The meme says “IRS”, so it’s obviously intended to refer to America.
But outside of that context, they’d fucking deserve it for their shitty dark pattern UX trying to export American tipping culture into the civilised world. If people want to tip, they can do it using cash (so the money actually goes to the person you intended it to!). Or at most, there could be a little “tip” button in the corner somewhere that then takes you to a page like this. It shouldn’t be shoved in our faces like this.
Live in a country where tipping is practically unheard of. Lately pay terminals have started appearing in restaurants that have asking for tip enabled by default, and restaurants often don’t know how to disable it.
Well, at least there are some safeguards. I was handed the terminal so I put in my PIN code, not realising it was actually asking for a tip. I was pretty confused when it said “value too high” or something like that.
Taalen’s PIN > 0001 confirmed.
restaurants often don’t know how to disable it.
The owners know how. They also know that by leaving it there they make extra money on top of sales. They also know that the person getting berated for having it there is the worker who can’t change it.
I was the SME over POS terminals in a past job.
Owners are often the biggest morons at the location.
Before that, I used the same basic software package at Subway because the owner couldn’t be bothered, and the manager, great lady, was not technically apt.
I, an American, was ashamed when I had to ask that a tip be removed from my bill at a restaurant in Camden.
CAMDEN WAS SUPPOSED TO BE WOKE AND Y’ALL FUCKING DOG OVER HERE
Pay your damn staff a good wage
Camden in Sydney? That’s appalling. It’s bad enough to be presented with a screen like in the OP. Needing to actually speak to a person to not have a tip added sounds probably illegal.
Camden Town in London actually; historically counterculture, but punk is dead at The Cheese Bar.
Ah right, cheers. Tbh my first guess was that it might be a place in Britain, but I didn’t know so I Googled it and all the results were about Sydney (including one from brittanica.com…).
Well, we did almost end up in Canberra at one point, but as luck would have it the wife’s boss didn’t support the transfer. It’s no Sydney, but anything would have been better than staying stateside. I don’t really miss it, and all my friends say it’s worse now 🙂
its worse now
Your friends are correct.
Sorry about that. I wish everyone with the sense to leave had the option.
Yes, if it had been in Australia. Report it when you see it.
In most places even if you tip cash they are supposed to keep that for the tip pool and it is split. Often among the cook staff and other people at the restaurant.
Who carries cash, though?
Germans.
Farmers. Farmers’ mums.
Am farmer, can confirm. I also have my chequebook with me… Non-farmers, when was the last time you wrote a cheque, aside from rent? I feel like we’re the only ones still using them.
Australian here. Last time I wrote a cheque, Michael Jackson was still black.
Yarp.
I do.
Me too.
Same.
People buying drugs
Bartenders and servers
People named Johny for one.
People who live in safer countries than the US.
Americunts shit on you when you tell them tipping culture is bad. Like, here in my third world country, where we all earn a misery compared to the minimum wage in burger land, we can say no to tips or just give a few cents or some more…fuck this. Food is already expensive. I am not going to waste extra cash for my food.
Who the fuck defends tipping culture, you’re just making shit up to justify your hatred of an entire country
I’ve seen plenty of wait staff show up to defend tipping in Reddit threads. They’d rather shame customers than demand fair wages from their employers. Or maybe they were all just bots.
I think those people tend to make a lot of money off tips. There have been times I could get way more than you’d get from any paycheck a restaurant would ever be willing to pay, even with the laws changed for that sector, for “less” work. Depending on the place you work at you could have $300+ a night cash Friday-Sunday and that’s me going back to what I remember from 12 years ago so who knows what they’re able to get now.
I don’t even make $900 a week now in a psudo-managment position in a factory. Not that the $900 is consistent there for those in food service, I just think that’s one reason people would be openly resistant to the idea of changing how tipping works.
Plenty. I have had people tell me I am inhumane for criticising tipping culture, and if I point out it is related to the extreme class system and slavery history of America they downvote me to hell and try to justify that it is “land of tha free” or whatever.
