Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Transportation Security United States IT

Getting Cool Vanity License Plate 'NULL' Is Not Really a Cool Idea, Infosec Researcher Discovers (mashable.com) 106

Choosing NULL as your license plate might seem like a funny idea. But as an infosec researcher discovered recently, the cool-looking NULL vanity plate comes with its own consequences. Researcher Droogie, that's his handle, who presented at this year's DEF CON in Las Vegas, said he has been on the receiving end of thousands of dollars worth of tickets that aren't his. From a report: Droogie registered a vanity California license plate consisting solely of the word "NULL" -- which in programming is a term for no specific value -- for fun. And, he admitted to laughs, on the off chance it would confuse automatic license plate readers and the DMV's ticketing system. "I was like, 'I'm the shit,'" he joked to the crowd. "'I'm gonna be invisible.' Instead, I got all the tickets." Things didn't go south immediately. As Droogie explained, he's a cautious driver and didn't get any tickets for the first year he owned the vanity plate. Then he went to reregister his tags online, and, when prompted to input his license plate, broke the DMV webpage. It seemed the DMV site didn't recognize the plate "NULL" as an actual input.

That was the first sign that something was amiss. The next sign was, well, a little more serious: After receiving a legitimate parking ticket, thousands of dollars in random tickets starting arriving in the mail at his house, addressed to him. It seemed that a privately operated citation processing center had a database of outstanding tickets, and, for some reason -- possibly due to incomplete data on their end -- many of those tickets were assigned to the license plate "NULL." In other words, the processing center was likely trying to tell its systems it didn't know the plates of the offending cars. Instead, with Droogie's vanity plate now in play, it pegged all those outstanding tickets on him. Specifically, over $12,000 worth of outstanding tickets.
Long story short, Droogie went on the painstaking process to explain the situation to the DMV and the LAPD, both of whom advised him to change his plate. At any rate, the DMV reached out to the private vendor and sorted the issue.
This discussion has been archived. No new comments can be posted.

Getting Cool Vanity License Plate 'NULL' Is Not Really a Cool Idea, Infosec Researcher Discovers

Comments Filter:
  • by iggymanz ( 596061 ) on Monday August 12, 2019 @01:52PM (#59079850)

    Just get one called "nil" instead

    bonus points if any DMV contractors use Ruby and choke on that

  • by account_deleted ( 4530225 ) on Monday August 12, 2019 @01:56PM (#59079872)
    Comment removed based on user account deletion
    • What a shame "'); DROP TABLE TICKETS;--" has too many characters to be a legitimate US license plate.

      Most won't let you put non-alphanumeric characters in, either.

      However, "ROP TABL" is perfectly valid in all 50 US states, so if one were to cut out two pieces of paper of a similar color to the plate, and print on the first '"); D"' and then 'E TICKETS;--"' on the second, and align them enough that the OCR detects it and passes it along to the database query, it would on systems that aren't intelligent enough to at least make sure they send the plate image to a human if more than 8 characters are detected.

      I

  • Every thing old (Score:5, Informative)

    by OverlordQ ( 264228 ) on Monday August 12, 2019 @01:57PM (#59079880) Journal

    is new again [snopes.com].

  • by swimboy ( 30943 ) on Monday August 12, 2019 @01:58PM (#59079888)

    Poor little Bobby Tables is all grown up and still causing problems.

  • WHAT??? (Score:5, Funny)

    by BringsApples ( 3418089 ) on Monday August 12, 2019 @02:00PM (#59079896)

    At any rate, the DMV reached out to the private vendor and sorted the issue.

    They had me up to that point.

    • Likely fix (certainly the easiest) is to just stop sending all tickets with a plate of "null" so he should be off the hook forever.
      • The right answer is not to have legal tag text indicate any sort of special case. Either have a separate field for the case, or indicate it with tag text that cannot be a legal tag.

    • It depends on the state. I've lived in California, Massachusetts, and Washington long enough to get a license and register my car in each of those states. Massachusetts (RMV) and Washington (DOL) seem to run competent operations. I only had to wait about 15 minutes with 5-10 people ahead of me in line, and was out with my new license and plates in less than an hour.

