Getting Cool Vanity License Plate 'NULL' Is Not Really a Cool Idea, Infosec Researcher Discovers (mashable.com) 106
Choosing NULL as your license plate might seem like a funny idea. But as an infosec researcher discovered recently, the cool-looking NULL vanity plate comes with its own consequences. Researcher Droogie, that's his handle, who presented at this year's DEF CON in Las Vegas, said he has been on the receiving end of thousands of dollars worth of tickets that aren't his. From a report: Droogie registered a vanity California license plate consisting solely of the word "NULL" -- which in programming is a term for no specific value -- for fun. And, he admitted to laughs, on the off chance it would confuse automatic license plate readers and the DMV's ticketing system. "I was like, 'I'm the shit,'" he joked to the crowd. "'I'm gonna be invisible.' Instead, I got all the tickets." Things didn't go south immediately. As Droogie explained, he's a cautious driver and didn't get any tickets for the first year he owned the vanity plate. Then he went to reregister his tags online, and, when prompted to input his license plate, broke the DMV webpage. It seemed the DMV site didn't recognize the plate "NULL" as an actual input.
That was the first sign that something was amiss. The next sign was, well, a little more serious: After receiving a legitimate parking ticket, thousands of dollars in random tickets started arriving in the mail at his house, addressed to him. It seemed that a privately operated citation processing center had a database of outstanding tickets, and, for some reason -- possibly due to incomplete data on their end -- many of those tickets were assigned to the license plate "NULL." In other words, the processing center was likely trying to tell its systems it didn't know the plates of the offending cars. Instead, with Droogie's vanity plate now in play, it pegged all those outstanding tickets on him. Specifically, over $12,000 worth of outstanding tickets. Long story short, Droogie went on the painstaking process to explain the situation to the DMV and the LAPD, both of whom advised him to change his plate. At any rate, the DMV reached out to the private vendor and sorted the issue.
no problem (Score:3)
Just get one called "nil" instead
bonus points if any DMV contractors use Ruby and choke on that
Re:no problem (Score:5, Funny)
RM -RF *
See if that messes with any of their systems...lol
Re: (Score:2)
too bad *nix is case sensitive, does powershell care about case?
Use your head: plate names to mess with OCR (Score:2)
80OBO0D
711II|L
BBB88B8
0O00OO0
etc...
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
How about doing: RM -RF *
My mom's license plate is: )'; DROP TABLE Drivers; --
Re: (Score:3)
Re: (Score:2)
My mother's middle name is Nell, on many forms she enters initial 'N', which many people have assumed to mean 'None'
Nothing new to see here, now let me tell you about my grand-daughter, Truncate, she's always losing data to the wind :)
Re: (Score:2)
My grandfather had no middle name, not done in the country where his parents were born. So he wrote "none" on his driver's license form for middle name, the state he lived in put all names on the license, and so his full name on the license had "none" in the middle
Re: (Score:1)
Not Sure, paging Not Sure
Re: (Score:2)
or write N/A and get "Nia" as middle name or last name. I know most people in Malaysia just have their "first name", they don't do the "last name" thing.
Re: (Score:2)
I was thinking about @Notnull or @NonNull or something :D
Re: (Score:2)
It's probably down to some millennial ("easy to learn!") scripting language comparing the value null to the string "null" and returning 'true!!' or something like that.
Re: (Score:2)
shoulda been (Score:2)
VOID
discuss
Re: (Score:2)
Or make it , "Fine paid". Never pay a ticket again.
Re: (Score:2)
This is actually brilliant. It will only work in places that allow 8-character tags, but it would be worth it.
Comment removed (Score:5, Funny)
Re: (Score:2)
What a shame "'); DROP TABLE TICKETS;--" has too many characters to be a legitimate US license plate.
Most won't let you put non-alphanumeric characters in, either.
However, "ROP TABL" is perfectly valid in all 50 US states, so if one were to cut out two pieces of paper of a similar color to the plate, and print on the first '"); D"' and then 'E TICKETS;--"' on the second, and align them enough that the OCR detects it and passes it along to the database query, it would on systems that aren't intelligent enough to at least make sure they send the plate image to a human if more than 8 characters are detected.
I
Re: (Score:2)
PSSSTTTT: Not all states allow the same number of characters. Some limit it to 6
Every thing old (Score:5, Informative)
is new again [snopes.com].
Re: (Score:1)
Re: (Score:2)
Came here to post this story. Glad someone else remembers.
Obligatory XKCD (Score:5, Funny)
Poor little Bobby Tables is all grown up and still causing problems.
Re: (Score:2)
WHAT??? (Score:5, Funny)
At any rate, the DMV reached out to the private vendor and sorted the issue.
They had me up to that point.
Re: (Score:2)
Re: (Score:2)
The right answer is not to have legal tag text indicate any sort of special case. Either have a separate field for the case, or indicate it with tag text that cannot be a legal tag.
Re: (Score:2)
California... Everything you see in Zootopia is true. I heard it was a mess so I tried to make a reservation, only to find that unless I
Re: (Score:2)
kinda makes me wonder how homeless people are supposed to do this
You don't need a home to have a mailing address.
Name of Computer Science professor (Score:5, Interesting)
Re:Name of Computer Science professor (Score:4, Funny)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Devina the Developer. It has a nice ring to it.
Re: (Score:2)
Short for Deverly.
Re: (Score:2)
Even Deb(orah) Null would be close enough for punning purposes.
Re: (Score:2)
That's a short name, but it's relatively common to get errors with long names. Even today when you would think most database people know about pitfalls and good design, but occasionally there are some web sites, data base apps, and the like that have a maximum size to names. All sorts of backend and customer support issues arise that way, such as being in the system but not able to be queried without knowing how the name was shortened.
Re: (Score:2)
Just ran into this problem with a new system only allowing first names to be 11 characters or shorter.
Re: (Score:2)
Re: (Score:2)
And I'm baffled why this still happens. I think a lot of developers just have extremely little experience and they're hired because they're cheaper, or the hiring manager also has little experience, or everyone's in such a tight time-to-market (agile?) that there's no plan for extensive design reviews, code reviews, and testing.
Comment removed (Score:5, Interesting)
Re: (Score:2)
I am replying to this so I can find it at a later date. This is news to me, and I will be taking this advice to heart.
Thank you.
Re: (Score:2)
Or Spanish last names, like "Cartagena y Vega", with mixed case and multiple words in the name.
Re: (Score:3)
Of course, the issue was actually that the developer had assumed that the text entered wouldn't exceed eight characters, but I
Re: (Score:2)
Back on a BSD 4 system, I got a new account as a reader in a university course. As I recall, the account name was too long, even though it was 8 characters. The sysadmin looked at the code, patched it up, reloaded the library/daemon, and it was fixed all while I was looking over his shoulder.
Re: (Score:1)
When I was a kid I broke my left tibia and one of the doctor's names was William L. Null.
Here's a prime example of this computer idiosyncrasy at work. His last name is missing:
https://www.yellowpages.com/ki... [yellowpages.com]
Re: (Score:2)
I've run into that with my own work and had to set up a way to handle it properly.
The easy way is to make the column not nullable and then use an empty string for "unknown" rather than null.
Only numeric columns really need to be able to be set to null to distinguish between not set and zero.
Re: Name of Computer Science professor (Score:2)
Re: (Score:2)
That's really stupid. You could also not use Oracle, which fucks up by thinking an empty string is the same as a NULL string. Then you can properly distinguish between empty and missing data.
Re: (Score:2)
Go to PSU Harrisburg?
Re: (Score:2)
Re: (Score:2)
This is why (Score:2)
Should have gone with "" instead.
Re: (Score:2)
This one I remember.
I was custodian of a legacy database (not the designer or the owner) at one of my sites.
Came time to migrate to something that was post-stone age dBase, and ran into data cleaning problems out the wazzo.
There were no data entry validations and name would be like, Tommy "Bubba" Jones and Jones, "Bubba," Jones.
Export/export delimiter. Another ball-buster was spaces. Years were mm/dd/yy, dd/mm/yyyy, yy,mm,dd, all over the place.
Company names were duplicated out the butt: Carson Co., Carson
What to name your boat? (Score:3)
That one is taken. Oh! How about naming your boat . . .
Error vessel name must be less than 45 charac
Why? Null is not equal to Null (Score:2)
Re:Why? Null is not equal to Null (Score:4, Informative)
They shouldn't have matched his plate.
Notice it didn't happen until it went to an external processor. One of the options when doing a database export to flat file is to output NULLs as empty strings or as the text string "NULL" and then vice-versa when importing. I bet the external outfit had their import of the text string "NULL" treated as a text string.
STR("NULL") != NULL (Score:1)
I find this story a bit far-fetched.
Re:STR("NULL") != NULL (Score:5, Insightful)
Re: (Score:2)
Maybe if you are using an explicitly typed language like pl/sql (of course with ' and not "), but many languages that do not force typing would be vulnerable
NOT a good practice, but on this side of possible
Re: (Score:2)
That's entirely language or implementation dependent. Also, why on earth would you disbelieve that there are some really, really bad programmers out there? I mean, it's not like there's an entire site dedicated to idiotic programmers (and those they work with) [thedailywtf.com].
Re: STR("NULL") != NULL (Score:2)
Re: (Score:2)
I find this story a bit far-fetched.
Null is a word used in everyday English, particularly in the office. It's entirely plausible that an email/memo/company training/piece of paper taped to each monitor said something like "If you don't have the number plate, type NULL." And with any manual process, there are likely variants like "NIL", "NA", "", "NONE", etc
Surprised (Score:2)
I never was interested in vanity plates so please excuse my ignorance but how is it possible ?
Many countries offer the possibility to get customized plates but they explicitly forbid problematic names. Usually swear words of the local language.
Re: (Score:2)
And apparently uniqueness also is not a requirement. Well at least not unique enough to avoid being confused with others.
That is how this is possible. And that is probably also the crux here.
NULL just happens to be a popular enough string of characters to stand out enough to be noticed.
Re: (Score:2)
One would think requesting for such a vanity plate would already show the problematic nature of 'NULL'. So that Droogie had to find out only when he tried to register his plate with the DMV site? Do they not share information on their own there?
Re: (Score:3)
Usually names are forbidden for decency reasons and not technical ones. The people who write the policies aren't aware of issues like NULL and NOPLATE and the programmers are too lazy to tell them just like they are too lazy to sanitize text inputs anyways.
Re: Surprised (Score:2)
At first glance, especially to a non programmer or even to a properly written automated system, the letters NULL do not look problematic. They usually screen for profanity and stuff similar to existing plates but it's easy to slip something thru especially if it's a new or obscure abbreviation.
Re: (Score:2)
In most of these sorts of cases, the problem isn't with the DMV per se, but rather with the practices of local law enforcement. Each police department generally has their own policy for what to do when a plate is missing, damaged, or otherwise illegible. One department may have officers write "NO PLATE", another "NULL", another "NONE", and yet another may just leave it up to the individual officers to write something at their own discretion. Snopes has a number of examples [snopes.com] of this sort of thing.
Sure, the DM
Relevant (Score:2)
I assume.... (Score:2)
...this was Bobby Tables' [xkcd.com] car?
NOPLATE (Score:2)
https://www.snopes.com/fact-ch... [snopes.com]
Not exactly on subject (Score:1)
but I saw the best standard plate ever once: 5EXB055
Re: (Score:2)
May be zero div (Score:2)
How about '1 / 0'
Real H4XX0R have solution (Score:2)
ZED NULL
(oops, gave away my primary login)
Could have been worse! (Score:3)
First World Problems (Score:2)
A buddy of mine's actual last name is Null [wired.com]. Imagine the hilarity.
Other potentially problematic plates (Score:3)
EMPTY, BLANK, NOTHING, or NONE
This post was going to just be the one line above, but Slashdot's lameness filter objected.
Re: (Score:2)
I tried to get 3 spaces but they wouldn't give it to me.
Something else I have found breaks a lot of organizations is not having a phone number, or even just not having a landline. Once I had a problem signing up for gas and electricity because they insisted I must have a landline (I didn't). In the end I just gave them their own phone number, but the version with the area code rather than the special 0800 free one.
That was back when calling area codes on your mobile was free because you could use your minut
Re: (Score:2)
I was just at the Nike outlet store today, they didn't have my size (13) in stock so it needed to be shipped; the app on the store device wouldn't accept my address until the phone number field was also filled in.
Re: (Score:2)
EMPTY, BLANK, NOTHING, or NONE
This post was going to just be the one line above, but Slashdot's lameness filter objected.
NaN?
Re: Other potentially problematic plates (Score:2)
FALSE! That's another one.
TRUE!
And the only other special value I know is UNKNOWN.
Re: (Score:2)
MISSING
ERROR
EMPTY
or just fill with alternate unicode spaces: ""
My own experience (Score:2)
In 2007 I took delivery of a Mitsubishi L300 Delica van, privately imported from Japan. She looked like something from outer space compared to other vehicles around town so I figured I might as well have some fun. In for a penny and all that...so I named her Gumdrop (after the Apollo 9 command module) and got license plates to match. I still have them, though they are now bolted to a VW Golf. Whose license plate frame ("A woman's place is in the cockpit") attracts almost as much attention.
Here in B.C. you
California DMV data security (Score:2)
I wonder what else can break the DMV web site and how many millions records could become vulnerable/hackable if something simple like this can break it.
My cars plate used to be DEVCAR (Score:2)
/dev/car. I was the device driver....until it got totalled.
He WILL pay the damn tickets..... (Score:2)
......if they have a warrant issued for his a** for non-payment and cuff him when he goes to the DMV next time.....
Re: (Score:2)
No, they aren't his.
They could charge him for their time, since he intentionally set out to disrupt the DMV,
revoke his license.
Revoke his plates.
Edgelord asshole (Score:1)
Since he did it INTENTIONALLY to disrupt the system, they should bill him for their time.
Also, people that do this clearly aren't grown up enough to be allowed the privilege to drive, so revoke his privilege.
Re: (Score:2)
Re: (Score:3)
You must be fun at parties.
I Work in Transportation... (Score:4, Interesting)
I worked in transportation software, for a Large Global Company that does a little bit of everything technology-wise. I wouldn't have to predict this as an outcome, as I would know that it would happen, even without knowing the systems involved.
Many systems are just plain outdated, backed by outdated pseudo-database or flat-file technologies that were homegrown. NULL? Yeah right.
Then, many systems were made to talk to those systems. They, in turn, might expect or need different data. They, themselves, were probably built a while ago by companies that might be technology creators, or might be consultants with government ties. If the latter, you probably have some rigid kind of rules and practices.
These talk to more modern systems that do things like "hey, we can identify someone by their plate and just ticket/fine/invoice them. We just need to know who owns the vehicle. Oh, and state law says we have to send the registered owner the first invoice and the registered address, and then we can skip-trace past that with future notices."
Great! We need to use the registration info anyway! How do we do this? We build a system to take inbound infraction information. That system we build to identify the plate - mostly automatically, because machines are less expensive than people. (please note: NULL is pretty easy to OCR under real-world conditions). Now, we just need to 'dumb down' that information for the interfaces to the company system that talks to the government system that in turn maintains the government data originally used to - in isolation - invoice and track registration. Oh, everything is a pipe-delimited string cut off at 32 bytes and some other wonky stuff, but that's cool it's legacy and has worked rock-solid for 32 years...
BTW, 'we' were smart enough to know that not all infractions can have an image we can identify. So we store these with NULL or some integral value like NOPLATE. Also, some people have TEMP plates and we can't send those on. However, we need to report on all of this, so we understandably store this data.
Whether we sent "NULL" and it matched somewhere along the way, or an update back made its way into our system...well... let's just say "OK then".
And someone comes along with the bright idea of having "NULL" or "TEMP" or "NOPLATE" etc. and is genuinely shocked. I can understand the shock - surely this shouldn't happen... but as soon as you think about my (very simplified) example, you realize the inevitability of it.
I can only imagine the bureaucracy of trying to fix it...No joke, at that point I'd probably retain a lawyer, one who preferably knows the governor or commissioner or something.
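Added example, not part of any comment in this thread and not code from any system in the story: a Python sketch of the failure mode described in the comment above and in the earlier comment about flat-file export/import, where missing plates are written as the text NULL and the importer cannot tell them from a real plate, next to an export that carries a separate plate_known field. The table layout, field names and sample citations are constructed for illustration.

```python
import csv
import io
import sqlite3

# Constructed sample data: two citations whose plate could not be read
# (None, i.e. SQL NULL) and one for a real vehicle whose plate reads "NULL".
CITATIONS = [
    (1, None, 65),
    (2, None, 120),
    (3, "NULL", 48),
    (4, "7ABC123", 75),
]

def export_lossy(rows):
    """Pipe-delimited export that writes a missing plate as the text NULL."""
    buf = io.StringIO()
    out = csv.writer(buf, delimiter="|")
    for cid, plate, fine in rows:
        out.writerow([cid, "NULL" if plate is None else plate, fine])
    return buf.getvalue()

def export_explicit(rows):
    """Export with a separate plate_known flag, so no plate text is special."""
    buf = io.StringIO()
    out = csv.writer(buf, delimiter="|")
    for cid, plate, fine in rows:
        out.writerow([cid, int(plate is not None), plate or "", fine])
    return buf.getvalue()

def load(flat, explicit):
    """Import the flat file into a (hypothetical) processor database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE citation (id INTEGER, plate TEXT, fine INTEGER)")
    for rec in csv.reader(io.StringIO(flat), delimiter="|"):
        if explicit:
            cid, known, plate, fine = rec
            plate = plate if known == "1" else None  # restore a true NULL
        else:
            cid, plate, fine = rec  # "NULL" arrives as ordinary text
        db.execute("INSERT INTO citation VALUES (?, ?, ?)",
                   (int(cid), plate, int(fine)))
    return db

def owed(db, plate):
    """Total fines matched to a plate; SQL NULL rows never satisfy '='."""
    sql = "SELECT COALESCE(SUM(fine), 0) FROM citation WHERE plate = ?"
    return db.execute(sql, (plate,)).fetchone()[0]

def unmatched(db):
    """Number of citations still recorded as having no known plate."""
    sql = "SELECT COUNT(*) FROM citation WHERE plate IS NULL"
    return db.execute(sql).fetchone()[0]

if __name__ == "__main__":
    lossy = load(export_lossy(CITATIONS), explicit=False)
    fixed = load(export_explicit(CITATIONS), explicit=True)
    print("lossy import, billed to plate NULL:", owed(lossy, "NULL"))
    print("explicit import, billed to plate NULL:", owed(fixed, "NULL"))
    print("explicit import, citations left unmatched:", unmatched(fixed))
```
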
Re: (Score:2)
I know of one Microsoft product that used the string "leprechans" for invalid data.
Predictable (Score:2)
The very first day I ever learned any SQL (in the '80s) I saw things like this happening.
But to see it still happening in 2019... that surprises me.
Comment removed (Score:3)
That's exactly why... (Score:2)
wrong fix (Score:2)
"Droogie went on the painstaking process to explain the situation to the DMV and the LAPD, both of whom advised him to change his plate."
instead of fixing the bug in the system...
if you have these 'restrictions', at least make it impossible to request these plates.
what will happen now is somebody else will request a NULL plate and we're back at the start of the story.