They don’t even have freedom from hunger or illness in their messed up country.
And tipping culture has creeped in both magnitude (i.e. 15% used to be standard, but now it’s the low end) and scope (e.g. tips prompts at fucking fast food places)
Well capitists, the rich, government, industry, ect… Oh yea don’t forget the capitalist boot lickers.
I’ve seen a lot of people, including servers and diners, defending tipping culture.
Sadly.
I’m on the side of tipping while in a tipping culture, but only because of the crap way servers are payed and they’re the only ones hurt by protesting through refusing to tip. Otherwise, it’s a practice that needs to die.
Little Bobby Tables says hi.
Hi!
You’re not so little anymore!
Oh no! He’s arrived
Whaaaaaaaat!?!?
the adjectives on the tip options are so weird lol What a shitty system to even exist
I want to know what it says under 30%.
“Best Service Ever!”
bazinga
I think it’s “Best Service Ever”.
The picture on this page seems to have the same screen minus the red box.
Thank you, my curiosity is now fully satisfied!
“I’m drunk”
“Scammed”
One day someone will use the SQL injection to execute code on the remote server to add message to the web site that tells the workers to unionise and demand actually fair wages and put an end to the whole tipping nonsense
Please write this code and I’ll do it
tomorrowwhen stuff opens today.
Jokes on you. Restaurant owner too rich, behavior is within normal range for IRS AI.
Though the AI is interested on how your bank account is higher than it’s supposed to be.
Joke’s* on you
(Short for “The joke is on you”.)
No, jokes. It’s plural because there are many jokes on you.
Thank’s.
Too complicated. Just enter a negative number.
No negative sign on the keyboard. But you can enter 2147483647
Risky gamble there
I’d love to know what this would actually do.
Edit: Thanks for the responses and lively discussion!!
Assuming the accounting system this thing links with both does not protect from SQL injection attacks (many don’t, despite it being easy to protect against) and also has a table named “Bills” with a field named “amount”; what this would do is go through every single Bills record and half the value in the amount field. This would completely fuck the system, particularly when it came to billing and tax filing as the numbers for accounts billing and receivable wouldn’t even come close to matching each other. The accounting department would have a hell of a time fixing the damage.
Need to throw a rand() in there to make it less easy to unfuck
In the amount/2 term?
Yup. Rand() chooses a random float value for each entry. By default I believe it’s anywhere between 0 and 1. So it may divide the first bill by .76, then the second by .23, then the third by 0.63, etc… So you’d end up with a completely garbage database because you can’t even undo it by multiplying all of the numbers by a set value.
Satan?
Also, by dividing by a number between 0 and 1, you increase the amount it looks like it billed. So income will look like it’s higher than outgoing funds, which will raise suspicions of embezzlement. And if someone actually is embezzling, whatever accounting tricks they’ve been using to hide it might just stop working because everything might need to be examined with a fine tooth comb. “Oh, the billing numbers aren’t right, and also it turns out the invoice numbers aren’t right either. Billing issue was tracked to a hack, but what’s going on with these invoices?”
if you’re trying to be malicious, wouldn’t it be better to multiply by
Rand()
instead of divide byRand()
?assuming there are a decent number of recorded sales, you’d end up seeing many of the calls to
Rand()
returning values very close to0
. so, if you’re dividing by those values, you’d end see lots of sales records reporting values in the thousands, millions, or even billions of dollars. i feel like that screams “software bug” more than anything. on the other hand, seeing lots of values multiplied by values close to 0 would certainly look weird, but it wouldn’t be as immediately suspicious.(of course a better thing would just be to use
Rand()
on a range other than[
) ]
Couldn’t they just *2 all the bills from before this was ran and straighten it out?
I imagine they could if they knew exactly what you did and when, but if it doesn’t get discovered until later and nobody knows what happened, it would probably be a bitch to figure out
It seems like it would be fairly easy to find. All you need to do is find out where the price drops massively, and work backwards from there, since it doesn’t change the code going forward.
