Techdirt. Stories filed under "urls"

UK Parking Enforcement Contractor Leaves Sensitive Driver Data Exposed; Compounds Embarrassment By Issuing Bogus Legal Threats

Tim Cushing — Wed, 10 Apr 2013 03:38:56 PDT

Another day, another self-inflicted privacy breach. This time it's a UK private parking enforcement contractor that's leaving its supposedly-secret stuff right out in the open.

UK Parking Control (UKPC) is accused of revealing photographs of Brits' cars parked with number plates clearly to be read and in some cases the location revealed. In some images it's alleged that other details such as identification cards, shopping or belongings are clearly visible. Campaigners against private parking firms believe these images - allegedly made easily accessible to anyone on the UKPC website - exposed drivers' personal information.

When UKPC tickets a car, its enforcers take photos of the vehicle (and, apparently, inside the vehicle, among other places), which are uploaded to UKPC's site. The ticket itself has a printed URL pointing to the damning photos of the illegally parked vehicle. It's a slick system, but its "security" is easily thwarted by a process AT&T might find strangely familiar.

[O[ne ticket recipient claimed to have found that by tweaking values in this web address, he could access thousands of other digital photographs of other people's vehicles... Some shots show personal items on view inside the vehicles, such as an ID card placed next to a disabled-driver badge.

As you may recall, tweaking URLs allowed "Weev" to access the email addresses of hundreds of iPad users (and landed him in jail). The same lack of basic security is on display here. Changing a few values in the URL results in access to photos you were never meant to see.

A blog called Nutsville, which has been a longtime critic of the UK's private parking enforcement, posted several photos obtained from UKPC's website. Among the expected photos of vehicles (with visible license plates) are other oddities, including shots of the lower extremities of parking enforcement employees relaxing at home, several photos of vehicle interiors and most disturbingly, crystal clear photos of drivers' identification cards.

After the Register reported this story, the UK Information Commissioner's office pledged to investigate the leak. UKPC hasn't publicly responded to the breach, but it did send its lawyers after Nutsville in the form of a bizarre Letter Before Action that mixes and matches criminal and civil actions and seems unable to decide on when exactly Nutsville should respond/comply. Nutsville's response to the letter is well worth reading, punching holes in its paper-thin claims and generally deriding the ineptitude of the correspondence.

The letter claims Nutsville has breached the Computer Misuse Act, claiming these photos were acquired by "using a password, without authorisation, to access their website." Nutsville points out this is completely false. The only thing accessed were various URLs on UKPC's site by manipulating values in the URL themselves. From that point on, UKPC's legal representative goes completely off the rails, threatening to inform the police (a criminal matter) of Nutsville's actions. Mere sentences later, the lawyer threatens "injunctive High Court proceedings," suddenly making it a civil matter. On top of that, UKPC's rep demands Nutsville take down the blog post by 10 AM on April 2nd, only to wrap up the bungled legalese by requesting a reply by no later than April 8th.

As both deadlines have come and gone with no follow-up post from Nutsville (or response from UKPC), it would appear that the parking enforcement contractor has either given up on pursuing these bogus legal claims or is tied up attempting to clean up its own backyard ahead of the pending investigation.

The most disappointing aspect of this story is UKPC's response. Disappointing, but far from unexpected. For many businesses, the most common reaction to being informed of a data breach is to shoot the messenger. Rather than issue an apology and fix the problem, they tend to fire off legal threats about "unauthorized access" or other vague hacking claims as if the end user making the discovery should be treated as a criminal for their own negligence.

Permalink | Comments | Email This Story

Anti-Medical Marijuana Committee Fails To Register Published URL, Hilarity Ensues

Tim Cushing — Tue, 18 Sep 2012 14:57:00 PDT

Time for a pop quiz: get out your no. 2 iPads and see if you can figure out which steps in this process are out of order.

It's election season, a time when man's (and more recently, woman's) thoughts turn towards shutting off the TV, radio and phone until mid-November. But! Things must be voted on, including such controversial issues as legalizing medical marijuana and authorizing dispensaries. As an opponent of weed-based medicines, you vow to fight this with every ounce/gram of your being. You set your plan in action.