      California... Everything you see in Zootopia is true. I heard it was a mess so I tried to make a reservation, only to find that unless I
      • by tsqr ( 808554 )

        kinda makes me wonder how homeless people are supposed to do this

        You don't need a home to have a mailing address.

  • by jfdavis668 ( 1414919 ) on Monday August 12, 2019 @02:03PM (#59079904)
    One of my Computer Science professors last name was "Null". She runs into this problem everywhere, many systems telling her her name is invalid. Kind of an ironic choice of professions with a name like that.
    • by olsmeister ( 1488789 ) on Monday August 12, 2019 @02:07PM (#59079926)
      was her first name Dev?
    • That's a short name, but it's relatively common to get errors with long names. Even today when you would think most database people know about pitfalls and good design, but occasionally there are some web sites, data base apps, and the like that have a maximum size to names. All sorts of backend and customer support issues arise that way, such as being in the system but not able to be queried without knowing how the name was shortened.

      • Just ran into this problem with a new system only allowing first names to be 11 characters or shorter.

        • Ran into a limit when one of our customers was from Truth or Consequences New Mexico. Had to expand the limit for the name of town.
        • And I'm baffled why this still happens. I think a lot of developers just have extremely little experience and they're hired because they're cheaper, or the hiring manager also has little experience, or everyone's in such a tight time-to-market (agile?) that there's no plan for extensive design reviews, code reviews, and testing.

        • Or Spanish last names, like "Cartagena y Vega", with mixed case and multiple words in the name.

      • During an internship, I was tasked with testing a device driver for a tape library. There were a set of commands that you would enter and it would trigger the little tape robot to perform some task, or data would be written/read to tape. One of the commands involved entering some text. Grasping for something to enter, on a whim I typed in "segmentation fault". The code crashed.

        Of course, the issue was actually that the developer had assumed that the text entered wouldn't exceed eight characters, but I
        • Back on a BSD 4 system, I got a new account as a reader in a university course. As I recall, the account name was too long, even though it was 8 characters. The sysadmin looked at the code, patched it up, reloaded the library/daemon, and it was fixed all while I was looking over his shoulder.

    • When I was a kid I broke my left tibia and one of the doctor's names was William L. Null.

      Here's a prime example of this computer idiosyncrasy at work. his last name is missing:

      https://www.yellowpages.com/ki... [yellowpages.com]

    • by KalvinB ( 205500 )

      I've run into that with my own work and had to set up a way to handle it properly.

      The easy way is to make the column not nullable and then use an empty string for "unknown" rather than null.

      Only numeric columns really need to be able to be set to null to distinguish between not set and zero.

    • by spitzig ( 73300 )

      Go to PSU Harrisburg?

    • I had a friend call "Con" which can't be used for the user directory on DOS/Windows machines. In fact any system that uses the name of a person as the directory name gets tripped up by this.
    • Dave Evnull was playing this joke in (UK) computer magazines as an editor/ column writer back in the 1980s.
  • Should have gone with "" instead.

    • This one I remember.

      I was custodian of a legacy database (not the designer or the owner) at one of my sites.

      Came time to migrate to something that was post-stone age dBase, and ran into data cleaning problems out the wazzo.

      There were no data entry validations and name would be like, Tommy "Bubba" Jones and Jones, "Bubba," Jones.

      Export/export delimiter. Another ball-buster was spaces. Years were mm/dd/yy, dd/mm/yyyy, yy,mm,dd, all over the place.

      Company names were duplicated out the butt: Carson Co., Carson

  • by DickBreath ( 207180 ) on Monday August 12, 2019 @02:06PM (#59079916) Homepage
    Boaty Mc Boat Face?

    That one is taken. Oh! How about naming your boat . . .

    Error vessel name must be less than 45 charac
  • They shouldn't have matched his plate.
    • by magarity ( 164372 ) on Monday August 12, 2019 @03:07PM (#59080154)

      They shouldn't have matched his plate.