Pretty sure it would be obvious to anyone working there that chicken tenders are $10 not $5. Even a quick glance at any single bill would show the issue.
No it would change the value of all past bills, future bills would still be correct.
And anyone who looks at a past bill would see half price tenders.
No. The bill given to the customer would still show the correct amount.
And if anyone looked at previous bills from the backend, they would see normally priced chicken tenders. The total for the bill would be wrong though.
does not protect from SQL injection attacks (many don’t, despite it being easy to protect against)
Every modern database library automatically protects against SQL injection, usually by using prepared statements (where the query with placeholders, and the placeholder values, are sent as two separate things). so a system would have to be written extremely poorly to be vulnerable to it.
This post is just a joke as developers should hopefully be aware of the OWASP top 10 security vulnerabilities.
Edit: Bad developers will do bad things, but any reasonable developer should be well aware of these risks.
Well no. If the programmer uses prepared statements, they are protected. If they use a prepared statement but actually just put their own unsanitized statement in there and execute it, it’s not protected.
Now, I’d like to say it is 2024 and everyone should be using AT LEAST prepared statements for security. I’ve seen people doing some scary things in my time, and that includes quite recently.
Bad developers will do bad things, but most DB framework documentation points people towards the right way to do things, which is why I said it’s not common any more.
Bad developers are common though. And good documentation won’t stop a bad developer from doing a bad thing.
I agree that SQLi isn’t as common as it once was, but it still very much exists.
Oh sweet summer child.
First, injection attacks are third on the owasp list, although they do roll xss into it too, which changed the name, since “shit sanitization on input” and “shit escaping before use” are the cause of both.
https://owasp.org/Top10/A03_2021-Injection/Secondly, SQL injection is freakishly common and easy. I don’t know of any database libraries that prevent you from directly executing an SQL literal, they just encourage parameterized statements.
I have personally run into plenty of systems where people build SQL via string concatenation because for whatever reason they can’t use an orm or “proper” SQL generator.
You can find them in the wild fairly often by just tossing
' or 1=1;--
into fields in forms. If it gets mad in a way that doesn’t make sense or suddenly takes forever, you win!Don’t do that though, because it’s illegal.
Secondly, SQL injection is freakishly common and easy.
Do you have any recent examples of major SQL injection holes?
https://www.darkreading.com/remote-workforce/critical-security-flaw-wordpress-sql-injection
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a
You can fiddle with the nvd search settings to find whatever severity score you like, or filter by execution parameters.
https://nvd.nist.gov/vuln/detail/CVE-2024-1597
That one was a treat when I check under critical, since it’s an injection attack that can bypass parameterized query protections for the database driver, which is why “defense in depth” and “always sanitize your fucking inputs” are such key things to remember.
I hope that provided what you’re looking for, and maybe increases your awareness of SQL injection. 😊
Great comment. Thanks!
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=sql+injection
And without giving away specifics, I’ve personally found SQLi vulns in the wild within the last 5ish years.
Every modern database library automatically protects against SQL injection,
No. Every modern library allows using prepared statements, but very few (of any) force using them. If the developer doesn’t use them the libraries won’t do shit to protect you.
What I meant is that not many people write raw SQL in product code any more, other than for analytical purposes (which are often in a system like Apache Airflow rather than in product code). ORM systems have mostly taken over except for cases where you really need raw SQL for whatever reason.
Practically every dev learnt SQL and it’s really easy to put hands crafted SQL in code so it’s an easy mistake to make
EOM recon will be a bitch.
its an sql injection attack.
its rather unlikely that it works in a modern app.assuming this would work,
it injects a command in the sql database.it is assumed that the app runs a sql querry with the input field as a parameter e.g.
INSERT INTO "bills" (item, ammount, tip) VALUES ("steak", "20,00 $", "content of the custom tip goes here");
the semicolon indicates the end of the querry,
so the the text would cause the app to run an unfinished querry, and then start a new querry that messes up the content of the bills table.Further: xkcd.com/327
Is that Bobby?