1. Pick a name for your committee. ("No on Question 3")
2. Pick out a suitable URL ("votenoonquestion3.org")
3. Get your committee and its pertinent information added to the official voters' guide (both print and online.)
4. Register URL.
5. Become aghast.

Can anyone point out where Vote No on Question 3 went wrong? Here are some visual aids, taken from votenoonquestion3.org:

You see, the internet is like magic. And like most magic, it can be used for entertainment purposes. All the do-gooding in the world doesn't amount to much if you forget to register your URL. While you're busy enjoying that "new ink" smell of freshly printed Voter's Guides, someone quicker on the draw is undermining your "marijuana is bad" ~~propaganda~~ ~~proselytizing~~ information with hilariously over-the-top headlines.

The good news is that the online voters' guide sports the corrected URL: mavotenoonquestion3.com

The bad news is that the paper version will carry the old URL permanently. Of course, very few people are willing to type in a URL by hand, but as news of this blunder spreads, the fake site with the real URL will be receiving much more attention, voters' guide correction or no.

Here's the official reaction from No on Question 3 spokesman, Kevin Sabet:

"It's funny and upsetting, I guess, at the same time."

Yeah. Largely the first part. And to think, the committee can't even blame a late afternoon smokeout for the mental slip.

This statement, however, seems both more on point and more disingenuous:

The group sent out a press release saying proponents of medical marijuana were tampering with the democratic process through “underhanded efforts.”

Sabet admits the committee made a mistake and yet, the press release attempts to paint No on Question 3 as the victim of villainous pot smokers rather than treating it like the self-inflicted wound it is.

Oh, and here's more bad news for the "No" side:

The Globe notes that the No on Question 3 campaign has managed to collect all of $600 so far, compared to the $1 million or so that supporters of the initiative have received from Peter Lewis, a longtime patron of drug policy reform.

Maybe it's time to admit your fears of a weed-loaded America are overblown, especially when you've just been outmaneuvered (and outspent) by a bunch of stoners.

Permalink | Comments | Email This Story

Israeli Claims Patent Over Adding .com To The End Of The Address Bar

Mike Masnick — Wed, 9 Sep 2009 09:09:00 PDT

TechCrunch points us to a story about an Israeli company by the name of Netex who is claiming a patent over "www.addressing." What's that? Well, apparently it's the process of simply adding a ".com" to the end of a word you put in a browser address bar. There are all sorts of questions raised by this, and the reporting at the Israeli site Ynetnews leaves a lot to be desired. First, neither Ynetnews nor TechCrunch point to the actual patent. I've been searching on both the supposed inventor's name (Aviv Refuah) and his company's name and I can't find it. If anyone out there can find the actual patent, please post a link in the comments.

The next problem with the article is the claim that this patent is "worth millions" and that Google, Microsoft and Yahoo "will have to pay royalties." It remains to be seen if that's true (and given what's stated, it seems quite doubtful).

Next problem? The article claims that this patent is about the address bar in the browser -- not a search engine box -- though, the reporter doesn't seem to understand the difference between the two. Admittedly, Google now offers a browser in Chrome, but the article keeps referring to the patent as a "search option." Yahoo doesn't offer a browser.

Then there's the issue of claiming that Google and Yahoo "use" this technology:

Refuah says various internet giants such as Google, Microsoft, and Yahoo have been using the program for years, and now they will have to pay royalties to Netex.

That implies -- falsely -- that Google, Microsoft and Yahoo have somehow been using some technology that they got from Netex. It's a common trick used in reporting about patents, but its highly misleading. Much, much, much more likely is that Google, Microsoft and Yahoo simply added a useful and obvious feature, that Netex is now showing up and claiming ownership years later.

Finally, it's tough to say much about the actual patent claims in question -- seeing as we haven't seen them -- but from the Ynetnews description, it's difficult to see how such a thing could possibly be considered patentable (and one would think that Netscape would have some prior art, though I can't remember exactly when Netscape added the ability to add .com to the end of something put in the browser bar). But, honestly, can anyone with a straight face explain why such a thing should be patentable?

Permalink | Comments | Email This Story