      Notice it didn't happen until it went to an external processor. One of the options when doing a database export to flat file is to output NULLs as empty strings or as the text string "NULL" and then vice-versa when importing. I bet the external outfit had their import of the text string "NULL" treated as a text string.

  • I find this story a bit far-fetched.

  • I never was interested in vanity plates so please excuse my ignorance but how is it possible ?

    Many countries offer the possibility to get customized plates but they explicitly forbid problematic names. Usually swear words of the local language.

    • by fazig ( 2909523 )
      Not every country regulates potentially problematic strings of characters.
      And apparently they uniqueness also is not a requirement. Well at least not unique enough to avoid being confused with others.

      That is how this is possible. And that is probably also the crux here.
      NULL just happens to be a popular enough string of characters to stand out enough to be noticed.
      • by fazig ( 2909523 )
        Well, I should have read TFA again and slower.

        One would think requesting for such a vanity plate would already show the problematic nature of 'NULL'. So that Droogie had to find out only when he tried to register his plate with the DMV site? Do they not share information on their own there?
    • Usually names are forbidden for decency reasons and not technical ones. The people who write the policies aren't aware of issues like NULL and NOPLATE and the programmers are too lazy to tell them just like they are too lazy to sanitize text inputs anyways.

    • At first glance, especially to a non programmer or even to a properly written automated system, the letters NULL do not look problematic. They usually screen for profanity and stuff similar to existing plates but itâ(TM)s easy to slip something thru especially if itâ(TM)s a new or obscure abbreviation.

    • In most of these sorts of cases, the problem isn't with the DMV per se, but rather with the practices of local law enforcement. Each police department generally has their own policy for what to do when a plate is missing, damaged, or otherwise illegible. One department may have officers write "NO PLATE", another "NULL", another "NONE", and yet another may just leave it up to the individual officers to write something at their own discretion. Snopes has a number of examples [snopes.com] of this sort of thing.

      Sure, the DM

  • ...this was Bobby Tables' [xkcd.com] car?

  • I would have thought everyone knew of the NOPLATE issue and avoided this sort of thing.
    https://www.snopes.com/fact-ch... [snopes.com]
  • but I saw the best standard plate ever once: 5EXB055

  • How about '1 / 0'

  • ZED NULL

    (oops, gave away my primary login)

  • by petes_PoV ( 912422 ) on Monday August 12, 2019 @02:51PM (#59080090)
    Hopefully nobody will now be tempted by a plate called NOT NULL
  • A buddy of mine's actual last name is Null [wired.com]. Imagine the hilarity.

  • EMPTY, BLANK, NOTHING, or NONE

    This post was going to just be the one line above, but Slashdot's lameness filter objected.

    • by AmiMoJo ( 196126 )

      I tried to get 3 spaces but they wouldn't give it to me.

      Something else I have found breaks a lot of organizations is not having a phone number, or even just not having a landline. Once I had a problem signing up for gas and electricity because they insisted I must have a landline (I didn't). In the end I just gave them their own phone number, but the version with the area code rather than the special 0800 free one.

      That was back when calling area codes on your mobile was free because you could use your minut

      • by Kaenneth ( 82978 )

        I was just at the Nike outlet store today, they didn't have my size (13) in stock so it needed to be shipped; the app on the store device wouldn't accept my address until the phone number field was also filled in.

    • EMPTY, BLANK, NOTHING, or NONE

      This post was going to just be the one line above, but Slashdot's lameness filter objected.

      NaN?

    • FALSE! That's another one.
      TRUE!
      And the only other special value I know is UNKNOWN.

  • In 2007 I took delivery of a Mitsubishi L300 Delica van, privately imported from Japan. She looked like something from outer space compared to other vehicles around town so I figured I might as well have some fun. In for a penny and all that...so I named her Gumdrop (after the Apollo 9 command module) and got license plates to match. I still have them, though they are now bolted to a VW Golf. Whose license plate frame ("A woman's place is in the cockpit") attracts almost as much attention.