Nothing. For one, it won’t let you enter letters. Two, the table structure to these POS systems are more nuanced than a simple bills table with am amounts field.
It’s amusing and all, but it’s not something you can do.
Source: work with, and develop around, these types of POS systems.
deleted by creator
What code could I enter there to get them to pay me for the food? 🤔
Negative tip value.
Amount/0
I wish 15% and 18% were options. Normally it’s more like 20%, 25% (default), 28%, 30%
Eventually people will say that about the current options lol.
There should be no default percent options at all. None.
‘complete transaction’ or ‘add optional tip’.
Literally saw 25% to 50% range the other day
Did you look them dead in the eyes and laugh, then walk away after manually entering 0?
“MILLENIALS ARE RUINING TIPPING!!1”
-Some fucking article written by an asshole boomer
A 50% tip can get your credit card flagged as potentially fraudulent activity.
Wouldn’t they just see the total?
I’ve had transactions flagged for (intentionally) leaving large tips before. These large tips were justified for various reasons, such as comped meals.
Could be the specific credit card company I use?
What makes you think it was flagged for a large tip specifically, rather than just an unusually high transaction?
It still confused me how they would know it was a $20 steak and $80 tip versus 5x $20 steaks and no tip. It would appear the same, a $100 transaction at Bob’s Steakhouse.
The message specifically said it was due to the “unusually large tip”. They wanted me to confirm that it was intended.
If the article linked below is to be believed, the credit card company does indeed know how much of the transaction is a tip due to the way the transaction is processed. Note that this was at a full-service restaurant, not tipping at the counter for fast food or some other thing.
Consider when you pay with a credit card at a sit-down restaurant, they read the card first. Then you write in the tip on the receipt, meaning that they process this part later after the initial card reading. It is probably different with the tabletop self-checkout devices though.
https://www.quora.com/Why-do-tips-given-in-restaurants-never-show-on-credit-card-statements
I hate %, give me a option to round up to the nearest 5. This is useful for my financial tracking, and I’m willing to bet a lot of people would like nice round numbers. If I buy a coffee or whatever and it’s $7 I round up to $10, not because I’m trying to give a good tip but because it’s more convenient for me when I’m sitting there doing my finances (I track everything) and while I know that not everyone would universally agree maybe they would only want to round up to the nearest whole dollar the fact remains I feel like most places would actually end up with more total tips overall if that was a one button option
Now if I could only bypass the float only input field…
F12 lol. The only issue with a dev console helping would be serverside checking
How do you press F12 on a touchscreen interface?
So I have to bluetooth my mobile device to the restaurant’s point of sale app?
You could probably also try peeling off the outer plastic of the device so you can access the USB port and plug in an external keyboard, but the person holding it might notice
you could also bring a regular keyboard and try to plug it in when the cashier isn’t looking. i’m sure that will go over well
Based username
Always nice to meet a fellow adventurer. See you in South Pront 👍
Can’t they trace it back to you since you’re using a card to get that prompt?
In my country, we can buy pre-paid credit cards in the supermarket using cash. I guess that is still traceable using supermarket security cameras and facial recognition, but if you’re attempting this, I’d make it as difficult as possible.
You just have to buy a prepaid card through another third party
Prepaid VISA gift card purchased with cash.
Are there still places you can buy those that you wouldn’t be on camera and immediately trackable?
I’m not shitting on the idea, I’m just trying to make it as good as possible.
Masks don’t only protect from airborne viruses…
Paired with a hat or hoodie with IR LEDs.
This isn’t even remotely viable. There’s so much isolation and “cloud” shit that it wasn’t viable from the start. It’s just a joke.
Maybe. If they can identify which record was the last one changed and the last one changed its directly related to the one that made the change and the ended transaction statement successfully posted a transaction
If the SQL injection crashed that person’s transaction there’s little chance of finding the culprit
I laughed a lot at this.
Does this actually even work any more? I figured most things protected against it nowadays.
I highly doubt it, most frameworks do indeed automatically prevent it these days. Still funny though.