I read years ago in comp.risks about a similar story. A guy in 1979(!) requested a personalized plate "SAILING", with second choice "BOATING". He didn't want a customized plate if he couldn't get those, so for his third choice he put down "NO PLATE". Of course, he ended up with "NO PLATE". He ended up getting 2500 parking tickets, since cars with no plate had "NO PLATE" written on the ticket.
This reminds me about my own name. Everyone always gets it wrong (including people from where I am from). Except the Dutch. They always get it right, every single time!
There was also a meme about a person that wrote on her ID application "note the hat on the 'e'" and of course her name was Sarah Note The Hat On The E on the issued ID.
EDIT: Yes her name was not Sarah and there is no 'e' in Sarah.
A colleague used an app's "generate secure password" feature to change their ISP's web portal login - which then also became the WAN router's password - which they didn't realise.
It was about a week before the router dropped its connection and needed to re-authenticate - and that's when I was called in to investigate the loss of connectivity - which Windows 10 very unhelpfully reported as the network cable disconnected and was resetting or power-saving on the NIC so the "link active" LED on the switch was going out for about 2 secs every 10 sec. Cue a round of cable and switch swapping to no benefit. The LEDs for all other devices on the switch (running Linux and mostly internal servers) were behaving normally.
I finally backtraced to the router and a useful error message. We put two-and-two together and my colleague called up the auto-saved details in their password manager; it was long, and ALL non-alpha numeric characters - starting with a backtick, which the router would not accept. I tethered my phone to my laptop and tried to login to the Web account portal - which would NOT accept the passphrase. I tried it without the backtick "just in case" - nope.
We had to do a "lost password" reset on the portal... and wait for the email with the link.
Lessons learned:
The ISP's password change page did not seem to validate input, but the login page did.
Many, many websites will happily accept passwords of $X characters and then hash only $(X-Y) characters on registration, but try to hash all $X characters on login, so of course the hashes don't match. And at no point do they tell you the maximum number of characters.
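The registration/login mismatch described above, as an added example that is not code from the thread: a constructed cut-off of 16 characters stands in for the unstated "$X - $Y" limit, and a fixed version applies one announced length rule on both paths instead of truncating.

```python
"""Added example, not code from the thread: registration that silently truncates
versus login that hashes the full string, beside a version with one shared rule."""
import hashlib
import hmac
import os

TRUNCATE_AT = 16   # constructed: the silent registration-side cut-off
MAX_LENGTH = 128   # constructed: the single, announced limit used by the fixed code


def _derive(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever hash the site uses; the bug is independent of it.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


def register_broken(password: str) -> dict:
    """Registration path that keeps only the first TRUNCATE_AT characters."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _derive(password[:TRUNCATE_AT], salt)}


def login_broken(password: str, record: dict) -> bool:
    """Login path that hashes everything the user typed: the two never agree
    for any password longer than TRUNCATE_AT, and only the prefix is ever checked."""
    return hmac.compare_digest(_derive(password, record["salt"]), record["hash"])


def _check_length(password: str) -> str:
    """The one rule, shared by both paths, that rejects instead of truncating."""
    if len(password) > MAX_LENGTH:
        raise ValueError(f"password longer than {MAX_LENGTH} characters")
    return password


def register_fixed(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _derive(_check_length(password), salt)}


def login_fixed(password: str, record: dict) -> bool:
    try:
        candidate = _check_length(password)
    except ValueError:
        return False   # same rule as registration, so this cannot be a stored password
    return hmac.compare_digest(_derive(candidate, record["salt"]), record["hash"])


def demo() -> dict:
    long_pw = "correct-horse-battery-staple-4711"   # 33 characters, constructed
    broken = register_broken(long_pw)
    fixed = register_fixed(long_pw)
    return {
        "broken_full_password_logs_in": login_broken(long_pw, broken),
        "broken_first_16_chars_log_in": login_broken(long_pw[:TRUNCATE_AT], broken),
        "fixed_full_password_logs_in": login_fixed(long_pw, fixed),
    }
```

Run `demo()` to see the broken pair reject the full password while accepting its first 16 characters, which is the second, quieter problem with silent truncation.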
I once had a page that prevented pasting, but LastPass's password generator still worked. So I put in a long password using that, but when I clicked to register it came up with a blank error message. Turns out they had a 16 character limit that was only enforced when you typed in the box, so I had to count the number of letters they allowed me to type and then let LastPass generate a password of that length. Infuriating.
Square Enix's account management on the PS4 allowed me to set a password with a space on the end, but their website strips spaces from the password field when you sign in.
Fun fact: it's actually really easy to submit a string with a space on the end when entered via a PS4 controller.
Had this issue with Google a few years ago when I tried to set my password to something ludicrously long (think 5000+ characters). It would happily change my password, but I couldn't log in to anything afterwards…
For many years, Schwab ignored any characters after 8 in its password. Discovered that when I knew I flubbed one of the last characters, and it still worked.
I still can't believe a major bank got away with that for so long, apparently unharmed.
I learned this the hard way when I started using a password manager. I had the bright idea to start using 90 character passwords for all my accounts and suddenly I couldn't log into a lot of accounts.
I had something similar happen with (iirc) spectrum of the power company a couple years ago. Their customer portal let me use a complicated password to sign up, it sent me the confirmation email prompting me to log in, and refused my password for forbidden characters. But then I couldn’t reset my password because I hadn’t verified, and I couldn’t modify the account cause I couldn’t log in. I was just trapped in limbo. Customer service said they couldn’t fix it for me. I had to pay my bill by phone until I moved.
Ah yes, this reminds me of my University account. I chose a long password generated with my password manager, which of course contained a character that was allowed both at set up and usage. But because I had to frequently type it in without my password manager (i.e. on a University PC), I wanted to change it. But the change dialog asked for the old password and didn't accept it, due to the forbidden character. I had to go to the support who refused to believe my story and wasn't able to change my password. It took a few weeks to get hold of a person who was allowed to change passwords.
So many home-routers are run with horrid CGI-scripts on the back-end - I'd not be amazed to learn that submitting a form-field with `blah` in it would try to run the command blah (probably via busybox).
If you have time/patience it might be worth exploring.
I've actually rooted an Asus router owned by a relative, this was about 5 years back so it's hopefully fixed now. Noticed some strange behavior after a mistype and tried something like `whoami` (not exactly) and got root back so tried a reverse shell with NC which worked perfectly. Googled it afterwards and found a ton of similar flaws on other home routers.
Tried to do some kind of responsible disclosure but never got a reply or saw a fix then I forgot about it.
Is there even a reason to include special characters in passwords? They add 10% more security[1] but cause all sorts of issues with systems. Just use an alphanumeric password that's 10% longer, and if special characters are mandatory, use a safe character at the end like _ or -.
[1] 6.55 bits per character (all printable ASCII characters) rather than 5.95 (only alphanumeric)
Special characters in passwords were highly recommended when rainbow tables were an effective way to attack password hashes. See this old Coding Horror blogpost for an idea what it was like at the time: https://blog.codinghorror.com/rainbow-hash-cracking/
Salted hashes have made rainbow tables less effective. Password managers have made single-use passwords more tenable.
Not knowing how a system will store my password, I still prefer to include special characters where available. Anecdotally, I tend to see the systems that are most averse to special characters are also strict about character limits, so simply increasing password length is not possible.
Another way to say this that wouldn't rile so many people up is "In order to achieve the same size search space, you'd have to use ~10% more alphanumeric characters than all of printable ASCII."
Based on your numbers they add 10% entropy per character. Which compounds into an increase of 210% over a length of 12 characters. Thus you'd need the password to be at least 3 times longer with only alphanumeric characters to have the same entropy.
I went to change my password on a forum site that I had not used in a few years. My old password was really weak - think "abc123" or something similar.
I logged in and then attempted to change my password to my new standard of 20+ character upper/lower/symbol. The problem was, they'd upgraded their forum software, and there was a bug that added password strength validation to the "old" password field.
So I was putting in:
Old: abc123
New: sZp10VzIoZI9g143
And was getting the error message "error: your password must be 8+ characters long". After about 10 minutes of frustration and realising they had both client and server validation I went down a similar route as you and used forgot-password even though I knew the password.
Oh yeah, I've run into a lot of similar problems with even very well tested applications. The password reset field would accept inputs not valid at login time. I mostly ran into this when generating random passwords 100 characters in length from LastPass.
At one point GitHub even reduced their max password input to a sane amount, and I couldn't log in anymore with my existing insane password length a few years ago.
In most cases they fix the case when I report it, but my bank is terrible.
Similarly, my Belgian ISP (Telenet) has WiFi home gateways that are configured by their web portal, and config is pushed by the ISP.
I figured out that they only did validation on SSIDs client-side, so managed to get around that to put emojis in my SSID.
Which then proceeded to soft-brick the entire thing on config push. I'd have to log in to the web portal via another connection, change the SSID there, and then reset the hardware with the reset button to get internet working again.
The stereo in my 2013 GTI crashed hilariously if you tried to pair a Bluetooth device with anything in the name outside of [a-zA-Z0-9]. I wish I'd have messed around with it some more before I sold it (it was a silly car to own for how little I drive).
Oooh this reminds me, I am trying to learn a language that of course has ‘non-standard’ characters, and not even anything particularly exciting - Ä, Ö and the like. I thought it’d be cool to help memorise words (and be super secure) by changing frequently used passwords to phrases that contained these words...
...Caused me some trouble.
I learned that lesson a different way: When I had a Windows phone my email password had a backtick, and the only way to enter it on the phone was to long-press the apostrophe, pick backtick from the three or four apostrophe variants that appeared, and pray I didn't fat-finger it and enter the wrong character. In general, there are just some second class citizen characters you should always avoid, because you never know how hard they're going to be to enter when you're on a phone or a kiosk or whatever. (Tilde, I'm looking at you, too.)
There are regional keyboard layouts lacking backtick completely. (I would have to use alt+96 or switch keyboard from my default (and only) Czech QWERTZ layout to type `, if I hadn't more convenient AutoHotkey shortcut in effect.)
The Indian version of the personal retirement fund NPA website does this; I learnt a lesson. Every certain number of weeks you have to change your password. No big deal. I will just add an incremental number. OK, password now is PasswordPass1. Let's login. Wrong password? Why? Error: Password length exceeded.
So, the password change page will accept any length password, will silently truncate it if longer & save it. Now on login page you have to guess the password length or reset.
This is one reason why I stick to alphabet (+case) in my passwords, when I can make them long.
I had the exact same issues with some passwords which were accepted when creating them, then not accepted anymore when used to log in.
This plus emails such as a@example.com or hjghgfggv@example.someweirdtld show how much sites are broken because of some philosophical ideas of developers.
I once had the bright idea to use a backslash as a one character password for my girlfriend's computer, thinking it would provide amazing convenience: a single character, just above the enter key. Turns out this doesn't work very well, even on a Mac, which you would think would have gone through fairly robust testing.
Once upon a time, I went through my logins and tried to change them to strings with weird characters. I ended up with a password of on an internal school site and couldn't change it to anything else, since the "change password" site somehow rejected it.
I had a similar issue when my bank introduced a new banking app. The web login page has different requirements for the password than the app. I.e. on either I can set my password to something that the other will not accept.
I had a backtick in one of my passwords very long ago. When I first got my iPhone I couldn't figure out how to type that backtick until I realized one needs to press and hold an apostrophe.
When I was a foolhardy college student I figured out that if the cited vehicle make on my city parking ticket didn't match my registration, I could appeal the ticket via a web form very easily and succeed every time.
Naturally I removed the badges from my car and put on different badges from another manufacturer. After a while they started to cite me as “other” and the trick no longer worked.
All we had to do was register our cars in each others names. When I was married, my car was registered to her and vice versa. The redlight/photoradar laws in my state required that the company operating the devices had to match the pic of the driver violating the law, to the pic of the registered owner via the license plate. If they couldn't match them, no ticket was issued as you can't prove who was driving. That's probably changed now that a lot of DMV's are doing facial scans with datapoints. They probably just scan the whole DMV DB now to find the driver. Wear a mask.
Where I am from the ticket is issued to the vehicle owner, doesn't matter who was driving. On the plus side it means that you can get a photoradar ticket for driving 300km/h and not lose your licence, just pay the fine.
P.S. If the driver must be recognized does it mean that motorcyclists are exempt from photoradar fines?
In the UK we fixed this by making it a legal requirement for the owner of the car to identify the driver (obviously unless there's a valid reason you can't, such as it being stolen).
Two MPs have actually been caught out by this law, convicted of perverting the course of justice and sent to prison:
Here I think you are asked to directly wire transfer the penalty amount or you can challenge the ticket, then you will be heard as a witness for who drove the car. If you refuse to tell that or don't know, the judge can order you to keep a log of all journeys of your car that can be inspected for finding the culprit of a future offense.
I knew a kid in college who would get a ticket, and then look around the parking lot for another Black Nissan Maxima. Most people don't actually look at the plate number, just the make model. I think he got one ticket paid this way ... guy was kinda an asshole.
I've had a friend do the reverse: parking in illegal spot, and borrowing a ticket from another car that already received one. Upon return some hours later, he returned the ticket to the correct windshield.
Quite brazen, and frankly a bit of an asshole thing to do.
Someone tried that on me on campus but I noticed. I wasn’t supposed to be parked there either and was skating by on a technicality that worked as long as no one looked too closely into it. Otherwise I’d have called security and made his life uncomfortable for awhile. As far as I’m concerned, it’s fraud.
In the Starcraft 2 community it is called barcoding. Basically, I 1 | l are all accepted characters for a name and I think some do look actually identical on most fonts used in the game. So yeah, one person doing that you call "barcode", 2 persons doing that, you already have deniability. Be more than 10, and that's a crowd.
I own a rare collector car with a three-digit VIN. This has caused endless hassles at the DMV as well as the insurance office.
Sometimes we find success by prepending the necessary number of zeros, before the VIN. Other instances in the same system require appending zeros after the VIN. The true VIN has a hyphen but that never makes it into the DMV's system. One time I got stuck in a particularly nasty loop where the DMV mailed over thirty notices claiming the register would expire on 01/01/0000.
I had a car, a 1971 Toyota Landcruiser FJ55, that technically had a tilde (~) in the VIN. It was in the format: FJ55~123456. When I bought it, the title had the VIN as FJ550123456. I just accepted and ignored it for a while, but when I decided to sell the car, given that most of my potential buyers were out of state (and in most states, out of state purchases require a VIN inspection) I tried to get it fixed. After six months of working with the motor vehicles department here, getting an inspection by state police, and everything else, I found out that their software couldn't handle any non-alphanumeric characters. In the end they decided to change the title to FJ55123456 so it skipped the tilde but didn't replace it with a character that didn't exist on the vehicle.
>I own a rare collector car with a three-digit VIN. This has caused endless hassles at the DMV as well as the insurance office.
I have a similar problem with my own identity. I was born in Canada's smallest province, PEI, and now live in its largest, Ontario. Some Ontario government software seems to have problems recognizing the relatively low numbers on PEI birth certificates.
Hmm, is this just because it is so few digits? I've had plenty of classic cars that have commission numbers with between six and twelve digits instead of VINs, and haven't ever had any issue with the DMV here in MA.
I used to work for ClassicCars.com ... there's a LOT of variation to VINs before 1980, they standardized in the early-mid 70's, used to know the specific year.
Tangentially related somewhat-common bug: YAML files will interpret the literal 'no' as boolean false if it's not quoted, instead of as a string.
Many developers have wondered why, when they stuck country-specific configurations in a YAML file, that things suddenly stopped working when they expanded support for Norway.
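The Norway problem described above, as an added example that is not code from the thread: a minimal YAML 1.1-style resolver for one-line flow sequences shows an unquoted `no` turning into False, and a typed loader (the "deserialize to a known type" fix) rejects that instead of passing the bool on. The country-code pattern and the `strict` flag are assumptions for the example.

```python
"""Added example, not code from the thread: YAML 1.1 implicit typing on a
flow sequence, and a loader that insists on strings before accepting anything."""
import re

# The YAML 1.1 boolean forms. A 1.1 loader resolves any unquoted scalar matching
# these to a bool before the application sees it; the YAML 1.2 core schema keeps
# only true/false, which is why newer parsers do not share the Norway problem.
_BOOL = re.compile(
    r"^(y|Y|yes|Yes|YES|n|N|no|No|NO|true|True|TRUE|false|False|FALSE"
    r"|on|On|ON|off|Off|OFF)$"
)
_TRUE = {"y", "Y", "yes", "Yes", "YES", "true", "True", "TRUE", "on", "On", "ON"}
_NULL = {"", "~", "null", "Null", "NULL"}
_COUNTRY = re.compile(r"^[a-z]{2}$")   # assumed shape of a valid country code


def resolve_scalar(token: str):
    """Implicit typing for a plain (unquoted) scalar, YAML 1.1 style."""
    if token in _NULL:
        return None
    if _BOOL.match(token):
        return token in _TRUE
    if re.fullmatch(r"[-+]?[0-9]+", token):
        return int(token)
    return token


def parse_flow_sequence(text: str) -> list:
    """Parses `[a, b, 'c']`; quoted items are kept verbatim as strings."""
    body = text.strip()
    if not (body.startswith("[") and body.endswith("]")):
        raise ValueError("expected a flow sequence like [no, se, fi]")
    inner = body[1:-1].strip()
    if not inner:
        return []
    items = []
    for raw in inner.split(","):
        tok = raw.strip()
        if len(tok) >= 2 and tok[0] == tok[-1] and tok[0] in "'\"":
            items.append(tok[1:-1])          # explicitly quoted: always a string
        else:
            items.append(resolve_scalar(tok))
    return items


def load_country_codes(text: str, strict: bool = False) -> list:
    """strict=False returns what a naive config loader gets; strict=True is the
    "deserialize to a known type" fix: every item must already be a 2-letter string."""
    values = parse_flow_sequence(text)
    if strict:
        for i, v in enumerate(values):
            if not isinstance(v, str) or not _COUNTRY.match(v):
                raise TypeError(
                    f"item {i} is {v!r}, not a country code; quote it in the YAML"
                )
    return values
```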
I always felt Yaml is far too complicated of a format for storing hierarchical data. JSON is too simple (no comments; hard to store multi-line strings).
HCL, the hierarchical data storage language used by Terraform, is the closest thing I’ve seen to a happy medium between JSON and Yaml.
Another option, if the string values are not multi-line, is CommentJSON (use the Python module or write 10 lines of code that strips out comments from JSON if using another language).
Also as an example of "always deserialize to known types". Flexible boolean values can be convenient since it's relatively human-readable, but "deserialize into [whatever the heck you think is appropriate]" is a problem for quite a few reasons beyond confusion: https://lgtm.com/blog/swagger_snakeyaml_CVE-2017-1000207_CVE... (same techniques have been used against other kinds of serialization in many languages for many years)
Every feature is a source of bugs. Be careful when constructing end user affordances for systems that have broad applicability and need to run over a very long time span.
Afterwards I just try to avoid yaml if I can. While it looks cleaner than json, I don’t find it especially easy to read and there is unnecessary ambiguity due to unquoted strings. And it seems to have a thing against Norway ;)
I don't have a problem with any of those representations, and also no problem with all of them at the same time.
But not only the value representation keeps the types ambiguous, also there is no off-channel place to disambiguate the types, and no value-independent rules for deciding on the types. If any of those was different, there wouldn't be a problem.
I remember a story when Microsoft translated some ancient version of Internet Explorer for Mac, there was a menu where you could select TLDs (I can't remember what for) and the .no domain ended up getting translated as the word
I've also heard a similar story of a Finnish man who got a ticket in the UK, and on closer inspection found his name on the ticket listed as Mr. Ajokortti Körkort. That's "driver's licence", first in Finnish, then Swedish, and is written at the top of the driver's license card.
That said, I find these stories a little hard to credit, since you'd expect police officers in the EU to be fairly familiar with the standard EU driver's license layout.
You’d expect offices in the US to be familiar with US states and territories, but that doesn’t stop them from occasionally demanding a passport from people from New Mexico, or saying a license is fake because there’s no such state as “District of Columbia.”
Irish driving licences didn't start to use the standard credit-card-sized EU format until a few years ago. They were paper booklets which had long since been phased out in the rest of Europe.
I have a family member whose license plate started with "&". The DMV accepts it, plates were ordered online fine, but police systems can't handle it apparently, to my family member's ultimate discomfort. I commonly joke it probably gets the individual out of automated tickets for speeding and red lights, but when an officer pulls them over we sometimes need to explain that the "&" is dropped in the system (or so we've been told) and that seems to clear up issues.
In Washington State, you can register period-correct plates for your car. The problem is that you can't register the actual digits that are printed on the plate. The cops and cameras can't pull up your information, and you get stopped and questioned all the time. Explaining how the plates work to the Police gets pretty tiring.
Any word on whether the plate without the preceding '&' is in circulation? I'd be curious if your records in the police systems would be merged with the records of the owner of that plate.
The rules for california are the special symbols (which don't include &) are non-significant. Everything but the plate itself ignores them. Washington doesn't have special symbols, but does have an optional dash, which is also not significant.
I sometimes see California tags with a heart character in them. Does anyone know if those are considered part of the number, or are they just ignored as decoration?
The DMV made a mistake, they know it, and they aren't fixing it. In this case, the problem is relatively inconsequential but it is an institutional failure. The DMV is a government agency which is, at least in theory, somewhat indirectly accountable to the people. Which means that if they're treating one particular citizen unfairly, one option that citizen has is publicly shaming them. (Another option is to file a lawsuit. That's more work, though.)
As I see it, this person is performing a public service by not budging on this. It's nowhere near on the same level as Rosa Parks not going to the back of the bus, but sometimes we need people to not simply go with the flow because it's the easiest thing to do.
Considering that the DMV in most places already has a lot of shame heaped on it, I doubt this extra spoonful meaningfully moves the needle.
This guy is really just wasting his own time for no actual benefit to anyone. If he genuinely enjoys it, then sure, I guess each to their own, but if not...
But they're only performing a public service if it gets fixed -- which there's no indication in the article is happening.
And frankly, why would it? Different government agencies likely have zero reason to cooperate on it. Especially if, say, the DMV is responsible for the error, but the courts are the ones dealing with the cost.
So unless this guy has a reason to think it will get fixed because of him... he's just wasting his time, no?
Sure he did nothing wrong because it backfired like one of Wile E. Coyote's schemes but the article makes it clear he was hoping to confuse automatic ticketing systems. He was trying to get out of tickets. Sure he didn't break the letter of the law but he tried to break the spirit of the law and it bit him. Some might call that karma, I think he needs a better hobby than standing in line at the DMV which is ultimately what he has taken up. I wonder how long he'll keep going.
Exactly! All he has to do is collect all the notices and deal with them every few months. Not to say there aren't other implications that might be more troublesome :P
On top of that, if anything, forcing the government to fix its bad code (insert snarky ambiguity between software code and legal code) can't be a bad thing. I'd buy the guy a beer.
If he sees spending time and effort expunging his record every few weeks as worth the trade-off for the 'extra notoriety', then power to him. I wouldn't do that.
There was a similar issue in California where, in the days before on-line choosing of vanity plates, you would give three choices. One guy couldn't come up with a third option so he wrote "NO PLATE" and ended up with that as his plate with similar results. Snopes has the story:
Earlier this summer I decided that I'd found a loophole and ordered 'N0 TAG' and 'N0NE' (zeros) for my motorcycles. The license plate font doesn't distinguish between 0 and O but the computers seem to account for visually similar characters -- I could not order the same plates with Os after they'd issued.
Haven't caught anyone else's tickets so far. SunPass won't accept 'N0 TAG' being associated with my transponder tho (have not tried 'N0NE' yet).
I did get pulled over on my very first ride with 'N0 TAG' and the first words out of the cop's mouth were 'Is that tag legit?' That may or may not have been a factor in catching a warning instead of a ticket that I absolutely earned.
> The license plate font doesn't distinguish between 0 and O
When the German license plates were redesigned in the mid-1990s, a different font was also introduced, which was engineered explicitly to thwart similar-shape attacks: https://en.wikipedia.org/wiki/FE-Schrift
It seems meaningful to me that the wired website works (sort of; the left margin is 1/3 of my screen) with JavaScript disabled, and outline doesn't work at all.
Years ago (in the late 90's or early aughts) when ordering vanity plates online became a thing, I got approved for the plate "127.0.0.1". This was a California or NC plate, can't remember as I lived in both states. I checked the mailbox excitedly every day like Ralphie from A Christmas Story for my uber cool plate. When I finally did get something from the DMV, it was too small to be a license plate and was simply a note that said "Sorry, your requested plate conflicts with a motorcycle plate, so we have to deny your request." Huge bummer, but I guess 127.0.0.1 becomes 127001 in their systems.
I have a DBA registered in my local county. The DBA name is:
' or 1=1; drop table sys.systable; -- Computer Services
I had a lot of fun at Bank of America when I signed up for my business bank account shortly after registering the name. Not quite a license plate but similarly themed
It always makes me so happy to see a "little Bobby tables we call him" reference when data inputs are discussed!!!
I will assume that we are all aware of the Exploits of a Mom, but just in case we have anyone reading this that doesn't already appreciate XKCD: https://www.xkcd.com/327/
Another picture (which I can't seem to find now) purportedly showed how one of the screens over the highway was displaying just an error message after triggering this exploit.
I doubt that. Normal people do not tend to use the word NULL at all.
What this usually is is the result of systems that talk to systems that talk to systems that talk to systems, all in different legacy formats never written to be interchange formats. One system has true SQL NULLs, the next system down the chain only accepts strings for that field, NULL gets written as the most sensible string, and then from that point on all downstream systems can't tell the difference between the original system having had an SQL NULL or having had the string NULL.
Actually, I think it's doubtful the folks at the private processing facility are actually writing 'NULL', but my guess is the DB field is just not set (i.e. left as NULL), and then when the info is read out somewhere it's just printed as the string literal value.
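The chain of systems described in the two comments above, as an added example that is not code from the thread: a real SQL NULL survives the first hop, then a text-only export writes it as the string NULL, and from that point a lookup for the legitimate plate NULL also matches every citation that never had a plate. The sample citations and the CSV format are constructed; the fix carries the absence of a plate as its own `plate_missing` column.

```python
"""Added example, not code from the thread: SQL NULL versus the string 'NULL'
across a lossy export, and an export that keeps the two apart."""
import csv
import io
import sqlite3

# Constructed sample: one real plate NULL, two citations where the camera read
# no plate at all (SQL NULL), and an unrelated plate.
SAMPLE_CITATIONS = [
    ("NULL", 25),
    (None, 60),
    (None, 90),
    ("7ABC123", 35),
]

_SCHEMA = "CREATE TABLE citations (id INTEGER PRIMARY KEY, plate TEXT, fine INTEGER)"


def upstream_db() -> sqlite3.Connection:
    """System 1: the only system that still has true SQL NULLs."""
    db = sqlite3.connect(":memory:")
    db.execute(_SCHEMA)
    db.executemany("INSERT INTO citations (plate, fine) VALUES (?, ?)", SAMPLE_CITATIONS)
    return db


def export_lossy(db) -> str:
    """Export as the comment describes: NULL written as 'the most sensible string'."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["id", "plate", "fine"])
    for cid, plate, fine in db.execute("SELECT id, plate, fine FROM citations"):
        w.writerow([cid, "NULL" if plate is None else plate, fine])
    return buf.getvalue()


def export_flagged(db) -> str:
    """Fix: the absence of a plate travels as its own column, not as a spelling."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["id", "plate", "plate_missing", "fine"])
    for cid, plate, fine in db.execute("SELECT id, plate, fine FROM citations"):
        w.writerow([cid, "" if plate is None else plate, int(plate is None), fine])
    return buf.getvalue()


def downstream_db(csv_text: str) -> sqlite3.Connection:
    """System 2: imports whatever the file says, restoring NULL only when the
    export carried an explicit flag. Without the flag 'NULL' is just text."""
    db = sqlite3.connect(":memory:")
    db.execute(_SCHEMA)
    for row in csv.DictReader(io.StringIO(csv_text)):
        plate = None if row.get("plate_missing") == "1" else row["plate"]
        db.execute(
            "INSERT INTO citations VALUES (?, ?, ?)",
            (int(row["id"]), plate, int(row["fine"])),
        )
    return db


def fines_for_plate(db, plate: str) -> int:
    """What a ticketing system does when it bills the registered owner of a plate."""
    return db.execute(
        "SELECT COALESCE(SUM(fine), 0) FROM citations WHERE plate = ?", (plate,)
    ).fetchone()[0]
```

Upstream, the owner of plate NULL owes 25; after the lossy export the same query charges them 175, the two no-plate citations included.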
A colleague’s name is “True.” When we ran some reports to generate a check in list for an event - it was converted to either “TRUE” or “1” depending on the script.
I was amused.
Even without sql doing odd things certain strings will just cause problems.
I presume this is already on thread but Irish police conducted a manhunt for serial traffic offender "Prawo Jazdy" - till they realised that was "Driving License" in Polish
I recently saw a car with a license plate of B8B88BB8 (or something to that effect) that I am almost certain the owner chose to make it hard to read and transcribe correctly by either humans or computer vision systems.
I read that someone tried to register a license plate with a random sequence of Os and zeros (e.g. "OO0O00"). Unfortunately, it worked too well because the person doing data entry at the DMV ordered him a plate with all Os. :)
It doesn't take much to break some of those though.
I have a custom plate that is two common words, on a California 60s vintage plate (black plate with yellow lettering) and most parking garages that check and print your plate on the ticket always butcher it. Instead of (replaced for privacy) "FOO BAR" it will say "8A2M31W" or some garbage.
I'm surprised more places don't do what Nintendo did with course ids in Super Mario Maker 2. They intentionally removed some characters that are visually similar to avoid confusion when writing out codes.
base32? "an alphabet of A–Z, followed by 2–7. 0 and 1 are skipped due to their similarity with the letters O and I (thus "2" actually has a decimal value of 26)."
https://en.wikipedia.org/wiki/Base32
"Droogie contacted the DMV who told him to change his plate. He refused because he didn't do anything wrong. While they wiped the fines off his record, unfortunately for him, they didn't fix the problem in the system so once again, Droogie has accrued another $6,000 in tickets"
So wait, after he knew this was the outcome from using this plate he just decided 'nope, the DMV will definitely rectify this error'? Maybe he has a much higher tolerance for dealing with the DMV than I do, but surely there are far more productive ways to spend your time than constantly battling against invalid tickets. Additionally, I would be concerned about not being able to waive some of these tickets at some point and actually having to pay them; 6k isn't exactly an insignificant amount and could also really impact insurance rates.
It's a matter of principle though. Droogie hasn't done anything wrong, and is receiving fines due to errors made by the DMV.
You're right that when faced with a choice between acting on principle vs acting pragmatically/for one's own benefit/convenience/need, people often don't have the luxury of (or patience for) choosing the former. But it's nice to see when someone does.
That's arguable, actually. The article states, but doesn't provide evidence, that Droogie "hoped it might confuse automatic license plate readers or the DMV's ticketing system".
If this was done in an attempt to evade enforcement of existing laws, then sorry: that's a crime, folks. You aren't allowed to pen test live systems!
TBH it's a very silly principle to fight for: "I DEMAND YOU HAVE NO BUGS!" And the DMV could just as well argue "Sorry, the bug is that we never should have accepted your NULL plate application in the first place, so we'll send you a non-vanity plate".
This post has way too much traction to flag now but I wish we didn’t have sites like this that take a bit of admittedly interesting content from elsewhere and repost it with an infinite scroll of spammy ads.
Seems to be a clever technique here too, ending the article with what seems like a non-ending, so the user will keep scrolling.
If I remembered where the original content was I’d post it, or had a desktop/laptop browser to search with right now, I’d post a link, but I don’t. I just remember having read a much better article about this in the past.
My buddy Stan registered for null@verizon.com back in the early 2000s so you could link sms to email delivery. Wound up with so. many. text messages. Reminders to take medicine, personal convos, sports results, everything.
I recently bought a *.ninja domain name and started using it for my personal email address. Probably 20% of the time, when I try to sign up for a service it gets rejected by web forms that have been hardcoded to check for traditional top-level domains.
Oh you think that's bad? My email address ends in that most exotic of domains, .net
I find websites that won't accept it because they think it's an invalid address all the time. I have no idea what logic they're using, would love to find out.
If I recall correctly, this comes up a lot with null.com too with respect to emails, etc. I think there was even an HN post about all the null@null.com emails collected by someone.
Let's talk about one specific thing from the article:
>Things started to go awry when he first registered the tags. He tried typing in his license plate but the DMV website wouldn't accept it.
Let's talk about the fact that the DMV website wouldn't accept it. Do you think this is all right behavior on the part of the DMV website?
It's really interesting because if you're coding up the DMV web site, it makes sense to disallow NULL just as a preventative measure, like not allowing '-- in a query (to prevent SQL injection attacks.)
I would generally think that on the whole you should accept -- as a substring in a password. But is it wrong programming if you don't allow that substring?
Disallowing it could cause someone's chosen password to fail, so they have to change it for you to accept the password they want, but if you know for sure that you use sql as part of processing passwords you might well decide that it is acceptable to make people have to try a new password before you'll accept theirs, in case you are not confident that you are escaping everything correctly.
So from my end it seems okay to do something like disallow NULL.
If you consider the choice of the programmer on DMV's web site, what do you think about their choice to reject this input, even though in fact it turned out to be legitimate? Is it acceptable programming practice?
I don't believe this is acceptable. By any modern sane best practice, the word NULL in a string from a web form (where your input is basically by definition a string) is a string like any other.
Blocking -- in a string does not prevent SQL injection attacks. Using proper parameterised queries does. This might sound mildly hostile but "you are not confident that you are escaping everything correctly" - when this is a well defined and solved problem - means you should not be building this application as you're too incompetent to. For the millions of taxpayer money wasted on this kind of thing, it is absurd.
Blacklisting keywords used in XSS is also completely futile, pointless, useless, and does nothing but piss off users that can no longer use anything containing the word log or window or whatever.
That's a bit curious though. If the code relies on a magic value, you'd think it's in order to skip trying to get data it doesn't have, like the address of the unidentifiable cars.
Even if NULL then does have this address attached, why does it take the branch where it looks for the data?
I suppose it would be in a relational DB, perhaps there's a join that drops missing entries, but if they aren't missing they show up?
The code doesn't rely on a magic value, the humans have decided that an empty value will be typed, by hand, into their terminals as the characters "NULL".
The problem is that the employees with access to the system are required to enter a 'valid' value. But in some cases there is no value. So the 'valid' value they've come up with is the string "NULL" - they can't use "~~NULL~~" because ~ isn't allowed on a license plate. So because A) anyone can request a valid value on a plate, and B) nonce values must also be "valid" within the system, the tax payer is capable of ordering a nonce value on a plate.
They're likely different organizations. The one that entered 'NULL' license plates was a "privately operated citation processing center" so they presumably weren't in charge of looking up the addresses for each license plate. If they were it would be rather pointless to save the 'NULL' value in the first place.
I bricked my profile page on Zomato. There is (was) a feature where you can choose a custom URL for your profile page, and I chose something which already was a valid URL for them. Now when I click on "my profile", it goes to "https://www.zomato.com/genjs". I can't edit anything in my profile now.
Danny White, a resident of Washington, DC, had a similar problem: his vanity license plate read "NO TAGS", which happens to be what police there put down in the license plate slot for missing plates.
The same issue is seen on social networks that identify users by their usernames: - before it was suspended, twitter.com/null had just 2 tweets, but over 70K followers: http://archive.is/Dt6af.
I have a friend who told me his story enrolling in his university. He's a German national who grew up in Spain. I'm going to call him Andres Schmidt, as the actual name is not relevant.
In Spain, people normally have two surnames, one from the mother and one from the father (no, it doesn't exponentially grow with generations :D). He had issues enrolling in uni, as the system required two surnames so he ended up with "Andres Schmidt Schmidt". He had issues down the road as well, having to explain himself every time he needed to register for something. I think the student id was also a hash which included the name and he hadn't been consistent with his "full" name in all systems.
The interesting question this article poses is whether there's a system in place for the government to revoke vanity plates it's already approved. Can they force him to change the plate?
Ontario Canada has an anesthesiologist with a “FENTANYL” license plate.
Was funny in 1995, not so much now.
So he went to the DMV and asked them to change it, and they wanted to charge him to do that.
He’s like, no, I’m not paying.
Eventually he writes a letter to his politician saying “please revoke my license plate” and eventually he gets a letter saying they got a complaint (ie: his) and the DMV wants to revoke his plate.
But he had to wait 30 days for the appeal clock to run out, just in case he wanted to appeal his own complaint.
Kinda funny, but kinda sad that someone paid $400k+ per year by the government wasted thousands more because he didn’t want to pay the $100 plate change fee.
Yes, of course they can revoke vanity plates. For example, the story (2002-2004) of the Washington software engineer who spent a couple of years fighting to keep his "GOTMILF" license plate and ended up having it canceled.
I never understand how these sorts of bugs happen - is the database something like:
plate VARCHAR(8) NOT NULL DEFAULT "NULL"
Or rather the type is actually Option<String>:
plate VARCHAR(8) NULL DEFAULT NULL
In which case, how is it the software can't tell the difference between Some("NULL") and None()?
The only thing I can think of is the software (or its database driver) handles everything in strings; so None() and Some("NULL") both get converted to "NULL"?
Based on the description in the article, it's a separate system that is actually entering "NULL" in the license plate string field, probably for things like red light camera violations. Chances are it's a human doing this according to a procedure or the system is setup to require entry of some text in the field, so they have to enter something and opted for "NULL" if the actual plate is unreadable / unreliable / not present. This is unfortunately how a lot of things in the real world work, especially on legacy systems.
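The two threads above (the "just blacklist '--' / NULL" exchange, and the Option<String> question of how a system could confuse Some("NULL") with None) can be answered with one runnable sketch. This is an added example with a constructed toy schema, not the DMV's or the processing centre's code. It shows that parameterised inserts store the text "NULL", a quote or "--" verbatim without any keyword blacklist, that the driver hands SQL NULL back as None and the text "NULL" back as the str "NULL" so the two are never confused at that layer, and that the real failure is a join on a plate column where a human typed the string "NULL" as a placeholder:

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed toy schema (assumption, not the DMV's): registrations keyed by
    plate, and citations that arrive from an outside processing centre."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE registrations (plate TEXT PRIMARY KEY, owner TEXT NOT NULL);
        CREATE TABLE citations (
            id     INTEGER PRIMARY KEY,
            plate  TEXT,              -- nullable: an unreadable plate should be SQL NULL
            amount INTEGER NOT NULL
        );
        """
    )
    con.execute("INSERT INTO registrations VALUES (?, ?)", ("NULL", "Droogie"))
    con.execute("INSERT INTO registrations VALUES (?, ?)", ("7ABC123", "Someone else"))
    return con


def record_citation(con: sqlite3.Connection, plate, amount: int) -> None:
    """Parameterised insert: the value travels out of band from the SQL text, so
    'NULL', a quote, '--' or anything else is stored verbatim and never parsed as
    SQL. A keyword blacklist adds nothing here."""
    con.execute("INSERT INTO citations (plate, amount) VALUES (?, ?)", (plate, amount))


def stored_plates(con: sqlite3.Connection) -> list:
    """What the driver hands back: SQL NULL arrives as None, the text 'NULL' as 'NULL'."""
    return [row[0] for row in con.execute("SELECT plate FROM citations ORDER BY id")]


def citations_for_owner(con: sqlite3.Connection, owner: str) -> list:
    """The billing join. SQL NULL never compares equal to anything (three-valued
    logic), so rows with a NULL plate fall out of the join; the *string* 'NULL'
    compares like any other text and lands on Droogie's registration."""
    rows = con.execute(
        "SELECT c.plate, c.amount FROM citations c "
        "JOIN registrations r ON r.plate = c.plate WHERE r.owner = ?",
        (owner,),
    )
    return [(plate, amount) for plate, amount in rows]


def demo() -> dict:
    con = build_db()
    record_citation(con, "7ABC123", 50)
    record_citation(con, None, 100)    # plate unreadable, stored correctly as SQL NULL
    record_citation(con, "NULL", 100)  # plate unreadable, "NULL" typed in by hand
    record_citation(con, "'; --", 25)  # injection-looking text is just text here
    return {
        "stored": stored_plates(con),
        "droogie": citations_for_owner(con, "Droogie"),
        "other": citations_for_owner(con, "Someone else"),
    }


if __name__ == "__main__":
    print(demo())
```

The citation recorded with None never bills anyone; the one recorded with the string "NULL" bills Droogie. The fix is on the data-entry side (make the field nullable and let the clerk leave it empty) rather than in the plate-application validator.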
It would seem to me that issuing frivolous citations to a man who has not actually broken the law is a violation of the general prohibition against unreasonable fines and punishment.
Reminds me of myself: when gmail came out I got my name@gmail
The name is my 6 letter last name.
I've received thousands of emails from random people. There are so many letter.name or number.name similar addresses that I'm constantly getting very personal emails of other people (deaths, marriages, invoices, business reports, etc)
Reminds me of a recent groceries delivery to my home. I had ordered online the day before and had some trouble filling in the form but managed to validate it anyway.
The delivery man called to tell me my address was incorrect. When I asked him what was wrong, he told me it said 'Null Null Null Null'.
Actually, it was brilliant because it pointed out how flawed the system is, that it can be passively broken or circumvented. This could be used to invalidate all citations that were issued from agencies using that software.
I rather think that it did work. Or, at least, if he continues being successful having tickets for "NULL" dropped. Because any tickets he actually gets will be to "NULL".
>Apparently, when they didn't have the right data for a vehicle, a privately operated citation processing center used the word NULL in the license plate field for many tickets.
I have named my phone "Null Pointer Exception". Whenever I connect my phone to a friend's Bluetooth they immediately scream, "oh look! null pointer exception!"
It's not a database sanitization issue. The problem is that for cars that don't have a plate or the plate wasn't entered for whatever reason, in some cases people were entering "NULL" (the string). That then ended up matching his plate.
The 'NULL' string was being entered by the private company:
> Apparently, when they didn't have the right data for a vehicle, a privately operated citation processing center used the word NULL in the license plate field for many tickets.
Confusing the value NULL for a non-null string-sequence which says “NULL” shows the clear sign of a system where no data can be assumed to hold any integrity.
These bugs and categories of errors should simply not be possible in sane languages or frameworks.
> Apparently, when they didn't have the right data for a vehicle, a privately operated citation processing center used the word NULL in the license plate field for many tickets. Since that just happens to be Droogie's license plate, he got all of them.
So it's 'confusing' the string NULL used incorrectly (kind of, it's fine under the assumption that no one will have the license plate NULL but that assumption is wrong) with the string NULL.
This isn't an issue with the program lacking a valid input. The 'NULL' was hardcoded as a default value by a private processing company. (See the third paragraph in the article.)
Stories like these and the bobby droptables xkcd are the reason I ended up with this plate, https://i.imgur.com/O7KEFrn.jpg It gets a lot of compliments and attention even if most people don't know what "null" is
This reminds me of the bit that mentions that St. Peter has a list of questions he asks people at the Pearly gates. Among them he asks, “Did you have a vanity plate?”
There are ways to properly sanitize inputs these days so NULL becomes "NULL" (string), BUT also tons of systems moved into JSON format assuming it's safe. It is not. JSON is not binary safe and there are tons of Unicode chars that will break JSON. I was once overseeing a system that people would bring down all the time by registering usernames that the app could not properly sanitize, which in return broke the JSON format and halted the whole system. I shouldn't admit it, but using the same chars I myself broke a few YouTube channels when comments and votes were working in JSON format themselves without properly removing unsafe char codes. Good times.
Well, not me. More like a vast number of websites used to, or still do. The assumption was all I need is JSON and it will properly format data during exchange.
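The failure the commenter describes is almost always hand-built JSON, not JSON itself. As an added example (not code from the original post or from any site mentioned), the block below puts the template-string anti-pattern beside the correct approach and runs both over a few constructed hostile usernames; with the default ensure_ascii=True, json.dumps emits pure 7-bit ASCII, so U+2028 and friends cannot break a consumer that inlines the document into a script tag:

```python
import json


def naive_json(username: str) -> str:
    """Constructed anti-pattern: pasting user text into a JSON template."""
    return '{"user": "%s"}' % username


def safe_json(username: str) -> str:
    """json.dumps escapes quotes, backslashes and control characters and, with
    the default ensure_ascii=True, every non-ASCII code point as \\uXXXX."""
    return json.dumps({"user": username})


def parses(doc: str) -> bool:
    """True if a strict JSON parser accepts the document."""
    try:
        json.loads(doc)
        return True
    except ValueError:  # json.JSONDecodeError is a subclass of ValueError
        return False


# constructed usernames that break hand-rolled JSON
HOSTILE = [
    'bob"}',            # closing quote + brace ends the object early
    "bob\\",            # trailing backslash escapes the closing quote
    "line\nbreak",      # raw newline is not allowed inside a JSON string
    "nul\x00byte",      # control character
    "u2028\u2028sep",   # legal raw in JSON, but a line terminator in JS source
]


def survey() -> dict:
    """Compare the two builders on every hostile username."""
    return {
        "naive_ok": [parses(naive_json(u)) for u in HOSTILE],
        "safe_ok": [parses(safe_json(u)) for u in HOSTILE],
        "round_trip": all(json.loads(safe_json(u))["user"] == u for u in HOSTILE),
        "ascii_only": all(safe_json(u).isascii() for u in HOSTILE),
    }


if __name__ == "__main__":
    print(survey())
```

Note that the U+2028 case parses fine even with the naive builder; it only hurts when the raw JSON text is dropped into JavaScript source, which is exactly the case ensure_ascii protects.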
This isn't even a coding error, NULL is apparently valid license plate, and for some reason there is a private processing center typing it in to the government system.
First of all they are accidentally committing fraud (libel?) against this guy. But more importantly, why is there a private processing center? Don't the officers type this in as they fill out the ticket? or even just scan the plates? If there aren't plates on the vehicle it should be towed or booted. What is the point of recording tickets with no plates? Is the processing center paid per ticket recorded?
> This isn't even a coding error, NULL is apparently valid license plate, and for some reason there is a private processing center typing it in to the government system.
I would take that with a grain of salt. The linked article is on a talk-radio site, and was likely intended as a wacky news bite that the hosts breeze through and then make jokes about. I figured the exact technical details of what was causing the problem were lost in translation. More likely that they were leaving the plate blank, and then the backend software was confusing null database fields with the string "NULL".
Brand new cars don't yet have plates. Granted, most states now have dealer-printed labels with an identifier on them, but still, new cars don't immediately have plates when they roll off the lot.
When I lived in West Virginia, recently sold cars did not have temporary tags. It was very common to see hand-scrawled signs "TAF" in the back windows. TAF stood for "Tags Applied For."
I think if you want to blame scripting languages, you need a license plate that says "None" or "undefined".
What happened in this case was that people used the literal value "NULL" to mean "I don't know". They could have used the word "LOLCAT" and the effect would have been the same. Overuse of in-band signalling is a general design flaw not specific to any programming language. (Remember when people would whistle a 2600Hz tone to make free phone calls? Same thing as this.)
If you want to throw darts at someone, I think database systems with three-valued logic would be a better target. This criticism (not for these reasons) has been leveled...
Ignoring the lack of 'NULL' in Python for a moment, this wasn't even an issue with the code lacking an invalid input. If you read the article, you might have realized that.
I read years ago in comp.risks about a similar story. A guy in 1979(!) requested a personalized plate "SAILING", with second choice "BOATING". He didn't want a customized plate if he couldn't get those, so for his third choice he put down "NO PLATE". Of course, he ended up with "NO PLATE". He ended up getting 2500 parking tickets, since cars with no plate had "NO PLATE" written on the ticket.
References: http://www.mekabay.com/overviews/risks/risks03_1986_06-04-19...
https://www.snopes.com/fact-check/licensed-to-bill/
This reminds me about my own name. Everyone always gets it wrong (including people from where I am from). Except the Dutch. They always get it right, every single time!
There was also a meme about a person that wrote on her ID application "note the hat on the 'e'" and of course her name was Sarah Note The Hat On The E on the issued ID.
EDIT: Yes her name was not Sarah and there is no 'e' in Sarah.
I saw a car with that specific plate a year or two ago.
It seemed like it might work like humor in the TSA line.
Fine as long as you have extra time on your hands.
I wonder if it has even been towed/impounded?
> Fine as long as you have extra time on your hands.
And of course, in programmer humour, this translates to "while you're not busy with anything else, issue a fine." :)
Similar thing happened to someone in DC with "NO TAGS"
https://www.nbcwashington.com/investigations/The-20000-Ticke...
I remember a different story where the guy had to fight every ticket in court
On the plus side, he could also contest legitimate tickets unless they recorded other information.
It has happened multiple times.
NULL, NV, XXX, MISSING, NO PLATE
A colleague used an app's "generate secure password" feature to change their ISP's web portal login - which then also became the WAN router's password - which they didn't realise.
It was about a week before the router dropped its connection and needed to re-authenticate - and that's when I was called in to investigate the loss of connectivity - which Windows 10 very unhelpfully reported as the network cable disconnected and was resetting or power-saving on the NIC so the "link active" LED on the switch was going out for about 2 secs every 10 sec. Cue a round of cable and switch swapping to no benefit. The LEDs for all other devices on the switch (running Linux and mostly internal servers) were behaving normally.
I finally backtraced to the router and a useful error message. We put two-and-two together and my colleague called up the auto-saved details in their password manager; it was long, and ALL non-alphanumeric characters - starting with a backtick, which the router would not accept. I tethered my phone to my laptop and tried to login to the Web account portal - which would NOT accept the passphrase. I tried it without the backtick "just in case" - nope.
We had to do a "lost password" reset on the portal, and wait for the email with the link.
Lessons learned:
The ISP's password change page did not seem to validate input, but the login page did.
Avoid backticks in passwords.
Many, many websites will happily accept passwords of $X characters and then hash only $(X-Y) characters on registration, but try to hash all $X characters on login, so of course the hashes don’t match. And at no point do they tell you the maximum number of characters.
I once had a page that prevented pasting, but LastPass's password generator still worked. So I put in a long password using that, but when I clicked to register it came up with a blank error message. Turns out they had a 16 character limit that was only enforced when you typed in the box, so I had to count the number of letters they allowed me to type and then let LastPass generate a password of that length. Infuriating.
Square Enix's account management on the PS4 allowed me to set a password with a space on the end, but their website strips spaces from the password field when you sign in.
Fun fact: it's actually really easy to submit a string with a space on the end when entered via a PS4 controller.
Yes, this is terribly annoying, often there is a minimum length but no mention of maximum length. I see this on many, many websites...
Had this issue with Google a few years ago when I tried to set my password to something ludicrously long (think 5000+ characters). It would happily change my password, but I couldn't log in to anything afterwards…
For many years, Schwab ignored any characters after 8 in its password. Discovered that when I knew I flubbed one of the last characters, and it still worked.
I still can't believe a major bank got away with that for so long, apparently unharmed.
I learned this the hard way when I started using a password manager. I had the bright idea to start using 90 character passwords for all my accounts and suddenly I couldn't log into a lot of accounts.
I had something similar happen with (iirc) Spectrum or the power company a couple years ago. Their customer portal let me use a complicated password to sign up, it sent me the confirmation email prompting me to log in, and refused my password for forbidden characters. But then I couldn’t reset my password because I hadn’t verified, and I couldn’t modify the account because I couldn’t log in. I was just trapped in limbo. Customer service said they couldn’t fix it for me. I had to pay my bill by phone until I moved.
Ah yes, this reminds me of my University account. I chose a long password generated with my password manager, which of course contained a character that was both allowed at setup and usage. But because I had to frequently type it in without my password manager (i.e. on a University PC), I wanted to change it. But the change dialog asked for the old password and didn't accept it, due to the forbidden character. I had to go to the support who refused to believe my story and wasn't able to change my password. It took a few weeks to get hold of a person who was allowed to change passwords.
So many home-routers are run with horrid CGI-scripts on the back-end - I'd not be amazed to learn that submitting a form-field with `blah` in it would try to run the command blah (probably via busybox).
If you have time/patience it might be worth exploring.
I've actually rooted an Asus router owned by a relative, this was about 5 years back so it's hopefully fixed now. Noticed some strange behavior after a mistype and tried something like `whoami` (not exactly) and got root back so tried a reverse shell with nc which worked perfectly. Googled it afterwards and found a ton of similar flaws on other home routers. Tried to do some kind of responsible disclosure but never got a reply or saw a fix then I forgot about it.
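The mechanism both comments above describe, a form field that reaches /bin/sh with backticks intact, is worth seeing next to its fix. This is an added, constructed example and not the firmware of any router named on this page; `echo` stands in for whatever command a real CGI handler would run, and the payload is hypothetical. With shell=True the shell performs backtick substitution inside the double-quoted string; with an argv list and shell=False the field is one argument and nothing in it is interpreted:

```python
import subprocess


def set_password_unsafe(password: str) -> str:
    """Constructed stand-in for a CGI handler that interpolates a form field
    into a shell command line. /bin/sh still applies backtick and $(...)
    substitution and quote processing to the field."""
    completed = subprocess.run(
        f'echo "setting password to {password}"',
        shell=True, capture_output=True, text=True,
    )
    return completed.stdout.strip()


def set_password_safe(password: str) -> str:
    """Same operation with an argv list: the field is passed to the program
    untouched, so no substitution can happen. (Better still is to not shell
    out at all; if you must, validate the field and still use argv.)"""
    completed = subprocess.run(
        ["echo", f"setting password to {password}"],
        shell=False, capture_output=True, text=True,
    )
    return completed.stdout.strip()


# constructed payload: a backtick-wrapped command, the same character class the
# ISP router further up the thread refused outright
PAYLOAD = "abc`echo INJECTED`xyz"


if __name__ == "__main__":
    print("unsafe:", set_password_unsafe(PAYLOAD))
    print("safe:  ", set_password_safe(PAYLOAD))
```

Rejecting backticks at the input layer, as that router did, is a symptom of the first function; the second one has no reason to care what characters the password contains.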
>Avoid backticks in passwords.
Is there even a reason to include special characters in passwords? They add 10% more security[1] but cause all sorts of issues with systems. Just use an alphanumeric password that's 10% longer, and if special characters are mandatory, use a safe character at the end like _ or -.
[1] 6.55 bits per character (all printable ascii characters) rather than 5.95 (only alphanumeric)
Special characters in passwords were highly recommended when rainbow tables were an effective way to attack password hashes. See this old Coding Horror blogpost for an idea what it was like at the time: https://blog.codinghorror.com/rainbow-hash-cracking/
Salted hashes have made rainbow tables less effective. Password managers have made single-use passwords more tenable.
Not knowing how a system will store my password, I still prefer to include special characters where available. Anecdotally, I tend to see the systems that are most averse to special characters are also strict about character limits, so simply increasing password length is not possible.
> 10% more security (6.55 vs. 5.95 bits per character)
That's not how this works. By your logic having a password consisting of 1,2,3,4 is only twice as secure as having just 1,2.
If passwords are hashed should any character be prohibited at all?
Another way to say this that wouldn't rile so many people up is "In order to achieve the same size search space, you'd have to use ~10% more alphanumeric characters than all of printable ASCII."
Is there a special reason to forbid using native languages unless your native language is English?
bits usually add exponential complexity, so that '10% more' security might mean a password that's a million times harder to brute force..
Based on your numbers they add 10% entropy per character. Which compounds into an increase of 210% over a length of 12 characters. Thus you'd need the password to be at least 3 times longer with only alphanumeric characters to have the same entropy.
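The disagreement in the replies above (is it "10% more security", or "a million times harder"?) is a units problem: per-character entropy adds linearly with length, so the search space multiplies. The block below is an added example, not from any commenter, that carries the thread's own figures (94 printable ASCII characters excluding space versus 62 alphanumerics) through both readings, so you can see the ~10% longer-password equivalence and the exponential guess-count ratio at equal length side by side:

```python
import math

PRINTABLE_ASCII = 94  # the thread's figure: printable ASCII without the space
ALNUM = 62            # [A-Za-z0-9]


def bits_per_char(alphabet_size: int) -> float:
    """Entropy of one uniformly random character drawn from the alphabet."""
    return math.log2(alphabet_size)


def total_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: bits add with length."""
    return length * bits_per_char(alphabet_size)


def equivalent_length(length: int, from_alphabet: int, to_alphabet: int) -> int:
    """Smallest length in the target alphabet whose search space is at least
    as large as `length` characters of the source alphabet."""
    return math.ceil(total_bits(length, from_alphabet) / bits_per_char(to_alphabet))


def search_space_ratio(length: int, big_alphabet: int, small_alphabet: int) -> float:
    """How many times more guesses an exhaustive attacker needs against the
    larger alphabet when both passwords have the same length."""
    return 2 ** (total_bits(length, big_alphabet) - total_bits(length, small_alphabet))


def table(lengths=(8, 12, 16, 20)) -> dict:
    """Both readings of the same numbers, for a few common lengths."""
    return {
        n: {
            "bits_printable": round(total_bits(n, PRINTABLE_ASCII), 1),
            "bits_alnum": round(total_bits(n, ALNUM), 1),
            "alnum_len_for_parity": equivalent_length(n, PRINTABLE_ASCII, ALNUM),
            "guess_ratio_same_len": round(search_space_ratio(n, PRINTABLE_ASCII, ALNUM), 1),
        }
        for n in lengths
    }


if __name__ == "__main__":
    for n, row in table().items():
        print(n, row)
```

Both camps are right about their own quantity: an alphanumeric password needs roughly 1.1x the characters for parity, and at a fixed 12 characters the symbol-bearing password has about 148x the search space. This assumes characters chosen uniformly at random, which a password manager does and a human does not.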
I went to change my password on a forum site that I had not used in a few years. My old password was really weak - think "abc123" or something similar.
I logged in and then attempted to change my password to my new standard of 20+ character upper/lower/symbol. The problem was, they'd upgraded their forum software, and there was a bug that added password strength validation to the "old" password field.
So I was putting in:
Old: abc123 New: sZp10VzIoZI9g143
And was getting the error message "error: your password must be 8+ characters long". After about 10 minutes of frustration and realising they had both client and server validation I went down a similar route as you and used forgot-password even though I knew the password.
Oh yeah, I've run into a lot of similar problems with even very well tested applications. The password reset field would accept inputs not valid at login time. I mostly ran into this when generating random passwords 100 characters in length from LastPass.
At one point GitHub even reduced their max password input to a sane amount, and I couldn't log in anymore with my existing insane password length a few years ago.
In most cases they fix the case when I report it, but my bank is terrible.
Similarly, my Belgian ISP (Telenet) has WiFi home gateways that are configured by their web portal, and config is pushed by the ISP.
I figured out that they only did validation on SSIDs client-side, so I managed to get around that to put emojis in my SSID.
Which then proceeded to soft-brick the entire thing on config push. I'd have to log in to the web portal via another connection, change the SSID there, and then reset the hardware with the reset button to get internet working again.
The stereo in my 2013 GTI crashed hilariously if you tried to pair a Bluetooth device with anything in the name outside of [a-zA-Z0-9]. I wish I'd messed around with it some more before I sold it (it was a silly car to own for how little I drive)
Oooh this reminds me, I am trying to learn a language that of course has ‘non-standard’ characters, and not even anything particularly exciting - Ä, Ö and the like. I thought it’d be cool to help memorise words (and be super secure) by changing frequently used passwords to phrases that contained these words... ...Caused me some trouble.
> avoid backticks in passwords
I learned that lesson a different way: When I had a Windows phone my email password had a backtick, and the only way to enter it on the phone was to long-press the apostrophe, pick backtick from the three or four apostrophe variants that appeared, and pray I didn't fat-finger it and enter the wrong character. In general, there are just some second class citizen characters you should always avoid, because you never know how hard they're going to be to enter when you're on a phone or a kiosk or whatever. (Tilde, I'm looking at you, too.)
There are regional keyboard layouts lacking backtick completely. (I would have to use alt+96 or switch keyboard from my default (and only) Czech QWERTZ layout to type `, if I hadn't more convenient AutoHotkey shortcut in effect.)
The Indian version of the personal retirement fund NPA website does this; I learnt a lesson. Every few weeks you have to change your password. No big deal, I will just add an incremental number. OK, the password now is PasswordPass1. Let's log in. Wrong password? Why? Error: password length exceeded.
So, the password change page will accept a password of any length, will silently truncate it if longer, and save it. Now on the login page you have to guess the password length or reset.
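Several comments in this subthread (the "hash only $(X-Y) characters on registration" one, the Schwab eight-character story, and the NPA site just above) describe the same defect: the set-password path and the login path normalise the input differently. Below is an added, constructed example, not any of those sites' code, with an 8-character limit chosen to mirror the stories. The buggy pair truncates before hashing on one side only, so the user's real password fails and any string sharing the first eight characters succeeds; the fixed pair routes both sides through one normalisation and turns the hidden limit into a visible error (in practice the limit should be far higher, or absent; the point is that whatever limit exists is applied identically on both paths):

```python
import hashlib
import hmac
import os

MAX_LEN = 8          # constructed limit, mirroring the 8-character stories above
ITERATIONS = 50_000  # PBKDF2 work factor; kept modest so the demo runs quickly


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


# buggy pair: the two code paths normalise the password differently

def register_buggy(password: str) -> tuple:
    """Change/registration page: silently truncates, then hashes."""
    salt = os.urandom(16)
    return salt, _pbkdf2(password[:MAX_LEN], salt)


def login_buggy(password: str, record: tuple) -> bool:
    """Login page: hashes whatever was typed, untruncated."""
    salt, digest = record
    return hmac.compare_digest(_pbkdf2(password, salt), digest)


# fixed pair: one shared normalisation, and the limit is reported, not hidden

def normalise(password: str) -> str:
    """Single place where length policy lives; both paths call it."""
    if len(password) > MAX_LEN:
        raise ValueError(f"password longer than {MAX_LEN} characters")
    return password


def register_fixed(password: str) -> tuple:
    salt = os.urandom(16)
    return salt, _pbkdf2(normalise(password), salt)


def login_fixed(password: str, record: tuple) -> bool:
    salt, digest = record
    try:
        candidate = normalise(password)
    except ValueError:
        return False  # over-long input can never match a stored hash
    return hmac.compare_digest(_pbkdf2(candidate, salt), digest)


if __name__ == "__main__":
    rec = register_buggy("PasswordPass1")
    print("buggy, real password:", login_buggy("PasswordPass1", rec))   # False
    print("buggy, first 8 chars:", login_buggy("Password", rec))        # True
```

The second print line is the Schwab observation from the other direction: once one side truncates, anyone who knows the first eight characters is in, whether or not the other side truncates too.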
This is one reason why I stick to alphabet (+case) in my passwords, when I can make them long.
I had the exact same issues with some passwords which were accepted when creating them, then not accepted anymore when used to log in.
This plus emails such as a@example.com or hjghgfggv@example.someweirdtld show how much sites are broken because of some philosophical ideas of developers.
I once had the bright idea to use a backslash as a one character password for my girlfriends computer, thinking it would provide amazing convenience – a single character, just above the enter key. Turns out this doesn't work very well, even on a Mac, which you would think would have gone through fairly robust testing.
Once upon a time, I went through my logins and tried to change them to strings with weird characters. I ended up with a password of on an internal school site and couldn't change it to anything else, since the "change password" site somehow rejected it.
I had a similar issue when my bank introduced a new banking app. The web login page has different requirements for the password than the app. I.e. on either I can set my password to something that the other will not accept.
I had a backtick in one of my passwords very long ago. When I first got my iPhone I couldn't figure out how to type that backtick until I realized one needs to press and hold the apostrophe.
When I was a foolhardy college student I figured out that if the cited vehicle make on my city parking ticket didn’t match my registration, I could appeal the ticket via a web form very easily and succeed every time.
Naturally I removed the badges from my car and put on different badges from another manufacturer. After a while they started to cite me as “other” and the trick no longer worked.
All we had to do was register our cars in each others names. When I was married, my car was registered to her and vice versa. The redlight/photoradar laws in my state required that the company operating the devices had to match the pic of the driver violating the law, to the pic of the registered owner via the license plate. If they couldn't match them, no ticket was issued as you can't prove who was driving. That's probably changed now that a lot of DMV's are doing facial scans with datapoints. They probably just scan the whole DMV DB now to find the driver. Wear a mask.
Where i am from the ticket is issued to the vehicle owner, doesn't matter who was driving. On the plus side it means that you can get a photoradar ticket for driving 300km/h and not lose your licence, just pay the fine.
P.S. If the driver must be recognized does it mean that motorcyclists are exempt from photoradar fines?
In the UK we fixed this by making it a legal requirement for the owner of the car to identify the driver (obviously unless there's a valid reason you can't, such as it being stolen).
Two MPs have actually been caught out by this law, convicted of perverting the course of justice and sent to prison:
- https://en.wikipedia.org/wiki/Fiona_Onasanya
- https://en.wikipedia.org/wiki/Chris_Huhne
Or get a right-hand drive car:
https://www.dailymail.co.uk/news/article-1081607/Speeding-pu...
Or just don't speed.
Here I think you are asked to directly wire transfer the penalty amount or you can challenge the ticket, then you will be heard as a witness for who drove the car. If you refuse to tell that or don't know, the judge can order you to keep a log of all journeys of your car that can be inspected for finding the culprit of a future offense.
Here in AZ, they'll lookup and assume the spouse. Of course, they're also required to serve the ticket in person.
Or use Juggalo face paint.
So, you were just running red lights, and you think this is a hack worth bragging about?
I knew a kid in college who would get a ticket, and then look around the parking lot for another Black Nissan Maxima. Most people don't actually look at the plate number, just the make model. I think he got one ticket paid this way ... guy was kinda an asshole.
I've had a friend do the reverse: parking in illegal spot, and borrowing a ticket from another car that already received one. Upon return some hours later, he returned the ticket to the correct windshield.
Quite brazen, and frankly a bit of an asshole thing to do.
Someone tried that on me on campus but I noticed. I wasn’t supposed to be parked there either and was skating by on a technicality that worked as long as no one looked too closely into it. Otherwise I’d have called security and made his life uncomfortable for awhile. As far as I’m concerned, it’s fraud.
I really enjoyed my parkingservices@ email address at my university. Took them many years to catch up and take that alias away.
Relevant xkcd comic https://xkcd.com/1105/
In the Starcraft 2 community it is called barcoding. Basically, I 1 | l are all accepted characters for a name and I think some do look actually identical on most fonts used in the game. So yeah, one person doing that you call "barcode", 2 persons doing that, you already have deniability. Be more than 10, and that's a crowd.
I actually saw a car with a license plate like this last week. Some combination of I's and 1's. White Ford Mustang driving around Santa Clara.
Saw a similar one on the road in front of me with a combination of N's, M's and I think a W ... man it was impossible to get straight while moving.
Bobby tables we call him
I own a rare collector car with a three-digit VIN. This has caused endless hassles at the DMV as well as the insurance office. Sometimes we find success by prepending the necessary number of zeros before the VIN. Other instances in the same system require appending zeros after the VIN. The true VIN has a hyphen but that never makes it into the DMV's system. One time I got stuck in a particularly nasty loop where the DMV mailed over thirty notices claiming the registration would expire on 01/01/0000.
I had a car, a 1971 Toyota Landcruiser FJ55, that technically had a tilde (~) in the VIN. It was in the format: FJ55~123456. When I bought it, the title had the VIN as FJ550123456. I just accepted and ignored it for a while, but when I decided to sell the car, given that most of my potential buyers were out of state (and in most states, out of state purchases require a VIN inspection) I tried to get it fixed. After six months of working with the motor vehicles department here, getting an inspection by state police, and everything else, I found out that their software couldn’t handle any non-alphanumeric characters. In the end they decided to change the title to FJ55123456 so it skipped the tilde but didn’t replace it with a character that didn’t exist on the vehicle.
>I own a rare collector car with a three-digit VIN. This has caused endless hassles at the DMV as well as the insurance office.
I have a similar problem with my own identity. I was born in Canada's smallest province, PEI, and now live in its largest, Ontario. Some Ontario government software seems to have problems recognizing the relatively low numbers on PEI birth certificates.
Which numbers?
Hmm, is this just because it is so few digits? I've had plenty of classic cars that have commission numbers with between six and twelve digits instead of VINs, and haven't ever had any issue with the DMV here in MA.
I used to work for ClassicCars.com ... there's a LOT of variation to VINs before 1980, they standardized in the early-mid 70's, used to know the specific year.
Is it possible to register it as a "custom" with a completely new (and more friendly to the systems) VIN?
What car is it?
It must be a car manufactured before VIN standardization in 1981, at the very least.
Tangentially related somewhat-common bug: YAML files will interpret the literal 'no' as boolean false if it's not quoted, instead of as a string.
Many developers have wondered why, when they stuck country-specific configurations in a YAML file, that things suddenly stopped working when they expanded support for Norway.
I always felt Yaml is far too complicated of a format for storing hierarchical data. JSON is too simple (no comments; hard to store multi-line strings).
HCL, the hierarchical data storage language used by Terraform, is the closest thing I’ve seen to a happy medium between JSON and Yaml.
Another option, if the string values are not multi-line, is CommentJSON (use the Python module or write 10 lines of code that strips out comments from JSON if using another language).
Both a bare > and a sequence of 3 quotes are invalid in JSON, so it should be really simple to add multi-line strings in either Python or Perl style.
YAML has tons of warts like this.
https://yaml.org/type/bool.html
This should be used in schools as an example to illustrate how not to do things.
Also as an example of "always deserialize to known types". Flexible boolean values can be convenient since it's relatively human-readable, but "deserialize into [whatever the heck you think is appropriate]" is a problem for quite a few reasons beyond confusion: https://lgtm.com/blog/swagger_snakeyaml_CVE-2017-1000207_CVE... (same techniques have been used against other kinds of serialization in many languages for many years)
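Added example, not posted by any commenter here: a small Python script that makes the two points above concrete, the Norway problem (an unquoted `no` is a YAML 1.1 boolean, and an unquoted `NULL` is a YAML 1.1 null) and "always deserialize to known types". It uses no YAML library; the `parse_flat_mapping` mini-parser and the `COUNTRY_CONFIG` sample are constructed for this example and only handle a flat `key: value` mapping, which is enough to show the implicit typing rules from yaml.org.

```python
import re

# YAML 1.1 implicit typing, as listed at https://yaml.org/type/bool.html and
# https://yaml.org/type/null.html: these unquoted scalars are not strings.
BOOL_TRUE = {"y", "Y", "yes", "Yes", "YES", "true", "True", "TRUE", "on", "On", "ON"}
BOOL_FALSE = {"n", "N", "no", "No", "NO", "false", "False", "FALSE", "off", "Off", "OFF"}
NULLS = {"", "~", "null", "Null", "NULL"}


def resolve_scalar(raw):
    """Resolve one scalar the way a YAML 1.1 loader would (quoted => always str)."""
    s = raw.strip()
    if len(s) >= 2 and s[0] == s[-1] and s[0] in "\"'":
        return s[1:-1]
    if s in BOOL_TRUE:
        return True
    if s in BOOL_FALSE:
        return False
    if s in NULLS:
        return None
    if re.fullmatch(r"[-+]?[0-9]+", s):
        return int(s)
    return s


def parse_flat_mapping(text):
    """Mini parser for a flat 'key: value' mapping (constructed for this example;
    not a YAML implementation, just enough to show the resolution rules)."""
    mapping = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key, _, value = line.partition(":")
        mapping[key.strip()] = resolve_scalar(value)
    return mapping


def find_implicit_non_strings(text):
    """Lint check: which keys would silently come back as something other than str?"""
    return [(k, v) for k, v in parse_flat_mapping(text).items() if not isinstance(v, str)]


def require_str(mapping, key):
    """Deserialize to a known type: refuse a value the loader retyped behind our back."""
    value = mapping[key]
    if not isinstance(value, str):
        raise TypeError(f"{key!r}: expected str, got {type(value).__name__} ({value!r})")
    return value


# Constructed sample config: country codes plus a plate field, unquoted the way
# people usually write them.
COUNTRY_CONFIG = """\
# country -> code
sweden: se
norway: no
poland: pl
plate: NULL
norway_quoted: 'no'
"""

if __name__ == "__main__":
    cfg = parse_flat_mapping(COUNTRY_CONFIG)
    print(cfg)
    print(find_implicit_non_strings(COUNTRY_CONFIG))
```

Running the lint over the sample reports `norway` (resolved to `False`) and `plate` (resolved to `None`); `require_str` then raises on those keys instead of letting a boolean or a null flow into code that expects a string, which is the failure the Norway story describes.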
Every feature is a source of bugs. Be careful when constructing end user affordances for systems that have broad applicability and need to run over a very long time span.
I am one of those developers.
Afterwards I just try to avoid yaml if I can. While it looks cleaner than json, I don’t find it especially easy to read and there is unnecessary ambiguity due to unquoted strings. And it seems to have a thing against Norway ;)
I don't have a problem with yes/no per se, I just don't like that it also takes true/false
It’s not only that. YAML also interprets on / off as boolean.
I don't have a problem with any of those representations, and also no problem with all of them at the same time.
But not only the value representation keeps the types ambiguous, also there is no off-channel place to disambiguate the types, and no value-independent rules for deciding on the types. If any of those was different, there wouldn't be a problem.
I remember a story when Microsoft translated some ancient version of Internet Explorer for Mac, there was a menu where you could select TLDs (I can't remember what for) and the .no domain ended up getting translated as the word
Reminds me of the story of Ireland's worst Polish driver who never got caught: http://news.bbc.co.uk/2/hi/uk_news/northern_ireland/7899171....
I've also heard a similar story of a Finnish man who got a ticket in the UK, and on closer inspection found his name on the ticket listed as Mr. Ajokortti Körkort. That's "driver's licence", first in Finnish, then Swedish, and is written at the top of the driver's license card.
That said, I find these stories a little hard to credit, since you'd expect police officers in the EU to be fairly familiar with the standard EU driver's license layout.
You’d expect officers in the US to be familiar with US states and territories, but that doesn’t stop them from occasionally demanding a passport from people from New Mexico, or saying a license is fake because there’s no such state as “District of Columbia.”
I've been at some tournaments where a couple of the kids had the last name "Bye". They picked up a fair number of forfeits during the season.
> you'd expect police officers in the EU to be fairly familiar with the standard EU driver's license layout
The common design for all the EEA countries was supposed to be implemented by the members by the start of 2013 according to Wikipedia.
Until 2033 there will be valid licenses that were issued before the common license, so there's still a lot of different designs out there.
I once had a BevMo cashier in California ask me, “Massachusetts? Is that in Canada?”
Very little faith left.
Irish driving licences didn't start to use the standard credit-card-sized EU format until a few years ago. They were paper booklets which had long since been phased out in the rest of Europe.
Annyong!
They rank their Polish drivers?
I have a family member whose license plate started with "&". The DMV accepts it, plates were ordered online fine, but police systems can't handle it apparently, to my family member's ultimate discomfort. I commonly joke it probably gets the individual out of automated tickets for speeding and red lights, but when an officer pulls them over we sometimes need to explain that the "&" is dropped in the system (or so we've been told), and that seems to clear up issues.
In Washington State, you can register period-correct plates for your car. The problem is that you can't register the actual digits that are printed on the plate. The cops and cameras can't pull up your information, and you get stopped and questioned all the time. Explaining how the plates work to the Police gets pretty tiring.
Any word on whether the plate without the preceding '&' is in circulation? I'd be curious if your records in the police systems would be merged with the records of the owner of that plate.
The rules for California are that the special symbols (which don't include &) are non-significant. Everything but the plate itself ignores them. Washington doesn't have special symbols, but does have an optional dash, which is also not significant.
I sometimes see California tags with a heart character in them. Does anyone know if those are considered part of the number, or are they just ignored as decoration?
They're a special vanity style plate in CA. They probably just are ignored/not entered when searching. https://www.dmv.ca.gov/portal/dmv/detail/online/elp/elp
I recall the heart and plus symbols are being ignored in the system.
I had a standard 8-digit Indiana TK series truck plate which would get flagged as "unregistered" by the broken ALPR systems in other states.
Looks like you can't have the character '&' on a personalized license plate in WA: https://fortress.wa.gov/dol/extdriveses/NoLogon/_/
That link redirects to the DOL homepage.
Would this be an example of a bug that could have been detected with contract-style testing?
https://martinfowler.com/bliki/ContractTest.html
Well, in their credit, they're the ones whose system won't go down from an XSS payload on a plate.
I love when people double down out of principle, when the only person getting hurt is themselves.
He refuses to change it because he did nothing wrong...sure, but you are also the only one being hurt by it. Is this really the hill to die on?
The DMV made a mistake, they know it, and they aren't fixing it. In this case, the problem is relatively inconsequential but it is an institutional failure. The DMV is a government agency which is, at least in theory, somewhat indirectly accountable to the people. Which means that if they're treating one particular citizen unfairly, one option that citizen has is publicly shaming them. (Another option is to file a lawsuit. That's more work, though.)
As I see it, this person is performing a public service by not budging on this. It's nowhere near on the same level as Rosa Parks not going to the back of the bus, but sometimes we need people to not simply go with the flow because it's the easiest thing to do.
Considering that the DMV in most places already has a lot of shame heaped on it, I doubt this extra spoonful meaningfully moves the needle.
This guy is really just wasting his own time for no actual benefit to anyone. If he genuinely enjoys it, then sure, I guess each to their own, but if not...
But they're only performing a public service if it gets fixed -- which there's no indication in the article is happening.
And frankly, why would it? Different government agencies likely have zero reason to cooperate on it. Especially if, say, the DMV is responsible for the error, but the courts are the ones dealing with the cost.
So unless this guy has a reason to think it will get fixed because of him... he's just wasting his time, no?
Sure he did nothing wrong because it backfired like one of Wile E. Coyote's schemes but the article makes it clear he was hoping to confuse automatic ticketing systems. He was trying to get out of tickets. Sure he didn't break the letter of the law but he tried to break the spirit of the law and it bit him. Some might call that karma, I think he needs a better hobby than standing in line at the DMV which is ultimately what he has taken up. I wonder how long he'll keep going.
AKA he was attempting to commit fraud or rather obstruct justice. I don't particularly feel sorry for him.
But it does actually work! He can never get any tickets. If he does he'll just claim it was a false one.
Yeah he ends up paying all those tickets with his time though. And time is more valuable than money for a lot of people...
Exactly! All he has to do is collect all the notices and deal with them every few months. Not to say there aren't other implications that might be more troublesome :P
It reminds me of the guy who owns nissan.com, who probably blew his life savings on lawyers defending himself from Nissan Motors lawyers for decades.
Nissan treated that man very badly. I never owned a Nissan car, and never would because of this.
His family name was Nissan, and he registered the domain when Nissan still called itself "Datsun" in the U.S.A.
I wonder how much you could sell that to them for if you were really good at negotiating. Maybe as much as $100k?
Die on?
But how - he can challenge the fines in a court of law. Since it's a vanity plate, adding an extra notoriety won't hurt.
On top of that, if anything, forcing the government to fix its bad code (insert snarky ambiguity between software code and legal code) can't be a bad thing. I'd buy the guy a beer.
Figure of speech... I just mean he is making a stand for something not that important but causes him (and only him, really) inconvenience
>he can challenge the fines in a court of law.
If he sees spending time and effort expunging his record every few weeks as worth the trade-off for the 'extra notoriety', then power to him. I wouldn't do that.
Court isn't cheap.
You're paying for it with a lawyer or with your own time
I can imagine something more fun to do with my free time than sitting in court every few weeks...
He can challenge the fines but still has to pay court costs most likely.
Yeah, pick your battles.
Sure, it would be nice if the systems were patched. But maybe he should just get a job at the DMV's IT department instead :)
In the end I would probably rather pay the fines than fix this bug, it's probably a lot of horrible systems barely held together..
> But maybe he should just get a job at the DMVs IT department instead :)
Ew.
There was a similar issue in California where, in the days before on-line choosing of vanity plates, you would give three choices. One guy couldn't come up with a third option so he wrote "NO PLATE" and ended up with that as his plate with similar results. Snopes has the story:
https://www.snopes.com/fact-check/licensed-to-bill/
Earlier this summer I decided that I'd found a loophole and ordered 'N0 TAG' and 'N0NE' (zeros) for my motorcycles. The license plate font doesn't distinguish between 0 and O but the computers seem to account for visually similar characters -- I could not order the same plates with Os after they'd issued.
Haven't caught anyone else's tickets so far. SunPass won't accept 'N0 TAG' being associated with my transponder tho (have not tried 'N0NE' yet).
I did get pulled over on my very first ride with 'N0 TAG' and the first words out of the cop's mouth were 'Is that tag legit?' That may or may not have been a factor in catching a warning instead of a ticket that I absolutely earned.
> The license plate font doesn't distinguish between 0 and O
When the German license plates were redesigned in the mid-1990s, a different font was also incorporated, which was engineered explicitly to thwart similar-shape attacks: https://en.wikipedia.org/wiki/FE-Schrift
Lol. Third vehicle should have N0 L1C
P0L 1CE
Related, for those who missed it the last time it was here on HN, the tales of Christopher Null, who has an unfortunate surname: https://www.wired.com/2015/11/null/ , and Jennifer Null , http://www.bbc.com/future/story/20160325-the-names-that-brea... , likewise.
Much-needed Outline.com of the wired.com article: https://outline.com/WMzjYK
It seems meaningful to me that the wired website works (sort of; the left margin is 1/3 of my screen) with JavaScript disabled, and outline doesn't work at all.
I once had a product owner for a student/university web app who complained that for a particular user, their lastname was displayed as 'None'.
This was a Python project and the product owner apparently already had learned 'None' equals NULL.
I dug into the file which we used to import the users from and discovered the user's lastname actually was 'None'.
Maybe it could be added to the list of falsehoods programmers believe about names: https://shinesolutions.com/2018/01/08/falsehoods-programmers...
Now, was it a case of number 20 and they were required to enter something, or was it actually legally None?
https://www.houseofnames.com/none-family-crest
I think this example falls under falsehood 31, where None would be considered a "bad word" that can't appear in names.
There was a manager i worked with whose last name was "Null". She complained that every few months her account would get wiped from the HR system.
Years ago (in the late 90's or early aughts) when ordering vanity plates online became a thing, I got approved for the plate "127.0.0.1". This was a California or NC plate- can't remember as I lived in both states. I checked the mailbox excitedly every day like Ralphie from A Christmas Story for my uber cool plate. When I finally did get something from the DMV, it was too small to be a license plate and was simply a note that said "Sorry, your requested plate conflicts with a motorcycle plate, so we have to deny your request." Huge bummer, but I guess 127.0.0.1 becomes 127001 in their systems.
Could someone devise a SQL injection attack using a custom-made license plate? I'm imagining someone printing up
on a plate, and driving up and down the highway past automated license-plate readers.
Already done in Poland.
https://reposti.com/i/m/0W.jpg
I have DBA registered in my local county. The DBA name is:
I had a lot of fun at Bank of America when I signed up for my business bank account shortly after registering the name. Not quite a license plate but similarly themed
Ah little Bobby drivers ...
It always makes me so happy to see a "little Bobby tables we call him" reference when data inputs are discussed!!!
I will assume that we are all aware of the Exploits of a Mom, but just in case we have anyone reading this that doesn't already appreciate XKCD: https://www.xkcd.com/327/
; DROP TABLE "COMPANIES";-- LTD
https://beta.companieshouse.gov.uk/company/10542519
With how these systems seem to be written, absolutely.
https://hackaday.com/2014/04/04/sql-injection-fools-speed-tr...
Another picture (which I can't seem to find now) purportedly showed how one of the screens over the highway was displaying just an error message after triggering this exploit.
OMG!
This is funny. I wonder what would happen if you could put a 'NOT ' in front of your plate number... would everyone but you get a ticket?
Nah, because it's not unsanitized SQL at fault, but people writing a literal NULL in the license plate field when there isn't one.
I doubt that. Normal people do not tend to use the word NULL at all.
What this usually is is the result of systems that talk to systems that talk to systems that talk to systems, all in different legacy formats never written to be interchange formats. One system has true SQL NULLs, the next system down the chain only accepts strings for that field, NULL gets written as the most sensible string, and then from that point on all downstream systems can't tell the difference between the original system having had an SQL NULL or having had the string NULL.
Actually, I think it's doubtful the folks at the private processing facility are actually writing 'NULL', but my guess is the DB field is just not set (i.e. left as NULL), and then when the info is read out somewhere it's just printed as the string literal value.
A colleague’s name is “True.” When we ran some reports to generate a check in list for an event - it was converted to either “TRUE” or “1” depending on the script.
I was amused.
Even without sql doing odd things certain strings will just cause problems.
I wonder, what will "DROP *;" license plate do?
I presume this is already on thread but Irish police conducted a manhunt for serial traffic offender "Prawo Jazdy" - till they realised that was "Driving License" in Polish
https://www.telegraph.co.uk/news/worldnews/europe/ireland/47...
I need to change my name to that
Guaranteeing you get chased for hundreds of other people's traffic violation fines?
I recently saw a car with a license plate of B8B88BB8 (or something to that effect) that I am almost certain the owner chose to make it hard to read and transcribe correctly by either humans or computer vision systems.
I was honestly kind of impressed.
I read that someone tried to register a license plate with a random sequence of Os and zeros (e.g. "OO0O00"). Unfortunately, it worked too well because the person doing data entry at the DMV ordered him a plate with all Os. :)
Or all 1's, L's and I's with a license plate frame that "accidentally" covers up the differentiating marks. >:)
PS: Reminds me, I should get one of those LPR T-shirts with license plates all over it.
It doesn't take much to break some of those though.
I have a custom plate that is two common words, on a California 60s vintage plate (black plate with yellow lettering) and most parking garages that check and print your plate on the ticket always butcher it. Instead of (replaced for privacy) "FOO BAR" it will say "8A2M31W" or some garbage.
I'm surprised more places don't do what Nintendo did with course ids in Super Mario Maker 2. They intentionally removed some characters that are visually similar to avoid confusion when writing out codes.
base32? "an alphabet of A–Z, followed by 2–7. 0 and 1 are skipped due to their similarity with the letters O and I (thus "2" actually has a decimal value of 26)." https://en.wikipedia.org/wiki/Base32
This thought had come to me a few years ago and I've always wanted to try it. Never got around to it, though.
- 1Iil
- B8
- 0Oo
Examples:
- i1lIil1I
- 8BBil8I1
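Added example, not from any commenter: the registry-side check that the comment about 'N0 TAG' above suggests California already runs ("the computers seem to account for visually similar characters"), written in Python. It folds the look-alike glyph classes named in this thread (0/O/o, 1/I/i/l, B/8) to one canonical form so a request that would read the same as an already-issued plate, or that is built only of look-alikes, is refused at issuance rather than discovered later by a clerk or a camera. `CONFUSABLE_CLASSES` and the `ISSUED` list are constructed for the example; a real registry would tune the classes to its plate font.

```python
# Glyph classes that are hard to tell apart on a plate: the ones named in this
# thread. Constructed list; a real registry would tune it to its font.
CONFUSABLE_CLASSES = ("0Oo", "1Iil", "8B")
CANON = {ch: cls[0] for cls in CONFUSABLE_CLASSES for ch in cls}


def canonical(plate):
    """Fold a plate string to a form in which look-alike glyphs compare equal.
    Spaces, dashes and decorations (hearts and the like) are dropped, as the
    thread says California and Washington treat them as non-significant."""
    return "".join(CANON.get(ch, ch.upper()) for ch in plate if ch.isalnum())


def conflicts(requested, issued):
    """Issued plates that would read the same as the request to a camera or a clerk."""
    key = canonical(requested)
    return sorted(p for p in issued if canonical(p) == key)


def all_confusable(plate):
    """Flag plates built entirely from look-alike glyphs (the B8B88BB8 case above)."""
    chars = [ch for ch in plate if ch.isalnum()]
    return bool(chars) and all(ch in CANON for ch in chars)


def review_request(requested, issued):
    """Registry check: reject a request that collides with an issued plate or that
    consists only of confusable glyphs. Returns (accepted, reason)."""
    hits = conflicts(requested, issued)
    if hits:
        return False, f"reads like issued plate(s) {hits}"
    if all_confusable(requested):
        return False, "every character is a look-alike glyph"
    return True, "ok"


# Constructed register of already-issued plates.
ISSUED = ["NONE", "7ABC123", "NO TAGS"]

if __name__ == "__main__":
    for request in ("N0NE", "N0 TAG", "OO0O00", "B8B88BB8"):
        print(request, "->", canonical(request), review_request(request, ISSUED))
```

With this check, 'N0NE' is refused because 'NONE' is already out, which matches what the commenter saw, while 'N0 TAG' is accepted because 'NO TAGS' folds to a different key.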
Most states don't use lowercase, but otherwise a solid plan
Relevant xkcd: https://xkcd.com/1105/
"Droogie contacted the DMV who told him to change his plate. He refused because he didn't do anything wrong. While they wiped the fines off his record, unfortunately for him, they didn't fix the problem in the system so once again, Droogie has accrued another $6,000 in tickets"
So wait, after he knew this was the outcome from using this plate he just decided 'nope, the DMV will definitely rectify this error'? Maybe he has a much higher tolerance for dealing with the DMV than I do, but surely there are far more productive ways to spend your time than constantly battling against invalid tickets. Additionally, I would be concerned about not being able to waive some of these tickets at some point and actually having to pay them; $6k isn't exactly an insignificant amount and could also really impact insurance rates.
It's a matter of principle though. Droogie hasn't done anything wrong, and is receiving fines due to errors made by the DMV.
You're right that when faced with a choice between acting on principle vs acting pragmatically/for one's own benefit/convenience/need, people often don't have the luxury of (or patience for) choosing the former. But it's nice to see when someone does.
> Droogie hasn't done anything wrong
That's arguable, actually. The article states, but doesn't provide evidence, that Droogie "hoped it might confuse automatic license plate readers or the DMV's ticketing system".
If this was done in an attempt to evade enforcement of existing laws, then sorry: that's a crime, folks. You aren't allowed to pen test live systems!
TBH it's a very silly principle to fight for: "I DEMAND YOU HAVE NO BUGS!" And the DMV could just as well argue "Sorry, the bug is that we never should have accepted your NULL plate application in the first place, so we'll send you a non-vanity plate".
If it got to that point, I’m sure some tech savvy lawyer would have fun with these cases.
This post has way too much traction to flag now but I wish we didn’t have sites like this that take a bit of admittedly interesting content from elsewhere and repost it with an infinite scroll of spammy ads.
Seems to be a clever technique here too, ending the article with what seems like a non-ending, so the user will keep scrolling.
If I remembered where the original content was I’d post it, or had a desktop/laptop browser to search with right now, I’d post a link, but I don’t. I just remember having read a much better article about this in the past.
Stan, are you in here?
My buddy Stan registered for null@verizon.com back in the early 2000s so you could link sms to email delivery. Wound up with so. many. text messages. Reminders to take medicine, personal convos, sports results, everything.
Was great fun to read while waiting for class.
Similarly I used to wonder how awful it would have been to own example.com ... until I found out it was an IANA special-use domain.
But someone still owns test.com, and I can't imagine what that mail server goes through.
Not unlike whoever gets all the email at foo@bar.com
Source article: https://mashable.com/article/dmv-vanity-license-plate-def-co...
Similarly don't get 'none', 'no plate', or 'na' :-)
It would be cool if you could do punctuation so you could get "'; drop table;" alas little Bobby Droptables will likely never get that plate. :-)
I did see a plate "I<heart>0X45" which was a cute nerd joke, I expect that would be more difficult to get these days.
I recently bought a *.ninja domain name and started using it for my personal email address. Probably 20% of the time, when I try to sign up for a service it gets rejected by web forms that have been hardcoded to check for traditional top-level domains.
Oh you think that's bad? My email address ends in that most exotic of domains, .net
I find websites that won't accept it because they think it's an invalid address all the time. I have no idea what logic they're using, would love to find out.
Interesting. I have a country top-level domain email and never had problems.
If I recall correctly, this comes up a lot with null.com too with respect to emails, etc. I think there was even an HN post about all the null@null.com emails collected by someone.
Let's talk about one specific thing from the article:
>Things started to go awry when he first registered the tags. He tried typing in his license plate but the DMV website wouldn't accept it.
Let's talk about the fact that the DMV website wouldn't accept it. Do you think this is all right behavior on the part of the DMV website?
It's really interesting because if you're coding up the DMV web site, it makes sense to disallow NULL just as a preventative measure, like not allowing '-- in a query (to prevent SQL injection attacks).
I would generally think that on the whole you should accept -- as a substring in a password. But is it wrong programming if you don't allow that substring?
Disallowing it could cause someone's chosen password to fail, so they have to change it for you to accept the password they want, but if you know for sure that you use sql as part of processing passwords you might well decide that it is acceptable to make people have to try a new password before you'll accept theirs, in case you are not confident that you are escaping everything correctly.
So from my end it seems okay to do something like disallow NULL.
If you consider the choice of the programmer on DMV's web site, what do you think about their choice to reject this input, even though in fact it turned out to be legitimate? Is it acceptable programming practice?
I don't believe this is acceptable. By any modern sane best practice, the word NULL in a string from a web form (where your input is basically by definition a string) is a string like any other.
Blocking -- in a string does not prevent SQL injection attacks. Using proper parameterised queries does. This might sound mildly hostile but "you are not confident that you are escaping everything correctly" - when this is a well defined and solved problem - means you should not be building this application as you're too incompetent to. For the millions of taxpayer money wasted on this kind of thing, it is absurd.
Blacklisting keywords used in XSS is also completely futile, pointless, useless, and does nothing but piss off users that can no longer use anything containing the word log or window or whatever.
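Added example, not from any commenter, putting the two positions above side by side in Python with the standard-library `sqlite3` driver: a substring blocklist of the kind the earlier comment proposed (it refuses 'NULL' and any vanity plate containing 'DROP'), a hand-built statement that breaks on an ordinary apostrophe, and the parameterised form that stores the thread's own 'NULL' and the Companies House string as plain data. The `BLOCKLIST`, the `SAMPLES` list and the owner names are constructed for the example.

```python
import sqlite3

# The "preventative measure" discussed above: refuse input with SQL-looking substrings.
BLOCKLIST = ("--", "NULL", "DROP")


def blocklist_rejects(value):
    """True if the blocklist would refuse this plate string."""
    upper = value.upper()
    return any(token in upper for token in BLOCKLIST)


def new_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE plate (plate TEXT PRIMARY KEY, owner TEXT)")
    return con


def insert_concatenated(con, plate, owner):
    """Deliberately fragile: SQL built by string formatting. Shown only because it
    fails on ordinary input; escaping by hand is the mistake the post warns about."""
    con.execute(f"INSERT INTO plate VALUES ('{plate}', '{owner}')")


def insert_param(con, plate, owner):
    """Parameterised statement: values travel separately from the SQL text, so no
    plate string can change the statement, whatever it contains."""
    con.execute("INSERT INTO plate VALUES (?, ?)", (plate, owner))


def owner_of(con, plate):
    row = con.execute("SELECT owner FROM plate WHERE plate = ?", (plate,)).fetchone()
    return row[0] if row else None


# Constructed sample inputs: two strings quoted in this thread plus an owner name
# with an apostrophe (a perfectly legitimate input).
SAMPLES = [
    ("NULL", "Droogie"),
    ('; DROP TABLE "COMPANIES";-- LTD', "Example Ltd"),
    ("7ABC123", "O'Neil"),
]


def demo():
    """Returns (plates the blocklist rejects, whether concatenation survived all rows,
    owners found by parameterised lookup, whether the table still exists)."""
    rejected = [p for p, _ in SAMPLES if blocklist_rejects(p)]

    con = new_db()
    concat_ok = True
    try:
        for plate, owner in SAMPLES:
            insert_concatenated(con, plate, owner)
    except sqlite3.OperationalError:
        concat_ok = False  # the apostrophe in O'Neil breaks the hand-built statement

    con = new_db()
    for plate, owner in SAMPLES:
        insert_param(con, plate, owner)
    found = {p: owner_of(con, p) for p, _ in SAMPLES}
    tables = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    return rejected, concat_ok, found, "plate" in tables


if __name__ == "__main__":
    print(demo())
```

The blocklist rejects two of the three sample plates and would also refuse something as innocent as 'DROPTOP', while the parameterised path stores and finds all three and leaves the table intact; that is the asymmetry the post is pointing at.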
Bobby Tables started school in 2007, so he'd be around 17 today, seems about right.
That's a bit curious though. If the code relies on a magic value, you'd think it's in order to skip trying to get data it doesn't have, like the address of the unidentifiable cars.
Even if NULL then does have this address attached, why does it take the branch where it looks for the data?
I suppose it would be in a relational DB, perhaps there's a join that drops missing entries, but if they aren't missing they show up?
The code doesn't rely on a magic value, the humans have decided that an empty value will be typed, by hand, into their terminals as the characters "NULL".
The problem is that the employees with access to the system are required to enter a 'valid' value. But in some cases there is no value. So the 'valid' value they've come up with is the string "NULL" - they can't use "~~NULL~~" because ~ isn't allowed on a license plate. So because A) anyone can request a valid value on a plate, and B) nonce values must also be "valid" within the system, the tax payer is capable of ordering a nonce value on a plate.
>the humans have decided that an empty value will be typed, by hand, into their terminals as the characters "NULL"
Almost certainly because of software constraints, like the form not allowing the plate number field to be blank.
They're likely different organizations. The one that entered 'NULL' license plates was a "privately operated citation processing center" so they presumably weren't in charge of looking up the addresses for each license plate. If they were it would be rather pointless to save the 'NULL' value in the first place.
I bricked my profile page on Zomato. There is (was) a feature where you can choose a custom URL for your profile page; I chose something which already was a valid URL for them. Now when I click on "my profile", it goes to "https://www.zomato.com/genjs". I can't edit anything in my profile now.
Seems like a brilliant idea to me, hopefully it forces them to fix their shitty software. I would chip in to crowdfund this guy's battle for sure.
Danny White, a resident of Washington, DC, had a similar problem: his vanity license plate read "NO TAGS", which happens to be what police there put down in the license plate slot for missing plates.
https://www.google.com/search?client=firefox-b-d&q=danny+whi...
This kind of thing makes me question how tightly we couple (or fail to couple) the "code of Law" to the "code of Computers".
The same issue is seen on social networks that identify users by their usernames: - before it was suspended, twitter.com/null had just 2 tweets, but over 70K followers: http://archive.is/Dt6af.
I have a friend who told me his story enrolling in his university. He's a German national who grew up in Spain. I'm going to call him Andres Schmidt, as the actual name is not relevant.
In Spain, people normally have two surnames, one from the mother and one from the father (no, it doesn't exponentially grow with generations :D). He had issues enrolling in uni, as the system required two surnames so he ended up with "Andres Schmidt Schmidt". He had issues down the road as well, having to explain himself every time he needed to register for something. I think the student id was also a hash which included the name and he hadn't been consistent with his "full" name in all systems.
See also, the person who had the personalized license plate "NO PLATE" (and similar).
https://www.snopes.com/fact-check/licensed-to-bill/
Moral of the story: Test at your own risk!
At least his story brings to light the poor quality of software the DMV is using.
I'm curious about the other, unintended consequences of naming things null in other web applications; maybe it's time to explore ...
The interesting question this article poses is whether there's a system in place for the government to revoke vanity plates it's already approved. Can they force him to change the plate?
Ontario Canada has an anesthesiologist with a “FENTANYL” license plate.
Was funny in 1995, not so much now.
So he went to the DMV and asked them to change it, and they wanted to charge him to do that.
He’s like, no, I’m not paying.
Eventually he writes a letter to his politician saying “please revoke my license plate” and eventually he gets a letter saying they got a complaint (ie: his) and the DMV wants to revoke his plate.
But he had to wait 30 days for the appeal clock to run out, just in case he wanted to appeal his own complaint.
Kinda funny, but kinda sad that someone paid $400k+ per year by the government wasted thousands more because he didn’t want to pay the $100 plate change fee.
* some details/numbers estimated from memory.
Yes, of course they can revoke vanity plates. For example, the story (2002-2004) of the Washington software engineer who spent a couple of years fighting to keep his "GOTMILF" license plate and ended up having it canceled.
Ref: http://www.thesmokinggun.com/documents/crime/end-road-gotmil...
They usually can, and various states have before.
My favorite such revocation: https://jalopnik.com/virginia-dmv-revokes-worlds-greatest-li... (Virginia's "EATTHE" Children First plate)
I think they should have been allowed to keep it, frankly.
My state has legislation about denying / revoking vanity plates and 'It inconveniences our computers' is not a valid reason.
They just wouldn't let him renew his vehicle registration unless he changes his vanity plate or goes back to a random number.
I never understand how these sorts of bugs happen - is the database something like:
Or rather the type is actually Option<String>:
In which case, how is it the software can't tell the difference between Some("NULL") and None()?
The only thing I can think of is the software (or its database driver) handles everything in strings; so None() and Some("NULL") both get converted to "NULL"?
Based on the description in the article, it's a separate system that is actually entering "NULL" in the license plate string field, probably for things like red light camera violations. Chances are it's a human doing this according to a procedure, or the system is set up to require entry of some text in the field, so they have to enter something and opted for "NULL" if the actual plate is unreadable / unreliable / not present. This is unfortunately how a lot of things in the real world work, especially on legacy systems.
There's a good chance it's some text file in CSV or fixed-width format being shipped around.
It would seem to me that issuing frivolous citations to a man who has not actually broken the law is a violation of the general prohibition against unreasonable fines and punishment.
For those interested, you can find the slides for the presentation here: https://media.defcon.org/DEF%20CON%2027/DEF%20CON%2027%20pre...
This article is garbage, and a lot of the discussion here revolves around the spin and emphasis on facetious scenarios I mentioned in the presentation.
I don't know how being able to put any random word in the plate can even work. Always found it funny in movies and thought it was a joke.
Do any states allow emojis on plates? I saw a red heart recently. But I don't know if that was the license number or the background.
I’ve seen several combinations of B’s and 8’s - like “8B88B8”. Wonder how effective they are at confusing plate readers.
It would be the same as having a single 8, but I guess it's not a problem or plate readers wouldn't be in use.
> He refused because he didn't do anything wrong.
Cool the DMV fixed it. Just try that with so called "identity theft"
Reminds me of myself: when gmail came out I got my name@gmail
The name is my 6 letter last name.
I've received thousands of emails from random people. There are so many letter.name or number.name similar addresses that I'm constantly getting very personal emails of other people (deaths, marriages, invoices, business reports, etc)
Reminds me of a recent groceries delivery to my home. I had ordered online the day before and had some trouble filling in the form but managed to validate it anyway.
The delivery man called to tell me my address was incorrect. When I asked him what was wrong, he told me it said 'Null Null Null Null'.
I've got AFK plates... makes it super easy to remember :-P
A couple of cars in my city have plates like "0O00OO" or "BB88B8B"
One guy that I've seen driving near my place has two cars both with variations of "11ll11l" Both the same make and model and color.
I really don't think this will help him much.
This wouldn't be a problem if people wrote programs in languages that have proper type systems that can correctly classify failure.
I'm thinking of types such as Maybe/Option or Either.
I hate it for example when a C/C++ function has to return a -1 in case of failure.
The Wired article is better https://www.wired.com/story/null-license-plate-landed-one-ha...
Actually, it was brilliant because it pointed out how flawed the system is, that it can be passively broken or circumvented. This could be used to invalidate all citations that were issued from agencies using that software.
Well, that's what happens when you use a special value that's actually not that special and is part of the valid values domain.
If they had to use a string (and I doubt they had to), they could at least have used the empty string.
LOL! Can we have a new subcategory on HN for comic relief stuff like this! :)
I rather think that it did work. Or, at least, if he continues being successful having tickets for "NULL" dropped. Because any tickets he actually gets will be to "NULL".
>Apparently, when they didn't have the right data for a vehicle, a privately operated citation processing center used the word NULL in the license plate field for many tickets.
>used the word NULL
Oh god, I feel faint.
I would think a cease and desist, followed by a lawsuit, would clear things up very fast.
BTW, California has a problem with issuing both plates with 0 (zero) and O (letter) in them. They both look the same.
I have named my phone "Null Pointer Exception"; whenever I connect my phone to a friend's Bluetooth they immediately scream "oh look! null pointer exception!"
Is this actually possible? Aren't strings at least surrounded by quotation marks ('NULL') while NULL isn't?
It's not a database sanitization issue. The problem is that for cars that don't have a plate or the plate wasn't entered for whatever reason, in some cases people were entering "NULL" (the string). That then ended up matching his plate.
The 'NULL' string was being entered by the private company:
> Apparently, when they didn't have the right data for a vehicle, a privately operated citation processing center used the word NULL in the license plate field for many tickets.
I once saw a parked BMW and the plates were the current day of the week and date. I am still scratching my head over that one.
update Table set LicensePlate = 'NOPLATES' where LicensePlate = 'NULL';
The case for stronger type systems for layman programmers in an easily understood parable.
Great idea. Any cop writing you up and any traffic cam will suffer segmentation fault.
That’s the closest way yet that I’ve seen Little Bobby Tables come to life :D
Confusing the value NULL for a non-null string-sequence which says “NULL” shows the clear sign of a system where no data can be assumed to hold any integrity.
These bugs and categories of errors should simply not be possible in sane languages or frameworks.
That's not what's happening at all please reread.
> Apparently, when they didn't have the right data for a vehicle, a privately operated citation processing center used the word NULL in the license plate field for many tickets. Since that just happens to be Droogie's license plate, he got all of them.
So it's 'confusing' the string NULL used incorrectly (kind of, it's fine under the assumption that no one will have the license plate NULL but that assumption is wrong) with the string NULL.
Sounds like it worked. He can now accrue tickets without penalty.
There’s a lot of interesting options. How about NaN NaN?
This isn't an issue with the program lacking a valid input. The 'NULL' was hardcoded as a default value by a private processing company. (See the third paragraph in the article.)
Or "[object Object]"
Can you have brackets in license plate?
I like my new vanity license plate:
DROP DATABASE;
Stories like these and the bobby droptables xkcd are the reason I ended up with this plate, https://i.imgur.com/O7KEFrn.jpg It gets a lot of compliments and attention even if most people don't know what "null" is
Should use nullptr :P
I guess nil wouldn't work either - it probably worked because of the SQL NULL keyword. https://en.wikipedia.org/wiki/Null_(SQL)
Hahahaha best thing I've read all day.
It sounds like a bright idea to me.
NULL strikes again, this time IRL!
This time?
Ah yes, we call him Bobby Nulls.
Guess I should FOIA the DMV to find out what my state's default value is.
These tickets were issued by a privately operated citation processing center.
My state doesn't allow for private companies to automatically mail you a ticket but requires an officer pull you over and cite you.
So this guy doesn't have to pay parking tickets anymore right?
Change the fucking plate you muppet.
Should have gone with NaN
Play stupid games, win stupid prizes.
This reminds me of the bit that mentions that St. Peter has a list of questions he asks people at the Pearly gates. Among them he asks, “Did you have a vanity plate?”
This is clearly an entirely fake anecdote. Show me a pic and change my mind.
It's been blogspammed.
There's photo evidence in the much better article at https://mashable.com/article/dmv-vanity-license-plate-def-co... from the DEFCON talk.
OK, a screenshot of a list of tickets. An 8-year old could create that in Excel. A photo of the license plate?
There are ways to properly sanitize inputs these days so NULL becomes "NULL" (string), BUT also tons of systems moved into JSON format assuming it's safe. It is not. JSON is not binary safe and there are tons of unicode chars that will break JSON. I was once overseeing a system that people would bring down all the time by registering usernames that the app could not properly sanitize, and they in return were breaking the JSON format to the halt of the whole system. I should not admit it, but using the same chars I myself broke a few YouTube channels when comments and votes were working in JSON format themselves without properly removing unsafe char codes. Good times.
No, it’s not the JSON format that is broken - it’s the parser you use for JSON that is broken.
Well, not me. More like a vast number of websites used to, or still do. The assumption was all I need is JSON and it will properly format data during exchange.
This isn't even a coding error, NULL is apparently a valid license plate, and for some reason there is a private processing center typing it in to the government system.
First of all they are accidentally committing fraud (libel?) against this guy. But more importantly, why is there a private processing center? Don't the officers type this in as they fill out the ticket? or even just scan the plates? If there aren't plates on the vehicle it should be towed or booted. What is the point of recording tickets with no plates? Is the processing center paid per ticket recorded?
> This isn't even a coding error, NULL is apparently valid license plate, and for some reason there is a private processing center typing it in to the government system.
I would take that with a grain of salt. The linked article is on a talk-radio site, and was likely intended as a wacky news bite that the hosts breeze through and then make jokes about. I figured the exact technical details of what was causing the problem were lost in translation. More likely that they were leaving the plate blank, and then the backend software was confusing null database fields with the string "NULL".
It's not fraud or libel, it's an unavoidable problem with in-band signalling [1].
I assume the government entry system doesn't have an explicit way to set the data as missing, so they work around it like this.
[1] https://en.wikipedia.org/wiki/In-band_signaling
Guess they should have used the Maybe monad!
Brand new cars don't yet have plates. Granted, most states now have dealer-printed labels with an identifier on them, but still, new cars don't immediately have plates when they roll off the lot.
When I lived in West Virginia, recently sold cars did not have temporary tags. It was very common to see hand-scrawled signs "TAF" in the back windows. TAF stood for "Tags Applied For."
I'm not sure if that's still happening.
Shout out to all the Python programmers from the other frontpage thread who are responsible for bugs like this with their crappy scripting languages.
Crappy code can be written in any language, see all of the CVEs in C code, even when written by experts.
As surprising as it may be, bad code is often written by bad programmers. It doesn't matter what language you use if you write bad code.
But scripting languages make it especially easy to do so. That doesn't mean people who use them are bad programmers. They just chose a bad tool.
I think if you want to blame scripting languages, you need a license plate that says "None" or "undefined".
What happened in this case was that people used the literal value "NULL" to mean "I don't know". They could have used the word "LOLCAT" and the effect would have been the same. Overuse of in-band signalling is a general design flaw not specific to any programming language. (Remember when people would whistle a 2600Hz tone to make free phone calls? Same thing as this.)
If you want to throw darts at someone, I think database systems with three-valued logic would be a better target. This criticism (not for these reasons) has been leveled...
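The in-band signalling failure several comments above describe (a processing center writing the string "NULL" into the plate field when it has no plate, which then collides with a real plate reading NULL, versus storing the missing value as a genuine SQL NULL / Python None) can be reproduced in a few lines. This is an added example, not code from the article, the DEF CON talk or any DMV system; the table layout, the citation feed and the fines are all constructed for illustration, and the real processing-center schema is not known.

```python
"""Sentinel string 'NULL' vs. real SQL NULL in a citation table.

Added illustration; all names, columns and data below are constructed.
"""
import sqlite3

# Constructed feed from a hypothetical citation processing center: (plate, fine).
# plate is None when no usable plate was captured.
FEED = [
    ("7ABC123", 35.0),
    (None, 100.0),    # no plate captured
    ("NULL", 25.0),   # a citation the driver with the real plate NULL did earn
    (None, 50.0),     # no plate captured
]


def load(conn, sentinel=None):
    """Insert FEED into a fresh citations table.

    If sentinel is a string, missing plates are written as that string
    (the processing-center behaviour, in-band signalling). If sentinel is
    None, missing plates are stored as SQL NULL (out-of-band: the column's
    nullability carries the 'unknown' state, not a value in the plate domain).
    """
    conn.execute("DROP TABLE IF EXISTS citations")
    conn.execute(
        "CREATE TABLE citations (id INTEGER PRIMARY KEY, plate TEXT, fine REAL)"
    )
    rows = [
        (sentinel if (plate is None and sentinel is not None) else plate, fine)
        for plate, fine in FEED
    ]
    conn.executemany("INSERT INTO citations (plate, fine) VALUES (?, ?)", rows)
    conn.commit()


def fines_for_plate(conn, plate):
    """Total fines attributed to one plate, the way a mailing job would compute it.

    Binding a Python str compares as a string; binding None binds SQL NULL,
    and NULL = NULL is not true, so a None lookup never matches anything.
    """
    (total,) = conn.execute(
        "SELECT COALESCE(SUM(fine), 0) FROM citations WHERE plate = ?", (plate,)
    ).fetchone()
    return total


def unattributed(conn):
    """Citations with no plate. Only IS NULL finds them; = 'NULL' never does."""
    (n,) = conn.execute(
        "SELECT COUNT(*) FROM citations WHERE plate IS NULL"
    ).fetchone()
    return n


def compare():
    """Run the same feed through both encodings and report what plate NULL owes."""
    conn = sqlite3.connect(":memory:")

    load(conn, sentinel="NULL")              # what the processing center did
    inband = (fines_for_plate(conn, "NULL"), unattributed(conn))

    load(conn, sentinel=None)                # what a nullable column gives you
    nullable = (fines_for_plate(conn, "NULL"), unattributed(conn))

    return {"inband": inband, "nullable": nullable}


if __name__ == "__main__":
    result = compare()
    print("sentinel 'NULL' : plate NULL owes", result["inband"][0],
          "with", result["inband"][1], "citations left unattributed")
    print("SQL NULL        : plate NULL owes", result["nullable"][0],
          "with", result["nullable"][1], "citations left unattributed")
```

With the sentinel, the driver with plate NULL is billed for every plateless citation and the database cannot even tell how many plateless citations exist; with a real NULL, he owes only his own ticket and the unknown-plate rows remain countable (and reviewable) as such. Note that the fix is in the data entry path, not in the lookup query: once 'NULL' has been written as a string, `WHERE plate = 'NULL'` is the correct query and will keep returning those rows.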
NULL is in much more widespread use than Python. C and C++ have implementations where NULL == NULL. https://www.infoq.com/presentations/Null-References-The-Bill...
It's spelled 'None' in Python.
Ignoring the lack of 'NULL' in Python for a moment, this wasn't even an issue with the code lacking an invalid input. If you read the article, you might have realized that.
Well - Python doesn’t use NULL, to be clear.
In the other notorious scripting language JavaScript it's also spelled
Which makes for a bit of funny because