    Here in B.C. you

  • I wonder what else can break the DMV web site and how many millions records could become vulnerable/hackable if something simple like this can break it.

  • /dev/car. I was the device driver....until it got totalled.

  • ......if they have a warrant issued for his a** for non-payment and cuff him when he goes to the DMV next time.....

    • by geekoid ( 135745 )

      No, they aren't his.
      T\could charge him for their time, sine he intentionally set to disrupt the DMV,
      revoke is license.
      Revoke his plates.

  • Since he did it to INTENTIONALLY to disrupt system, they should bill him for their time.
    Also, people that do this clearly aren't grown up enough to be allowed the privilege to drive, so revoke his privilege.

    • by Xenx ( 2211586 )
      At least according to the way it's worded in the summary, he knew the possibility existed but didn't expect it to cause a problem. If he didn't believe it was likely, is it still intentional? (Rhetorical question, since it's a matter of opinion) And frankly, it's on them for allowing it in the first place. This stunt brought an old problem to the front, and it should be properly addressed to prevent it in the future.
    • You must be fun at parties.

  • by tungstencoil ( 1016227 ) on Monday August 12, 2019 @04:02PM (#59080360)
    Oh... no... um... no...please...oh, you did...

    I worked in transportation software, for a Large Global Company that does a little bit of everything technology-wise. I wouldn't have to predict this as an outcome, as I would know that it would happen, even without knowing the systems involved.

    Many systems are just plain outdated, backed by outdated pseduo-database or flat-file technologies that were homegrown. NULL? Yeah right.

    Then, many systems were made to talk to those systems. They, in turn, might expect or need different data. They, themselves, were probably built a while ago by companies that might be technology creators, or might might be consultants with government ties. If the latter, you probably have some rigid kind of rules and practices.

    These talk to more modern systems that do things like "hey, we can identify someone by their plate and just ticket/fine/invoice them. We just need to know who owns the vehicle. Oh, and state law says we have to send the registered owner the first invoice and the registered address, and then we can skip-trace past that with future notices."

    Great! We need to use the registration info anyway! How do we do this? We build a system to take inbound infraction information. That system we build to identify the plate - mostly automatically, because machines are less expensive than people. (please note: NULL is pretty easy to OCR under real-world conditions). Now, we just need to 'dumb down' that information for the interfaces to the company system that talks to the government system that in turn maintains the government data originally used to - in isolation - invoice and track registration. Oh, everything is a pipe-delimited string cut off at 32 bytes and some other wonky stuff, but that's cool it's legacy and has worked rock-solid for 32 years...

    BTW, 'we' were smart enough to know that not all infractions can have an image we can identify. So we store these with NULL or some integral value like NOPLATE. Also, some people have TEMP plates and we can't send those on. However, we need to report on all of this, so we understandably store this data.

    Whether we sent "NULL" and it matched somewhere along the way, or an update back made its way into our system...well... let's just say "OK then".

    And someone comes along with the bright idea of having "NULL" or "TEMP" or "NOPLATE" etc. and is genuinely shocked. I can understand the shock - surely this shouldn't happen... but as soon as you think about my (very simplified) example, you realize the inevitability of it.

    I can only imagine the bureaucracy of trying to fix it...No joke, at that point I'd probably retain a lawyer, one who preferably knows the governor or commissioner or something.
  • I very first day I ever learned any SQL (in the '80s) I saw things like this happening.

    But to see it still happening in 2019... that surprises me.

  • by account_deleted ( 4530225 ) on Monday August 12, 2019 @07:04PM (#59081040)
    Comment removed based on user account deletion
  • ...null is known as a billion dollar mistake.
  • "Droogie went on the painstaking process to explain the situation to the DMV and the LAPD, both of whom advised him to change his plate."

    instead of fixing the bug in the system...
    if you have these 'restrictions', at least make it impossible to request these plates.
    what will happen now is somebody else will request a NULL plate and we're back at the start of the story.

Genius is ten percent inspiration and fifty percent capital gains.

Working...