Australian electronics store.
I have first initial last name @gmail.com and it is a VERY common English language last name. This phenomenon got so bad I just abandoned that address and account. At some point you can't keep up with it, and marking legit email as spam has consequences of now MY email is getting marked as spam
My first name is "Save" in Spanish and Portuguese, and apparently people think they are saving documents when they send them to that gmail address. I have received medical records, employment documents, so many photos, insurance information, you name it.
I have an extremely common first and last name and my email address is first.last@gmail.
I get my fair share of misaddressed mail but it doesn’t help that I share the same name as the CEO of a major hotel chain’s timeshare business so I’ve been getting tons of complaints about that :/
Your email address is actually firstlast@gmail.com.
GMail doesn't care about dots, so you could say your email address is f.i.r.s.t.l.a.s.t@gmail.com for all the good it does. Using the dot probably does more harm, as it makes people think it's a legit differentiator.
I recently logged into one of my email addresses that I hadn't used in years and discovered quite a few people had used it as their address for multiple things (of course they didn't have access to it so everything was unread). Lots of services do not really bother to validate the email address (there were e.g. Facebook, Instagram & TikTok emails).
One bigger item was that people were sending details regarding an estate & inheritance. This included an attorney office in Finland (to be clear, I'm also originally from Finland). After finding out I sent email to their DPO as this likely qualifies as GDPR security incident as the emails contained things like names, SSNs, addresses & of course details regarding how inheritance was split. I never got an answer so I reported it to Finnish DPA. I got reply from them pretty quickly that they contacted the DPO and that DPO will be in contact with me soon & the case is closed from DPA side. This was 4 months ago, I'm yet to be contacted by them.
Mine is {{random-initial}}{{random-initial}}{{uncommon-French-Canadian-surname}}@gmail.com, and I still get lots of wrong peoples' email messages. I've emailed more than one company to let them know they just violated HIPAA, and that they should really send a verification email first.
Also, when Venmo was new, and they were playing extra fast and loose, they set me up with someone else's bank account, so I just closed the Venmo account and used PayPal instead, which was a different company at the time.
I share a name with a retired professional sportsperson. Alas for them, I hold the naturally occurring gmail account, having registered it two decades ago. Whilst they were active this account received regular sponsorship offers from unsuspecting apparel manufacturers, equipment makers etc etc, and it was always my pleasure to string these along as long as possible until someone twigged
I have {{popular job title in tech}}@gmail.com , and let me tell you.... yikes. Actually it's not that bad, I just tweak my enormous blacklist keyword filter once a month or so. For some reason, 99% of the junk is from India, which makes filtering easier. But brother you should see my "misdelivered crap" folder.
The problem is if you are also a user of these services you can't mark as junk because you'll stop getting paypal, bank, airline, car rental emails, etc.
I have the same issue. My gmail is {{my last name}}@gmail.com Just my last name. It's not that common, but there are about 500 people with it according to US Census data.
Yeah love Hurl, we started using it back in 2023-09.
We had a test suite using Runscope, I hated that changes weren't version controlled. Took a little grunt work and I converted them in Hurl (where were you AI?) and got rid of Runscope.
Now we can see who made what change when and why. It's great.