I read years ago in comp.risks about a similar story. A guy in 1979(!) requested a personalized plate "SAILING", with second choice "BOATING". He didn't want a customized plate if he couldn't get those, so for his third choice he put down "NO PLATE". Of course, he ended up with "NO PLATE". He ended up getting 2500 parking tickets, since cars with no plate had "NO PLATE" written on the ticket.
This reminds me about my own name. Everyone always gets it wrong (including people from where I am from). Except the Dutch. They always get it right, every single time!
There was also a meme about a person that wrote on her ID application "note the hat on the 'e'" and of course her name was Sarah Note The Hat On The E on the issued ID.
EDIT: Yes her name was not Sarah and there is no 'e' in Sarah.
I managed to do this at my university. I had vanity plates with a design made by my local Australian shire, which had the shire emblem between two parts of the plate. The plate was something like "123ABC" but I'm guessing the emblem read as an O, so their scanners saw "123OABC", which was not a plate registered with the uni.
Each day there was a 10-20% chance I would get a ticket on my windshield. I would collect them and take them to the uni security office once a fortnight to have them cancelled in bulk. I actually got pretty friendly with some of the staff there.
At least 4 of them were legitimate tickets because I parked overtime, over a line, etc, but the staff cancelled them anyway (:
Like Make, Model, Color, and VIN? The last time I got a parking ticket it certainly included those details in the citation. I can imagine being able to contest and win any citations issued to the same plate but with otherwise non-matching supporting information. But in the case where someone else has the same make, model, and color car, you might be out of luck if the VIN gets recorded as "CANNOT READ" or is left blank.
I think this is unlikely since plates are alphanumeric. Although I suppose if you faked an image of a plate it's possible you could cause problems for a plate scanner.
A colleague used an app's "generate secure password" feature to change their ISP's web portal login - which then also became the WAN router's password - which they didn't realise.
It was about a week before the router dropped its connection and needed to re-authenticate - and that's when I was called in to investigate the loss of connectivity - which Windows 10 very unhelpfully reported as the network cable disconnected and was resetting or power-saving on the NIC so the "link active" LED on the switch was going out for about 2 secs every 10 sec. Cue a round of cable and switch swapping to no benefit. The LEDs for all other devices on the switch (running Linux and mostly internal servers) were behaving normally.
I finally backtraced to the router and a useful error message. We put two-and-two together and my colleague called up the auto-saved details in their password manager; it was long, and ALL non-alphanumeric characters - starting with a backtick, which the router would not accept. I tethered my phone to my laptop and tried to login to the Web account portal - which would NOT accept the passphrase. I tried it without the backtick "just in case" - nope.
We had to do a "lost password" reset on the portal... and wait for the email with link.
Lessons learned:
The ISP's password change page did not seem to validate input, but the login page did.
Many, many websites will happily accept passwords of $X characters and then hash only $(X-Y) characters on registration, but try to hash all $X characters on login, so of course the hashes don’t match. And at no point do they tell you the maximum number of characters.
I once had a page that prevented pasting, but LastPass's password generator still worked. So I put in a long password using that, but when I clicked to register it came up with a blank error message. Turns out they had a 16 character limit that was only enforced when you typed in the box, so I had to count the number of letters they allowed me to type and then let LastPass generate a password of that length. Infuriating.
This has happened to me on many occasions, even with bigger sites which "should know better". Tis why I'm always slightly paranoid about entering in long passwords when signing up to new sites.
Square Enix's account management on the PS4 allowed me to set a password with a space on the end, but their website strips spaces from the password field when you sign in.
Fun fact: it's actually really easy to submit a string with a space on the end when entered via a PS4 controller.
Trimming spaces is the one evil that is kind of necessary. Way too many text selection tools select trailing spaces. Firefox and Chrome both do when selecting words. Got a mail with a reset password and want to copy it over? Yeah, good chance the space is copied as well. On a few occasions it even ended up in my password manager. Please, just apply password rules everywhere consistently.
> Please, just apply password rules everywhere consistently.
This would honestly fix all of it, without even needing to communicate information about how passwords are handled. Although, I think those rules should be communicated as well, so users can make good choices about password security. If spaces are removed, that lowers entropy and users may want to add additional characters or restrict spaces in their password generator.
It may not be easy. You might have dozens of different client applications with different requirements or abilities. But it is simple: Figure out your best practices and your lowest common denominator. Then apply those rules to every password every time in every context.
Alternatively, if you have clients which (for whatever reason) need a special case, create a separate hash for that special case and then use that only for that client. (Likely, this will reduce the overall security of the account, but if this is your lowest common denominator, allowing other clients to have greater security certainly doesn't hurt you.)
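The two failure modes the thread keeps returning to, as an added example that is not from any of the posts above: a site that silently truncates on registration but hashes the full string on login (so the password "works" once and never again), beside a site that routes every path through one canonicalization function. Names, limits and the in-memory user table are assumptions for the demo; PBKDF2 stands in for whatever password hash the site should actually use.

```python
# Added example (not from the thread): truncate-on-register vs. one rule set everywhere.
import hashlib
import hmac
import os
import unicodedata


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the demo dependency-free; prefer argon2id or scrypt in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class BuggySite:
    """Registration keeps only the first MAX characters; login hashes all of them."""

    MAX = 8  # assumed limit, never shown to the user

    def __init__(self) -> None:
        self.users: dict[str, tuple[bytes, bytes]] = {}

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        # Silent truncation: the user is never told anything was dropped.
        self.users[user] = (salt, _hash(password[: self.MAX], salt))

    def login(self, user: str, password: str) -> bool:
        salt, stored = self.users[user]
        # Full string hashed here, so any password longer than MAX can never match.
        return hmac.compare_digest(_hash(password, salt), stored)


def canonicalize(password: str) -> str:
    """The single rule set: same length bounds, same normalization, no trimming, every path."""
    if not 8 <= len(password) <= 64:          # assumed bounds; reject loudly, never truncate
        raise ValueError("password must be 8-64 characters")
    # NFC so the same character typed on two devices compares equal; spaces and all
    # printable characters are kept exactly as entered.
    return unicodedata.normalize("NFC", password)


class ConsistentSite:
    def __init__(self) -> None:
        self.users: dict[str, tuple[bytes, bytes]] = {}

    def register(self, user: str, password: str) -> None:
        pw = canonicalize(password)
        salt = os.urandom(16)
        self.users[user] = (salt, _hash(pw, salt))

    def login(self, user: str, password: str) -> bool:
        try:
            pw = canonicalize(password)
        except ValueError:
            return False  # rejected by the same rule that governed registration
        salt, stored = self.users[user]
        return hmac.compare_digest(_hash(pw, salt), stored)


def registration_rejected(site, user: str, password: str) -> bool:
    """True if the site refused the password outright instead of silently altering it."""
    try:
        site.register(user, password)
    except ValueError:
        return True
    return False
```

The consistent site also shows why trimming at only one end is worse than not trimming at all: a trailing space is part of the secret on both paths, so a copy-pasted space fails the same way on registration and on login, and the user finds out immediately rather than a week later. Truncating on both paths (the "only the first 8 characters count" variant) does let the user in, but silently discards everything past the limit.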
Back in the day, I created an AOL password with CTRL-BACKSPACE in it. It worked when using the AOL software but when I tried to log into the website, it deleted the password.
It's honestly a crapshoot. I've seen as low as 8 (a sibling poster says 6), but 10, 12, 15, 16, and 20 are not unusual. It's usually an even number, so you can just knock 2 characters off your password at a time (after making it an even number) until you're down to the maximum to figure it out.
Lots and lots of legacy systems do this, very low limit, case insensitive, numbers and letters only. I know of a major retailer with 10-character, case-insensitive, alphanumeric passwords for all their systems. Why? Because that's the lowest common denominator (AS/400).
That's how my dentist's billing website works. Except it's limited to 8 alphanumeric characters, not 10, and they were quite happy to accept my pasting a 16-character generated password into the field. Unfortunately, they don't have a password reset link; instead, you call the receptionist and they read out your password to you over the phone. This isn't a legacy system, either. I can only imagine the backend is written in QBasic or something.
Try changing the last two characters and see if it still lets you in. It's not that uncommon that people mix up when to filter input and when to validate it.
Passwords for Blizzard accounts are also case-insensitive, as they are converted to upper case before hashing. Try it!
I first found this while working on a WoW server emulator in around 2009, but I believe it's been the case since Battle.net 1.0 was launched in 1996. In order to preserve backwards compatibility, it's never been changed.
Had this issue with Google a few years ago when I tried to set my password to something ludicrously long (think 5000+ characters). It would happily change my password, but I couldn't log in to anything afterwards…
For many years, Schwab ignored any characters after 8 in its password. Discovered that when I knew I flubbed one of the last characters, and it still worked.
I still can't believe a major bank got away with that for so long, apparently unharmed.
I learned this the hard way when I started using a password manager. I had the bright idea to start using 90 character passwords for all my accounts and suddenly I couldn't log into a lot of accounts.
I had something similar happen with (iirc) Spectrum or the power company a couple years ago. Their customer portal let me use a complicated password to sign up, it sent me the confirmation email prompting me to log in, and refused my password for forbidden characters. But then I couldn't reset my password because I hadn't verified, and I couldn't modify the account because I couldn't log in. I was just trapped in limbo. Customer service said they couldn't fix it for me. I had to pay my bill by phone until I moved.
Ah yes, this reminds me of my University account. I chose a long password generated with my password manager, which of course contained a character that was allowed both at setup and in normal use. But because I had to frequently type it in without my password manager (i.e. on a University PC), I wanted to change it. But the change dialog asked for the old password and didn't accept it, due to the forbidden character. I had to go to the support who refused to believe my story and wasn't able to change my password. It took a few weeks to get hold of a person who was allowed to change passwords.
So many home-routers are run with horrid CGI-scripts on the back-end - I'd not be amazed to learn that submitting a form-field with `blah` in it would try to run the command blah (probably via busybox).
If you have time/patience it might be worth exploring.
I've actually rooted an Asus router owned by a relative, this was about 5 years back so it's hopefully fixed now. Noticed some strange behavior after a mistype and tried something like `whoami` (not exactly) and got root back so tried a reverse shell with nc which worked perfectly. Googled it afterwards and found a ton of similar flaws on other home routers.
Tried to do some kind of responsible disclosure but never got a reply or saw a fix then I forgot about it.
Is there even a reason to include special characters in passwords? They add 10% more security[1] but cause all sorts of issues with systems. Just use an alphanumeric password that's 10% longer, and if special characters are mandatory, use a safe character at the end like _ or -.
[1] 6.55 bits per character (all printable ascii characters) rather than 5.95 (only alphanumeric)
Special characters in passwords were highly recommended when rainbow tables were an effective way to attack password hashes. See this old Coding Horror blogpost for an idea what it was like at the time: https://blog.codinghorror.com/rainbow-hash-cracking/
Salted hashes have made rainbow tables less effective. Password managers have made single-use passwords more tenable.
Not knowing how a system will store my password, I still prefer to include special characters where available. Anecdotally, I tend to see the systems that are most averse to special characters are also strict about character limits, so simply increasing password length is not possible.
Password Managers are the new goto for obtaining all passwords and web browser zero days make it very easy to lift and then use for a variety of purposes. A simple lined small note book is good, but made secure is best, yet how would you make a pwd note book secure from someone else? This even applies to devices like bank cards and other things which needs a security code of sorts.
Keep your password manager offline with Keepass2 USB keyboard plugin for Keepass2Android [1], but I'm not sure how well it works. Too-fast USB keyboard input does seem to have issues (the open issue seems similar to things I've seen an AlphaSmart 2000/3000 do in USB emulation mode; PS/2 always worked fine).
There's also this other project, which seems more generic/difficult [2]
The context is randomly generated passwords, so dictionary attacks (or other attacks that look at the plaintext from a Huffman encoding perspective) aren't really relevant.
A 10 character password (if randomly chosen from the same character set) has 10^17 possibly combinations (about 4,000x more), and 59.4 bits of entropy, 11.8 bits more. 2^11 = 2048.
In the context of randomly generated passwords, it's absolutely ok to think about it in terms of the logarithmic relationship between 1) entropy per symbol times number of symbols and 2) strength of the password.
He said 10% stronger (which I took to mean 10% more entropy), not 10% more time to crack.
> He said 10% stronger (which I took to mean 10% more entropy), not 10% more time to crack.
Hence the problem?
Yes, measuring "strength" by "bits of entropy" is technically correct (the best kind of correct...).
It's also exponentially misleading... possibly the worst kind of misleading?
Just look at the question: "Is there even a reason to include special characters in passwords? They add 10% more to security...". I don't know about you, but to me doesn't really portray an understanding of the fact that it takes twenty-five times longer to crack such a password for merely 8 characters, not merely 10%.
I mean, counting in entropy with the knowledge that the applied effects can be logarithmic is the standard way of discussing such matters. It's sort of the basis for the information theory that's underneath this type of work.
Edit: And the point of his argument is that more symbols of a smaller corpus of symbols can be equivalent if the entropy is equivalent.
I randomly generated an 8 character alphabetical (all lower case) password "jraxxhwr". According to keepass it has 32 bits of entropy, but the entropy should be 26^8 = 37.6 bits because the search space is all 8 character letter permutations. There's no way you can reduce the search space from 37.6 bits to 32 bits unless you have an oracle that says which characters I used.
It does make sense, because the keepass entropy estimate presumably (like the excellent zxcvbn) tries to approximate the empirical distribution, not the theoretical uniform one.
In theory, "68703649" and "12345678" are equally likely to be pulled from the hat, but in practice one is a much better password than the other. You can reduce the search space by trying the passwords with higher (empirical) probability first.
Thanks. I've looked at the code, and it does not seem to try to estimate the empirical distribution (doesn't appear to be using dictionaries, for examples).
Then the discrepancy maybe comes from the number of glyphs within certain categories, or their repetition?
MD5 and all other hashes still take arbitrary bytes as input, so they wouldn't be the source of any restrictions; I suspect the majority of them are due to character set/encoding issues more than anything else.
$cursor.execute("SELECT * FROM users WHERE username = '$username' AND hash = MD5('$password')")
Allowing any value would allow for SQL injections, so the programmer does the lazy thing and "sanitizes" the inputs ($username/$password) with a roll-your-own "sanitizing" function that throws an error if there are "evil" characters.
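Both the router speculation earlier (a form field spliced into a shell command, where a backtick is a command substitution) and the interpolated SQL just above are the same bug, and both have the same fix: hand the value to the interpreter as data, never as part of the program text, so no "evil character" list is needed. The following is an added example, not code from any post; it assumes a POSIX /bin/sh, uses `echo` as a stand-in for whatever the firmware's real setter is, and keeps MD5 only to mirror the query in the post (it is not a password hash anyone should use).

```python
# Added example (not from the thread): one untrusted field reaching a shell and a SQL engine.
import hashlib
import sqlite3
import subprocess

# --- shell: the CGI-style handler -------------------------------------------------
# `echo` stands in for the real firmware setter (assumption for the demo).


def set_password_vulnerable(pw: str) -> str:
    # shell=True hands the whole string to /bin/sh, which expands `...` before echo runs.
    out = subprocess.run(f"echo password={pw}", shell=True, capture_output=True, text=True)
    return out.stdout.strip()


def set_password_fixed(pw: str) -> str:
    # argv list: no shell parses the value, so a backtick is just a byte in the argument.
    out = subprocess.run(["echo", f"password={pw}"], capture_output=True, text=True)
    return out.stdout.strip()


# --- SQL: the login query from the post --------------------------------------------


def _db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, hash TEXT)")
    db.execute(
        "INSERT INTO users VALUES (?, ?)",
        ("alice", hashlib.md5(b"hunter2").hexdigest()),  # MD5 only to mirror the post
    )
    return db


def login_vulnerable(username: str, password: str) -> bool:
    db = _db()
    h = hashlib.md5(password.encode("utf-8")).hexdigest()
    # Query text built from the field: a quote ends the literal, "--" comments out the rest.
    q = f"SELECT 1 FROM users WHERE username = '{username}' AND hash = '{h}'"
    return db.execute(q).fetchone() is not None


def login_fixed(username: str, password: str) -> bool:
    db = _db()
    h = hashlib.md5(password.encode("utf-8")).hexdigest()
    # Placeholders: the driver sends the value separately from the statement text,
    # so quotes, dashes and backticks in a password are simply compared, not parsed.
    row = db.execute(
        "SELECT 1 FROM users WHERE username = ? AND hash = ?", (username, h)
    ).fetchone()
    return row is not None
```

With the fixed forms in place, the "sanitizing" function and its list of forbidden characters can be deleted, which is exactly what removes the set-but-cannot-log-in failures discussed above: a password containing a backtick is accepted everywhere because it is never interpreted anywhere.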
Another way to say this that wouldn't rile so many people up is "In order to achieve the same size search space, you'd have to use ~10% more alphanumeric characters than all of printable ASCII."
10% more refers to the character length for the same amount of security, so that's already baked in. eg. you can get a 128-bit entropy password with 22 alphanumeric characters, or 20 characters with all printable characters.
Based on your numbers they add 10% entropy per character. Which compounds into an increase of 210% over a length of 12 characters. Thus you'd need the password to be at least 3 times longer with only alphanumeric characters to have the same entropy.
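The numbers being argued over in this sub-thread, carried through once in code so the "10% per character" and "30x for 8 characters" statements can be checked against each other. This is an added example, not from any post; it assumes 95 printable ASCII characters (space included) and 62 alphanumerics, and uniformly random selection, which is the only case where these figures apply.

```python
# Added example (not from the thread): entropy arithmetic for uniformly random passwords.
import math

PRINTABLE_ASCII = 95  # 0x20..0x7E, space included (assumption: the set the poster meant)
ALPHANUMERIC = 62     # a-z, A-Z, 0-9
LOWERCASE = 26


def bits_per_char(alphabet_size: int) -> float:
    """Entropy of one uniformly chosen symbol."""
    return math.log2(alphabet_size)


def uniform_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a password: bits per symbol times symbols (the log of alphabet**length)."""
    return length * math.log2(alphabet_size)


def length_for_bits(target_bits: float, alphabet_size: int) -> int:
    """Shortest length from this alphabet that reaches the target entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def equivalent_length(length: int, from_size: int, to_size: int) -> int:
    """Length needed in the 'to' alphabet to match a given length in the 'from' alphabet."""
    return math.ceil(uniform_bits(from_size, length) / math.log2(to_size))


def work_ratio(bigger: int, smaller: int, length: int) -> float:
    """How many times more guesses the larger alphabet costs at equal length: (n1/n2)**length."""
    return (bigger / smaller) ** length


def per_char_gain(bigger: int, smaller: int) -> float:
    """Relative entropy gain per symbol, the figure quoted as 'about 10%'."""
    return bits_per_char(bigger) / bits_per_char(smaller) - 1
```

Two things fall out of this. Entropy adds per character, so a 10% per-character gain is a 10% gain over any length, not a compounding one; and the guess count is exponential in that entropy, so the same 10% at 8 characters is roughly a 30-fold difference in work. Both descriptions are correct; they just measure different things.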
I went to change my password on a forum site that I had not used in a few years. My old password was really weak - think "abc123" or something similar.
I logged in and then attempted to change my password to my new standard of 20+ character upper/lower/symbol. The problem was, they'd upgraded their forum software, and there was a bug that added password strength validation to the "old" password field.
So I was putting in:
Old: abc123
New: sZp10VzIoZI9g143
And was getting the error message "error: your password must be 8+ characters long". After about 10 minutes of frustration and realising they had both client and server validation I went down a similar route as you and used forgot-password even though I knew the password.
Oh yeah, I've run into a lot of similar problems with even very well tested applications. The password reset field would accept inputs not valid at login time. I mostly ran into this when generating random passwords 100 characters in length from LastPass.
At one point GitHub even reduced their max password input to a sane amount, and I couldn't log in anymore with my existing insane password length a few years ago.
In most cases they fix the case when I report it, but my bank is terrible.
Similarly, my Belgian ISP (Telenet) has WiFi home gateways that are configured by their web portal, and config is pushed by the ISP.
I figured out that they only did validation on SSIDs client-side, so managed to get around that to put emojis in my SSID.
Which then proceeded to soft-brick the entire thing on config push. I'd have to log in to the web portal via another connection, change the SSID there, and then reset the hardware with the reset button to get internet working again.
The stereo in my 2013 GTI crashed hilariously if you tried to pair a Bluetooth device with anything in the name outside of [a-zA-Z0-9]. I wish I'd have messed around with it some more before I sold it (it was a silly car to own for how little I drive)
Oooh this reminds me, I am trying to learn a language that of course has ‘non-standard’ characters, and not even anything particularly exciting - Ä, Ö and the like. I thought it’d be cool to help memorise words (and be super secure) by changing frequently used passwords to phrases that contained these words...
...Caused me some trouble.
I learned that lesson a different way: When I had a Windows phone my email password had a backtick, and the only way to enter it on the phone was to long-press the apostrophe, pick backtick from the three or four apostrophe variants that appeared, and pray I didn't fat-finger it and enter the wrong character. In general, there are just some second class citizen characters you should always avoid, because you never know how hard they're going to be to enter when you're on a phone or a kiosk or whatever. (Tilde, I'm looking at you, too.)
There are regional keyboard layouts lacking backtick completely. (I would have to use alt+96 or switch keyboard from my default (and only) Czech QWERTZ layout to type `, if I hadn't more convenient AutoHotkey shortcut in effect.)
The Indian version of the personal retirement fund NPA website does this, I learnt a lesson. Every few weeks you have to change your password. No big deal. I will just add an incremental number. OK, password now is PasswordPass1. Let's log in. Wrong password? Why? Error: Password length exceeded.
So, the password change page will accept any length password, will silently truncate it if longer & save it. Now on login page you have to guess the password length or reset.
This is one reason why I stick to alphabet (+case) in my passwords, when I can make them long.
I had the exact same issues with some passwords which were accepted when creating them, then not accepted anymore when used to log in.
This plus emails such as a@example.com or hjghgfggv@example.someweirdtld show how much sites are broken because of some philosophical ideas of developers.
I once had the bright idea to use a backslash as a one character password for my girlfriend's computer, thinking it would provide amazing convenience – a single character, just above the enter key. Turns out this doesn't work very well, even on a Mac, which you would think would have gone through fairly robust testing.
Once upon a time, I went through my logins and tried to change them to strings with weird characters. I ended up with a password of on an internal school site and couldn't change it to anything else, since the "change password" site somehow rejected it.
I had a similar issue when my bank introduced a new banking app. The web login page has different requirements for the password than the app. I.e. on either I can set my password to something that the other will not accept.
I had a backtick in one of my passwords very long ago. When I first got my iPhone I couldn't figure out how to type that backtick until I realized one needs to press and hold the apostrophe.
When I was a foolhardy college student I figured out that if the cited vehicle make on my city parking ticket didn't match my registration, I could appeal the ticket via a web form very easily and succeed every time.
Naturally I removed the badges from my car and put on different badges from another manufacturer. After a while they started to cite me as “other” and the trick no longer worked.
All we had to do was register our cars in each others names. When I was married, my car was registered to her and vice versa. The redlight/photoradar laws in my state required that the company operating the devices had to match the pic of the driver violating the law, to the pic of the registered owner via the license plate. If they couldn't match them, no ticket was issued as you can't prove who was driving. That's probably changed now that a lot of DMV's are doing facial scans with datapoints. They probably just scan the whole DMV DB now to find the driver. Wear a mask.
Where i am from the ticket is issued to the vehicle owner, doesn't matter who was driving. On the plus side it means that you can get a photoradar ticket for driving 300km/h and not lose your licence, just pay the fine.
P.S. If the driver must be recognized does it mean that motorcyclists are exempt from photoradar fines?
I thought that motorcycles already didn't really show up on the photoradar scanners. That's the way it is here, but I can totally see that being a jurisdiction by jurisdiction thing.
Here it is easier to avoid getting a photo with motorcycle because there are places where it targets front plate. If photoradar targets back plate then you will get a ticket for a motorcycle just like any car.
In the UK we fixed this by making it a legal requirement for the owner of the car to identify the driver (obviously unless there's a valid reason you can't, such as it being stolen).
Two MPs have actually been caught out by this law, convicted of perverting the course of justice and sent to prison:
> On 3 February 2012, Huhne resigned from the Cabinet when he was charged with perverting the course of justice over a 2003 speeding case. His wife at the time, Vicky Pryce, had claimed that she was driving the car, and accepted the licence penalty points on his behalf so that he could avoid being banned from driving. Huhne denied the charge until the trial began on 4 February 2013 when he changed his plea to guilty, resigned as a member of parliament, and left the Privy Council.[7][8][9] He and Pryce were sentenced at Southwark Crown Court on 11 March to eight months in prison for perverting the course of justice.
Going to prison for lying about speeding 10 years ago seems insane. Did they punish these MPs especially heavily just to make a point?
Generally the courts punish "crimes against justice" such as perjury very harshly as it is seen as an attack on the rule of law itself, something much more valuable than any amount of money. When I was a juror they made it clear that if we got caught talking about the case or did any independent research, we could and would be going to prison.
He didn't get sent to prison for speeding. He got sent to prison for having the audacity to think he could pull a fast one on them and the balls to actually try.
Here I think you are asked to directly wire transfer the penalty amount or you can challenge the ticket, then you will be heard as a witness for who drove the car. If you refuse to tell that or don't know, the judge can order you to keep a log of all journeys of your car that can be inspected for finding the culprit of a future offense.
Typically, like they did here, they also lower the yellow light duration when they install these devices, causing more people to "run red lights" and collect $$$ for the jurisdiction. For nothing. This was proven in my state. Accidents have also gone up in these areas because now when the light turns yellow people have been trained to know they don't have enough time to make it through traveling at a normal speed, so they gun it to make it though. If you think I purposefully speed and use this to avoid red lights, you're assuming too much. I don't feel bad one bit circumventing a rigged system.
I knew a kid in college who would get a ticket, and then look around the parking lot for another Black Nissan Maxima. Most people don't actually look at the plate number, just the make model. I think he got one ticket paid this way ... guy was kinda an asshole.
I've had a friend do the reverse: parking in illegal spot, and borrowing a ticket from another car that already received one. Upon return some hours later, he returned the ticket to the correct windshield.
Quite brazen, and frankly a bit of an asshole thing to do.
I've seen a parked car with 3+ tickets on the windshield (didn't count but there was a small stack of them) in Austria. Had a foreign license plate though so probably just didn't care and wasn't gonna pay.
Around my area they almost always open existing tickets to check for the time/date. In addition many parking enforcement people patrol the same area all day and remember whether or not they already ticketed that vehicle.
Creative... I've not done it, but it seems if I get a really good scan of a ticket, put my info on it, and use it as needed, they don't have a record of it. So I'd never get a fine.
Someone tried that on me on campus but I noticed. I wasn’t supposed to be parked there either and was skating by on a technicality that worked as long as no one looked too closely into it. Otherwise I’d have called security and made his life uncomfortable for awhile. As far as I’m concerned, it’s fraud.
In the Starcraft 2 community it is called barcoding. Basically, I 1 | l are all accepted characters for a name and I think some do look actually identical on most fonts used in the game. So yeah, one person doing that you call "barcode", 2 persons doing that, you already have deniability. Be more than 10, and that's a crowd.
There was a time where call of duty ghosts was exploitable, and people could wipe/delete the accounts of anyone whose username/gamertag they knew. Streamers and pro players had to use barcode usernames to avoid getting their accounts deleted.
Google's AlphaStar StarCraft bot did just this under different accounts. Along with some other fingerprinting, many of the accounts and replays were found by the SC2 community.
To my knowledge, it played with only one account. It played exactly 50 games with every race. It was outed mainly because of two things: A very high win rate (above 80% IIRC) and the fact that as a zerg it produced units by selecting larvas directly, which no one ever does (someone explains that it uses control groups but they are hidden and don't show up in replays, I don't know how accurate it is)
this goes back at least as far as the original Unreal Tournament, I even saw a player using it in the fairly obscure Shogo: MAD multiplayer community. Never knew why it was done back then, I assumed it was just to be cute, but it did make it troublesome to mention them in ingame chats.
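"Barcode" names, the emblem-read-as-O plate and the "NO PLATE" story above are all the same identifier problem: strings that differ as bytes but not to the eye or the scanner. The usual defence at registration time is to compare a confusable-folded skeleton rather than the raw string. This is an added example, not from any post or game; the confusable table is a small hand-written one for the characters the thread mentions (a real deployment would use the Unicode confusables data), and the names in the test are constructed.

```python
# Added example (not from the thread): fold confusable characters before comparing names.
import unicodedata

# Visually confusable groups named in the thread. Which glyphs collide depends on the
# font in use, so this table is an assumption and would be extended per deployment.
_CONFUSABLE = {
    "I": "I", "l": "I", "1": "I", "|": "I", "i": "I",  # the "barcode" set
    "O": "O", "o": "O", "0": "O",                        # plate and VIN confusion
}


def skeleton(name: str) -> str:
    """Canonical form: compatibility-decomposed, accents dropped, confusables folded, upper-cased."""
    folded = unicodedata.normalize("NFKD", name)          # fullwidth and ligature forms collapse
    folded = "".join(ch for ch in folded if not unicodedata.combining(ch))
    return "".join(_CONFUSABLE.get(ch, ch.upper()) for ch in folded)


def find_collisions(names: list[str]) -> dict[str, list[str]]:
    """Group existing names whose skeletons coincide; these are indistinguishable on screen."""
    groups: dict[str, list[str]] = {}
    for n in names:
        groups.setdefault(skeleton(n), []).append(n)
    return {k: v for k, v in groups.items() if len(v) > 1}


def is_registrable(candidate: str, existing: list[str]) -> bool:
    """Refuse a new name whose skeleton is already taken, even if the exact string is free."""
    taken = {skeleton(n) for n in existing}
    return skeleton(candidate) not in taken
```

The same skeleton works in the other direction for the plate-reader case: matching a scanned "123OABC" against the registry's skeletons tolerates an emblem read as a letter, whereas an exact string match produces the daily ticket described upthread.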
Number plates existed for decades before ASCII was invented. Before computers, people often used mechanical typewriters which didn't have keys for 0 and 1: you typed 0 as O and 1 as l. I threw away one such typewriter recently. It was in good working condition, with its instruction manual. It had been made in a country that no longer exists. You may imagine how sad and nostalgic I felt.
I own a rare collector car with a three-digit VIN. This has caused endless hassles at the DMV as well as the insurance office.
Sometimes we find success by prepending the necessary number of zeros, before the VIN. Other instances in the same system require appending zeros after the VIN. The true VIN has a hyphen but that never makes it into the DMV's system. One time I got stuck in a particularly nasty loop where the DMV mailed over thirty notices claiming the register would expire on 01/01/0000.
I had a car—a 1971 Toyota Landcruiser FJ55–that technically had a tilde(~) in the VIN. It was in the format: FJ55~123456. When I bought it, the title had the VIN as FJ550123456. I just accepted and ignored it for a while, but when I decided to sell the car, given that most of my potential buyers were out of state (and in most states, out of state purchases require a VIN inspection) I tried to get it fixed. After six months of working with the motor vehicles department here, getting an inspection by state police, and everything else, I found out that their software couldn't handle any non-alphanumeric characters. In the end they decided to change the title to FJ55123456 so it skipped the tilde but didn't replace it with a character that didn't exist on the vehicle.
>I own a rare collector car with a three-digit VIN. This has caused endless hassles at the DMV as well as the insurance office.
I have a similar problem with my own identity. I was born in Canada's smallest province, PEI, and now live in its largest, Ontario. Some Ontario government software seems to have problems recognizing the relatively low numbers on PEI birth certificates.
Hmm, is this just because it is so few digits? I've had plenty of classic cars that have commission numbers with between six and twelve digits instead of VINs, and haven't ever had any issue with the DMV here in MA.
I used to work for ClassicCars.com ... there's a LOT of variation to VINs before 1980, they standardized in the early-mid 70's, used to know the specific year.
Tangentially related somewhat-common bug: YAML files will interpret the literal 'no' as boolean false if it's not quoted, instead of as a string.
Many developers have wondered why, when they stuck country-specific configurations in a YAML file, that things suddenly stopped working when they expanded support for Norway.
I always felt Yaml is far too complicated of a format for storing hierarchical data. JSON is too simple (no comments; hard to store multi-line strings).
HCL, the hierarchical data storage language used by Terraform, is the closest thing I’ve seen to a happy medium between JSON and Yaml.
Another option, if the string values are not multi-line, is CommentJSON (use the Python module or write 10 lines of code that strips out comments from JSON if using another language).
Also as an example of "always deserialize to known types". Flexible boolean values can be convenient since it's relatively human-readable, but "deserialize into [whatever the heck you think is appropriate]" is a problem for quite a few reasons beyond confusion: https://lgtm.com/blog/swagger_snakeyaml_CVE-2017-1000207_CVE... (same techniques have been used against other kinds of serialization in many languages for many years)
Every feature is a source of bugs. Be careful when constructing end user affordances for systems that have broad applicability and need to run over a very long time span.
Afterwards I just try to avoid yaml if I can. While it looks cleaner than json, I don’t find it especially easy to read and there is unnecessary ambiguity due to unquoted strings. And it seems to have a thing against Norway ;)
I don't have a problem with any of those representations, and also no problem with all of them at the same time.
But not only does the value representation keep the types ambiguous; there is also no off-channel place to disambiguate the types, and no value-independent rules for deciding on the types. If any of those was different, there wouldn't be a problem.
I remember a story when Microsoft translated some ancient version of Internet Explorer for Mac, there was a menu where you could select TLDs (I can't remember what for) and the .no domain ended up getting translated as the word
I've also heard a similar story of a Finnish man who got a ticket in the UK, and on closer inspection found his name on the ticket listed as Mr. Ajokortti Körkort. That's "driver's licence", first in Finnish, then Swedish, and is written at the top of the driver's license card.
That said, I find these stories a little hard to credit, since you'd expect police officers in the EU to be fairly familiar with the standard EU driver's license layout.
You’d expect offices in the US to be familiar with US states and territories, but that doesn’t stop them from occasionally demanding a passport from people from New Mexico, or saying a license is fake because there’s no such state as “District of Columbia.”
I once had a Texas policemen unholster his pistol on me because he thought my US Passport was a fake ID and my travelers checks were some sort of scam. Then his backup arrived and explained both items to him — and the Dairy Queen cashier that had called 911 on me. Stuff like that is why you have to stay on the interstate.
Based on "traveler's checks", I'm going to guess at least a couple decades ago. Cashier probably called 911 because they thought GP was trying to commit fraud with "fake money".
It's been a very long time, but my grandmother always used to give me spending money for vacations in the form of Amex traveller's checks. IIRC you could use them in essentially any situation where you could use an ordinary paper check (which was substantially more common back in those days).
Dairy Queen was a favorite from my childhood, I had moved away from Texas years earlier so I decided to indulge while visiting. These days I’m more into Sonic - the food is better, they have a greater variety of sweet treats, and I really like their iOS app.
Also, the common design, like with passports, provides numbers for the boxes, so e.g. 1 is "Name" and 2 is "First Name" and 5 is your license number with whichever authority issued the license. But it doesn't take a _very_ stupid person to write down stuff that's in the wrong box or not in a box at all when all of it seems like moon language to you.
Probably better to have a machine scan the identity document, not least because the machine can trivially avoid freaking out over "Nick Smith, born 2000-01-04" when the wanted criminal was actually "Mick Smith, born 2000-04-01".
I once had a cab driver take me to MIT.
Cab driver: "what is this place?"
Me: "MIT"
Cab driver: "what's MIT?"
Me: "the Massachusetts Institute of Technology."
Cab driver: "what's Massachusetts?"
I was already on the Brooklyn side. But the issue was literally that he had no idea what the Brooklyn Bridge was, not the precise drop-off location. (We just wanted to look around Dumbo for a bit.)
Irish driving licences didn't start to use the standard credit-card-sized EU format until a few years ago. They were paper booklets which had long since been phased out in the rest of Europe.
Here in Belgium new driving licenses are of the standard credit-card design (I don't know exactly since when), but most people still have the old folded paper design. Since the old licenses are still valid, and the new designs require renewal every 5 years which the old ones don't, there is no incentive for people to swap their old license for a new one.
I have a family member whose license plate started with "&". The DMV accepts it, plates were ordered online fine, but police systems can't handle it apparently, to my family member's ultimate discomfort. I commonly joke it probably gets the individual out of automated tickets for speeding and red lights, but when an officer pulls them over we sometimes need to explain that the "&" is dropped in the system (or so we've been told) and that seems to clear up issues.
In Washington State, you can register period-correct plates for your car. The problem is that you can't register the actual digits that are printed on the plate. The cops and cameras can't pull up your information, and you get stopped and questioned all the time. Explaining how the plates work to the Police gets pretty tiring.
Any word on whether the plate without the preceding '&' is in circulation? I'd be curious if your records in the police systems would be merged with the records of the owner of that plate.
The rules for california are the special symbols (which don't include &) are non-significant. Everything but the plate itself ignores them. Washington doesn't have special symbols, but does have an optional dash, which is also not significant.
I sometimes see California tags with a heart character in them. Does anyone know if those are considered part of the number, or are they just ignored as decoration?
The DMV made a mistake, they know it, and they aren't fixing it. In this case, the problem is relatively inconsequential but it is an institutional failure. The DMV is a government agency which is, at least in theory, somewhat indirectly accountable to the people. Which means that if they're treating one particular citizen unfairly, one option that citizen has is publicly shaming them. (Another option is to file a lawsuit. That's more work, though.)
As I see it, this person is performing a public service by not budging on this. It's nowhere near on the same level as Rosa Parks not going to the back of the bus, but sometimes we need people to not simply go with the flow because it's the easiest thing to do.
Considering that the DMV in most places already has a lot of shame heaped on it, I doubt this extra spoonful meaningfully moves the needle.
This guy is really just wasting his own time for no actual benefit to anyone. If he genuinely enjoys it, then sure, I guess each to their own, but if not...
But they're only performing a public service if it gets fixed -- which there's no indication in the article is happening.
And frankly, why would it? Different government agencies likely have zero reason to cooperate on it. Especially if, say, the DMV is responsible for the error, but the courts are the ones dealing with the cost.
So unless this guy has a reason to think it will get fixed because of him... he's just wasting his time, no?
Sure he did nothing wrong because it backfired like one of Wile E. Coyote's schemes but the article makes it clear he was hoping to confuse automatic ticketing systems. He was trying to get out of tickets. Sure he didn't break the letter of the law but he tried to break the spirit of the law and it bit him. Some might call that karma, I think he needs a better hobby than standing in line at the DMV which is ultimately what he has taken up. I wonder how long he'll keep going.
After the second go round or so he'll have a form letter. After the 4th or 5th time the DMV people will recognize it when it arrives. If it goes on long enough eventually all the employees will be aware of this edge case and he can probably appeal legitimate tickets.
Exactly! All he has to do is collect all the notices and deal with them every few months. Not to say there aren't other implications that might be more troublesome :P
Multiply that by a thousand or more if they had already accrued $10 million in "damages" by 1999 as they claimed. Apparently it would be extremely valuable to them.
On top of that, if anything, forcing the government to fix its bad code (insert snarky ambiguity between software code and legal code) can't be a bad thing. I'd buy the guy a beer.
I'm pretty sure the government will continue to just waste money processing his appeals instead of making an effort to fix the system.
So in reality, this guy is indirectly wasting taxpayer money. Sure, the government is wrong in not fixing it, but knowing that the government won't fix it, but continuing to behave this way, is his fault.
The problem is it's a "a privately operated citation processing center" that's causing the problem. They might even be instructed to hand-enter a NULL for these cases.
I don't really see an incentive for the govt agency to do anything about it. It's no skin off their nose. They'll just keep sending the tickets.
> "a privately operated citation processing center"
In a way, this is the real bug - one that affects more areas of local government than most people know or understand.
Our local governments are constantly seeking - and usually getting - private companies to do what should be public. The potential (and actual) repercussions to the system are serious.
For instance, how do such arrangement affect FOIA requests? What about other forms of transparency? Are we really getting our money's worth as taxpayers? Is the money actually being used properly or are costs being inflated?
It's a form of government privatization "by a thousand cuts" - we already know of the problems inherent in the system of privatizing out and contracting of private prisons; plus the loop they cause because of recidivism rates, because a repeat "customer" is better for the bottom line than one reformed for society. Which may be better for the private company, but has huge costs to society itself.
I wouldn't doubt that similar issues are happening with the privatization of other parts of our local government. It is sickening to me, personally.
Yeah, just b/c he is stubborn enough and doesn't wish to give up his vanity plate instead of folding. Pretty much nothing that hard/uphill battle has happened to him.
Those would be the options if there was an attack against him, but there's not any attack against him. Wrongly addressed tickets are hardly even a minor inconvenience. I think that's what the parent is saying.
It's a figure of speech which means to argue on a point of principle without regard to the cost when you know you aren't going to effect change. It absolutely doesn't make sense in the context where there's no attack. Otherwise how does the dying come into play in the analogy?
> Wrongly addressed tickets are hardly even a minor inconvenience.
Now I wonder what you would consider a minor inconvenience. "Oh yeah that time they suspended my licence that was a minor inconvenience for me."
Wrongly addressed tickets are a real hassle. I'd assume that if you don't contest them in time, you have to pay them. And if you don't pay them, they will suspend your licence. (I don't really know. But I assume that's what would happen.)
If he sees spending time and effort expunging his record every few weeks as worth the trade-off for the 'extra notoriety', then power to him. I wouldn't do that.
> Droogie contacted the DMV who told him to change his plate. He refused because he didn't do anything wrong. While they wiped the fines off his record, unfortunately for him, they didn't fix the problem in the system so once again, Droogie has accrued another $6,000 in tickets that he had nothing to do with. He says he won't be paying those either.
Except he just contacted the DMV. No lawyers necessary.
A number of years ago I was frustrated because they never sent me my renewed card and it turned out they never updated my address even though I did the paperwork. Took it to twitter and tagged @CA_DMV and they responded pretty quickly and took care of it. Got my new card pretty much next day.
For the first time or two, maybe. But you'll be paying for it with hours, possibly tens of hours, of your own free time. And the US legal system is a fickle beast; what seems to you like a slam dunk might not actually be so certain.
After the second or third time, the judge will ask, "why didn't you just change your license plate to something else and avoid all this hassle?" And when you answer, "I've grown fond of the plate, and want the DMV to fix its systems", the judge will sigh, and rule against you for wasting his/her time instead of just changing your license plate.
What do you mean "after the second or third time"?
Are you suggesting that if this person were to sue for the repeated harassment and presumably prevail (with some kind of damages attached) that the behavior would persist?
There was a similar issue in California where, in the days before on-line choosing of vanity plates, you would give three choices. One guy couldn't come up with a third option so he wrote "NO PLATE" and ended up with that as his plate with similar results. Snopes has the story:
Earlier this summer I decided that I'd found a loophole and ordered 'N0 TAG' and 'N0NE' (zeros) for my motorcycles. The license plate font doesn't distinguish between 0 and O but the computers seem to account for visually similar characters -- I could not order the same plates with Os after they'd issued.
Haven't caught anyone else's tickets so far. SunPass won't accept 'N0 TAG' being associated with my transponder tho (have not tried 'N0NE' yet).
I did get pulled over on my very first ride with 'N0 TAG' and the first words out of the cop's mouth were 'Is that tag legit?' That may or may not have been a factor in catching a warning instead of a ticket that I absolutely earned.
> The license plate font doesn't distinguish between 0 and O
When the German license plates were redesigned in the mid-1990s, a different font was also incorporated, which was engineered explicitly to thwart similar-shape attacks: https://en.wikipedia.org/wiki/FE-Schrift
It seems meaningful to me that the wired website works (sort of; the left margin is 1/3 of my screen) with JavaScript disabled, and outline doesn't work at all.
Years ago (in the late 90's or early aughts) when ordering vanity plates online became a thing, I got approved for the plate "127.0.0.1". This was a California or NC plate - can't remember as I lived in both states. I checked the mailbox excitedly every day like Ralphie from A Christmas Story for my uber cool plate. When I finally did get something from the DMV, it was too small to be a license plate and was simply a note that said "Sorry, your requested plate conflicts with a motorcycle plate, so we have to deny your request." Huge bummer, but I guess 127.0.0.1 becomes 127001 in their systems.
I have DBA registered in my local county. The DBA name is:
' or 1=1; drop table sys.systable; -- Computer Services
I had a lot of fun at Bank of America when I signed up for my business bank account shortly after registering the name. Not quite a license plate but similarly themed
It always makes me so happy to see a "little Bobby tables we call him" reference when data inputs are discussed!!!
I will assume that we are all aware of the Exploits of a Mom, but just in case we have anyone reading this that doesn't already appreciate XKCD: https://www.xkcd.com/327/
Another picture (which I can't seem to find now) purportedly showed how one of the screens over the highway was displaying just an error message after triggering this exploit.
I doubt that. Normal people do not tend to use the word NULL at all.
What this usually is is the result of systems that talk to systems that talk to systems that talk to systems, all in different legacy formats never written to be interchange formats. One system has true SQL NULLs, the next system down the chain only accepts strings for that field, NULL gets written as the most sensible string, and then from that point on all downstream systems can't tell the difference between the original system having had an SQL NULL or having had the string NULL.
And I still expect my story is more accurate, with theirs being a reasonable expectation of what you'd get when some techie tells their manager what happened, who tells their manager, who tells the reporter.
To be clear, I'm not denying that what you say is literally true, just that by the time I'm done filtering that particular fact through my personal belief network and personal experiences, I still end up saying that my story is more likely. It's true enough that they put a "NULL" in, it's just that the way the private firm does that is most likely that the field agents leave it blank, some software somewhere puts a NULL in some database, and the report that comes out for the enforcing authority has NULL in it. For a reporter, it's not a false statement, it's just not all the technical details.
With this story, the responsibility ends up distributed in a very plausible manner I've seen many times over; HN readers could fill in dozens of similar stories no problem. It's a problem characteristic of these sorts of systems and the way they tend to communicate with each other.
People use the word NULL and in all caps as well, in particular in bureaucratic processes like those you would encounter at the DMV.
NULL & VOID, etc.
It is entirely reasonable that the system would not accept an empty string for the plate so the process folks worked around that by instructing all employees to write NULL if they couldn't read the plate.
Many people who are not programmers per se come into contact with databases that use SQL enough that they might absorb a few random concepts or names for things.
So, some bureaucrat might in fact know "NULL" because they type a command into a database every Tuesday to run a report.
Actually, I think it's doubtful the folks at the private processing facility are actually writing 'NULL', but my guess is the DB field is just not set (i.e. left as NULL), and then when the info is read out somewhere it's just printed as the string literal value.
As my other comment points out, this is probably systems talking to systems talking to systems talking to systems to the nth degree. So even if the first system did in fact distinguish the NULL case from the string case, it only takes one system in the chain to be incapable of representing the difference to permanently and unrecoverably wreck it for all downstream systems.
What are the odds at least one system silently filters out apostrophes as invalid characters in license plate fields? Pretty good. These systems are often unattended, unmonitored processes often maintained by people who either can't fix errors upstream, or don't even want to, so these conversions are often written extremely permissively, trying to get through the data with whatever heuristics are necessary for the process to just Keep Working.
A colleague’s name is “True.” When we ran some reports to generate a check in list for an event - it was converted to either “TRUE” or “1” depending on the script.
I was amused.
Even without sql doing odd things certain strings will just cause problems.
Depends on how you define "special." I've seen hearts on California tags, and I think some glyphs on Virginia tags, but I might not be remembering that correctly.
That's just part of the design. They are ignored when you type it in, etc. and you can't have ABC<heart>123 and ABC123 simultaneously existing because they're the same to the DMV.
I presume this is already on thread but Irish police conducted a manhunt for serial traffic offender "Prawo Jazdy" - till they realised that was "Driving License" in Polish.
I recently saw a car with a license plate of B8B88BB8 (or something to that effect) that I am almost certain the owner chose to make it hard to read and transcribe correctly by either humans or computer vision systems.
I read that someone tried to register a license plate with a random sequence of Os and zeros (e.g. "OO0O00"). Unfortunately, it worked too well because the person doing data entry at the DMV ordered him a plate with all Os. :)
It doesn't take much to break some of those though.
I have a custom plate that is two common words, on a California 60s vintage plate (black plate with yellow lettering) and most parking garages that check and print your plate on the ticket always butcher it. Instead of (replaced for privacy) "FOO BAR" it will say "8A2M31W" or some garbage.
I'm surprised more places don't do what Nintendo did with course ids in Super Mario Maker 2. They intentionally removed some characters that are visually similar to avoid confusion when writing out codes.
base32? "an alphabet of A–Z, followed by 2–7. 0 and 1 are skipped due to their similarity with the letters O and I (thus "2" actually has a decimal value of 26)."
https://en.wikipedia.org/wiki/Base32
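The two themes in this branch of the thread (plate fonts that cannot tell O from 0, and alphabets like base32 that drop the confusable glyphs) and the 'N0 TAG' / 'NO PLATE' / '127.0.0.1' stories above all come down to one registration-time check. Here is an added example of that check, not from the thread and not any DMV's actual logic: a requested plate is folded into a reduced alphabet (confusable glyphs merged, decoration dropped), then compared against already-issued plates and against the placeholder strings that downstream ticketing systems use for "no plate". The confusable map, the sentinel list, the length rule and the pre-issued plate '127001' are all assumptions for the demo.

```python
# Added example: canonicalise a requested vanity plate before checking
# uniqueness and reserved words. Map, sentinels and rules are assumed.

# Glyph pairs an embossed plate font typically does not distinguish
# (assumed set). Folding them yields a reduced alphabet in the spirit
# of base32, which simply omits 0 and 1 to avoid O and I.
CONFUSABLE = str.maketrans({
    "O": "0", "Q": "0", "I": "1", "L": "1",
    "Z": "2", "S": "5", "G": "6", "B": "8",
})

# Things that are not part of the number: spaces, dashes, dots, decoration.
DECORATION = set(" -.♥")

# Placeholders seen in the article and thread (NULL, NO PLATE, NO TAGS)
# plus a few obvious variants (assumed). Compared in canonical form.
RESERVED_WORDS = {"NULL", "NONE", "NO PLATE", "NO TAG", "NO TAGS", "UNKNOWN", "BLANK", "N/A"}


def canonical(plate):
    """Upper-case, drop decoration, fold confusable glyphs."""
    kept = "".join(c for c in plate.upper() if c not in DECORATION)
    return kept.translate(CONFUSABLE)


RESERVED = {canonical(w) for w in RESERVED_WORDS}


def validate_request(plate, issued):
    """Return (ok, detail). `issued` holds canonical forms already on the road."""
    canon = canonical(plate)
    if not canon.isalnum() or not canon.isascii() or not 2 <= len(canon) <= 7:
        return False, "invalid length or character"
    if canon in RESERVED:
        return False, "reserved sentinel"
    if canon in issued:
        return False, "collides with an issued plate"
    return True, canon


def register(plate, issued):
    """Issue the plate if it passes; the canonical form is what gets stored."""
    ok, detail = validate_request(plate, issued)
    if ok:
        issued.add(detail)
    return ok, detail


if __name__ == "__main__":
    # Constructed registry: a motorcycle plate 127001 is already out.
    registry = {canonical("127001")}
    for request in ["127.0.0.1", "N0 TAG", "NULL", "OO0O00", "HN 2019", "OOOOOO"]:
        print(request, "->", register(request, registry))
```

'127.0.0.1' folds to '127001' and is refused for the reason the commenter above was given; 'N0 TAG' and 'N0NE' fold onto 'NO TAGS'-style sentinels and are refused even though the requester used zeros; 'OO0O00' and 'OOOOOO' become the same plate, so the second one to be requested loses. The price of the fold is that the stored form is not the printed form, so the printed plate must be kept alongside it for the plate-maker, which is exactly what a system that collapses '127.0.0.1' to '127001' failed to do.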
"Droogie contacted the DMV who told him to change his plate. He refused because he didn't do anything wrong. While they wiped the fines off his record, unfortunately for him, they didn't fix the problem in the system so once again, Droogie has accrued another $6,000 in tickets"
So wait, after he knew this was the outcome from using this plate he just decided 'nope, the DMV will definitely rectify this error'? Maybe he has a much higher tolerance for dealing with the DMV than I do, but surely there are far more productive ways to spend your time than constantly battling against invalid tickets. Additionally, I would be concerned about not being able to waive some of these tickets at some point and actually having to pay them. $6k isn't exactly an insignificant amount and could also really impact insurance rates.
It's a matter of principle though. Droogie hasn't done anything wrong, and is receiving fines due to errors made by the DMV.
You're right that when faced with a choice between acting on principle vs acting pragmatically/for one's own benefit/convenience/need, people often don't have the luxury of (or patience for) choosing the former. But it's nice to see when someone does.
That's arguable, actually. The article states, but doesn't provide evidence, that Droogie "hoped it might confuse automatic license plate readers or the DMV's ticketing system".
If this was done in an attempt to evade enforcement of existing laws, then sorry: that's a crime, folks. You aren't allowed to pen test live systems!
Intent is absolutely relevant in criminal law. The phrase "with the intent of" or "for the purposes of" appears everywhere in the field. Go browse through the quoted text of the CFAA here and see what you can find: https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act
I'm not interested in getting involved in a philosophical discussion about whether anarchic hacking "should" be a crime. I'm saying that given the text of that article, an enterprising prosecutor could probably get a conviction for one.
Don't fuck with other people's systems. Even (and especially) when they're running shit code.
TBH it's a very silly principle to fight for: "I DEMAND YOU HAVE NO BUGS!" And the DMV could just as well argue "Sorry, the bug is that we never should have accepted your NULL plate application in the first place, so we'll send you a non-vanity plate".
I agree with the outcome of your premise to some degree. But he did do nothing against their stated policies regarding vanity plates. They issued him the plate. I am of the opinion that if they have a flaw in their code, it is on them to fix it, not the 'customer' to change their situation after the fact...
He's not demanding they have no bugs, he's merely refusing to provide a workaround for their bugs at his own expense and inconvenience (sure refusing to may actually involve other greater expense and inconvenience but that's beside the point).
The suggestion in the latter half of your comment is notable in that that's not what they said or offered. They don't even seem to have offered any recompense, which could at least be seen as a reasonable middleground (though still a compromise for Droogie who is denied his vanity plate post facto)
This post has way too much traction to flag now but I wish we didn’t have sites like this that take a bit of admittedly interesting content from elsewhere and repost it with an infinite scroll of spammy ads.
Seems to be a clever technique here too, ending the article with what seems like a non-ending, so the user will keep scrolling.
If I remembered where the original content was I’d post it, or had a desktop/laptop browser to search with right now, I’d post a link, but I don’t. I just remember having read a much better article about this in the past.
My buddy Stan registered for null@verizon.com back in the early 2000s so you could link sms to email delivery. Wound up with so. many. text messages. Reminders to take medicine, personal convos, sports results, everything.
I recently bought a *.ninja domain name and started using it for my personal email address. Probably 20% of the time, when I try to sign up for a service it gets rejected by web forms that have been hardcoded to check for traditional top-level domains.
Oh you think that's bad? My email address ends in that most exotic of domains, .net
I find websites that won't accept it because they think it's an invalid address all the time. I have no idea what logic they're using, would love to find out.
If I recall correctly, this comes up a lot with null.com too with respect to emails, etc. I think there was even an HN post about all the null@null.com emails collected by someone.
Let's talk about one specific thing from the article:
>Things started to go awry when he first registered the tags. He tried typing in his license plate but the DMV website wouldn't accept it.
Let's talk about the fact that the DMV website wouldn't accept it. Do you think this is all right behavior on the part of the DMV website?
It's really interesting because if you're coding up the DMV web site, it makes sense to disallow NULL just as a preventative measure, like not allowing '-- in a query (to prevent SQL injection attacks.)
I would generally think that on the whole you should accept -- as a substring in a password. But is it wrong programming if you don't allow that substring?
Disallowing it could cause someone's chosen password to fail, so they have to change it for you to accept the password they want, but if you know for sure that you use sql as part of processing passwords you might well decide that it is acceptable to make people have to try a new password before you'll accept theirs, in case you are not confident that you are escaping everything correctly.
So from my end it seems okay to do something like disallow NULL.
If you consider the choice of the programmer on DMV's web site, what do you think about their choice to reject this input, even though in fact it turned out to be legitimate? Is it acceptable programming practice?
I don't believe this is acceptable. By any modern sane best practice, the word NULL in a string from a web form (where your input is basically by definition a string) is a string like any other
Blocking -- in a string does not prevent SQL injection attacks. Using proper parameterised queries does. This might sound mildly hostile but "you are not confident that you are escaping everything correctly" - when this is a well defined and solved problem - means you should not be building this application as you're too incompetent to. For the millions of taxpayer money wasted on this kind of thing, it is absurd.
Blacklisting keywords used in XSS is also completely futile, pointless, useless, and does nothing but piss off users that can no longer use anything containing the word log or window or whatever.
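The DBA name quoted earlier in the thread and the point just made about blacklists versus parameterised queries fit in one added example. This is not code from the thread or from any DMV system: an in-memory SQLite table of constructed business names, the DBA name stored and looked up through a parameterised query (where it is just text), and beside it a lookup that builds SQL by string formatting and "defends" itself by stripping `--` and `drop`, which a probe containing neither walks straight past.

```python
import sqlite3

# Added example: parameterised lookup beside a string-built lookup with
# a keyword blacklist. Table, rows and the probe are constructed.

DBA_NAME = "' or 1=1; drop table sys.systable; -- Computer Services"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE businesses (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    # Parameterised insert: the quote, semicolon and comment marker are
    # bytes inside a TEXT value, so the registration succeeds as written.
    conn.executemany("INSERT INTO businesses (name) VALUES (?)",
                     [("Acme Plumbing",), (DBA_NAME,)])
    return conn


def strip_blacklist(value):
    """The futile defence: delete '--' and the word 'drop'."""
    for bad in ("--", "drop", "DROP"):
        value = value.replace(bad, "")
    return value


def lookup_unsafe(conn, name):
    """Builds the statement from the input; the blacklist changes nothing
    for inputs that use other SQL syntax. (SQLite's Python driver refuses
    statement batches, so the DBA name's DROP would not run here, but a
    driver that executes batches would run it.)"""
    sql = "SELECT name FROM businesses WHERE name = '%s'" % strip_blacklist(name)
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """Parameterised: the value cannot change the statement's shape."""
    rows = conn.execute("SELECT name FROM businesses WHERE name = ?", (name,))
    return [row[0] for row in rows]


def demo():
    conn = make_db()
    probe = "' OR '1'='1"   # contains neither '--' nor 'drop'
    return {
        "unsafe_probe": lookup_unsafe(conn, probe),  # every row comes back
        "safe_probe": lookup_safe(conn, probe),      # nothing matches
        "safe_exact": lookup_safe(conn, DBA_NAME),   # the literal name, stored fine
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

The only input handling the safe path needs is length and character-set rules for the business's own sake; nothing about SQL syntax belongs in it. The blacklist path, by contrast, has to anticipate every way of writing a tautology, which is why it cannot be made correct.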
That's a bit curious though. If the code relies on a magic value, you'd think it's in order to skip trying to get data it doesn't have, like the address of the unidentifiable cars.
Even if NULL then does have this address attached, why does it take the branch where it looks for the data?
I suppose it would be in a relational DB, perhaps there's a join that drops missing entries, but if they aren't missing they show up?
The code doesn't rely on a magic value, the humans have decided that an empty value will be typed, by hand, into their terminals as the characters "NULL".
The problem is that the employees with access to the system are required to enter a 'valid' value. But in some cases there is no value. So the 'valid' value they've come up with is the string "NULL" - they can't use "~~NULL~~" because ~ isn't allowed on a license plate. So because A) anyone can request a valid value on a plate, and B) nonce values must also be "valid" within the system, the tax payer is capable of ordering a nonce value on a plate.
They're likely different organizations. The one that entered 'NULL' license plates was a "privately operated citation processing center" so they presumably weren't in charge of looking up the addresses for each license plate. If they were it would be rather pointless to save the 'NULL' value in the first place.
I bricked my profile page on Zomato. There is (was) a feature where you can choose a custom URL for your profile page. I chose something which already was a valid URL for them. Now when I click on "my profile", it goes to "https://www.zomato.com/genjs". I can't edit anything in my profile now.
Danny White, a resident of Washington, DC, had a similar problem: his vanity license plate read "NO TAGS", which happens to be what police there put down in the license plate slot for missing plates.
The same issue is seen on social networks that identify users by their usernames: before it was suspended, twitter.com/null had just 2 tweets, but over 70K followers: http://archive.is/Dt6af.
I have a friend who told me his story enrolling in his university. He's a German national who grew up in Spain. I'm going to call him Andres Schmidt, as the actual name is not relevant.
In Spain, people normally have two surnames, one from the mother and one from the father (no, it doesn't exponentially grow with generations :D). He had issues enrolling in uni, as the system required two surnames so he ended up with "Andres Schmidt Schmidt". He had issues down the road as well, having to explain himself every time he needed to register for something. I think the student id was also a hash which included the name and he hadn't been consistent with his "full" name in all systems.
The interesting question this article poses is whether there's a system in place for the government to revoke vanity plates it's already approved. Can they force him to change the plate?
Ontario Canada has an anesthesiologist with a “FENTANYL” license plate.
Was funny in 1995, not so much now.
So he went to the DMV and asked them to change it, and they wanted to charge him to do that.
He’s like, no, i’m not paying.
Eventually he writes a letter to his politician saying “please revoke my license plate” and eventually he gets a letter saying they got a complaint (ie: his) and the DMV wants to revoke his plate.
But he had to wait 30 days for the appeal clock to run out, just in case he wanted to appeal his own complaint.
Kinda funny, but kinda sad that someone paid $400k+ per year by the government wasted thousands more because he didn’t want to pay the $100 plate change fee.
Yes, of course they can revoke vanity plates. For example, the story (2002-2004) of the Washington software engineer who spent a couple of years fighting to keep his "GOTMILF" license plate and ended up having it canceled.
I never understand how these sorts of bugs happen - is the database something like:
plate VARCHAR(8) NOT NULL DEFAULT "NULL"
Or rather the type is actually Option<String>:
plate VARCHAR(8) NULL DEFAULT NULL
In which case, how is it the software can't tell the difference between Some("NULL") and None()?
The only thing I can think of is the software (or its database driver) handles everything in strings; so None() and Some("NULL") both get converted to "NULL"?
Based on the description in the article, it's a separate system that is actually entering "NULL" in the license plate string field, probably for things like red light camera violations. Chances are it's a human doing this according to a procedure or the system is set up to require entry of some text in the field, so they have to enter something and opted for "NULL" if the actual plate is unreadable / unreliable / not present. This is unfortunately how a lot of things in the real world work, especially on legacy systems.
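The question above (how can software fail to tell Some("NULL") from None?) and the earlier comments about chains of systems where one hop can only carry strings can be answered with one added example, not taken from the thread or from any real citation system. A nullable plate column holds an ordinary plate, a real SQL NULL for a camera read that failed, and the typed string "NULL"; a lossy export flattens the NULL to the text "NULL", and the next system downstream then bills both rows to the same plate. A lossless export that carries a separate "missing" flag keeps them apart. Table layout, rows and the CSV formats are constructed.

```python
import csv
import io
import sqlite3

# Added example: where the SQL NULL / string "NULL" distinction is lost
# between systems. Schema, rows and export formats are constructed.


def make_citations():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE citations (id INTEGER PRIMARY KEY, plate TEXT NULL, fine INTEGER)")
    conn.executemany("INSERT INTO citations (plate, fine) VALUES (?, ?)", [
        ("7ABC123", 60),   # ordinary plate
        (None, 60),        # camera could not read the plate: real SQL NULL
        ("NULL", 60),      # a clerk typed the word, as the article describes
    ])
    return conn


def fines_for_plate(conn, plate):
    """Upstream system: NULL never equals anything, so only the typed row matches."""
    row = conn.execute("SELECT COALESCE(SUM(fine), 0) FROM citations WHERE plate = ?",
                       (plate,)).fetchone()
    return row[0]


def export_lossy(conn):
    """Strings-only interchange: the 'most sensible string' for NULL is NULL."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["id", "plate", "fine"])
    for cid, plate, fine in conn.execute("SELECT id, plate, fine FROM citations"):
        w.writerow([cid, "NULL" if plate is None else plate, fine])
    return buf.getvalue()


def export_lossless(conn):
    """Same rows, but missing plates travel as an empty field plus a flag."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["id", "plate", "plate_missing", "fine"])
    for cid, plate, fine in conn.execute("SELECT id, plate, fine FROM citations"):
        w.writerow([cid, "" if plate is None else plate, 1 if plate is None else 0, fine])
    return buf.getvalue()


def import_downstream(csv_text):
    """Downstream system: reloads the export and totals fines per plate.
    Missing plates (flag set) are kept under the key None."""
    totals = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = None if row.get("plate_missing") == "1" else row["plate"]
        totals[key] = totals.get(key, 0) + int(row["fine"])
    return totals


if __name__ == "__main__":
    conn = make_citations()
    print(fines_for_plate(conn, "NULL"))                 # 60
    print(fines_for_plate(conn, None))                   # 0: NULL = NULL is not true
    print(import_downstream(export_lossy(conn)))         # NULL owes 120
    print(import_downstream(export_lossless(conn)))      # NULL owes 60, None owes 60
```

Note that the upstream database was never confused: `WHERE plate = 'NULL'` matches only the typed row. The damage is done by the export, and once a hop has emitted the text "NULL" no system after it can undo that, which is the point made earlier about one incapable link wrecking everything downstream.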
It would seem to me that issuing frivolous citations to a man who has not actually broken the law is a violation of the general prohibition against unreasonable fines and punishment.
Reminds me of myself: when gmail came out I got my name@gmail
The name is my 6 letter last name.
I've received thousands of emails from random people. There are so many letter.name or number.name similar addresses that I'm constantly getting very personal emails of other people (deaths, marriages, invoices, business reports, etc)
Reminds me of a recent groceries delivery to my home. I had ordered online the day before and had some trouble filling in the form but managed to validate it anyway.
The delivery man called to tell me my address was incorrect. When I asked him what was wrong, he told me it said 'Null Null Null Null'.
Actually, it was brilliant because it pointed out how flawed the system is, that it can be passively broken or circumvented. This could be used to invalidate all citations that were issued from agencies using that software.
I rather think that it did work. Or, at least, if he continues being successful having tickets for "NULL" dropped. Because any tickets he actually gets will be to "NULL".
> Apparently, when they didn't have the right data for a vehicle, a privately operated citation processing center used the word NULL in the license plate field for many tickets.
I have named my phone "Null Pointer Exception". Whenever I connect my phone to a friend's Bluetooth they immediately scream: "oh look! null pointer exception!"
It's not a database sanitization issue. The problem is that for cars that don't have a plate or the plate wasn't entered for whatever reason, in some cases people were entering "NULL" (the string). That then ended up matching his plate.
The 'NULL' string was being entered by the private company:
> Apparently, when they didn't have the right data for a vehicle, a privately operated citation processing center used the word NULL in the license plate field for many tickets.
Confusing the value NULL for a non-null string-sequence which says “NULL” shows the clear sign of a system where no data can be assumed to hold any integrity.
These bugs and categories of errors should simply not be possible in sane languages or frameworks.
> Apparently, when they didn't have the right data for a vehicle, a privately operated citation processing center used the word NULL in the license plate field for many tickets. Since that just happens to be Droogie's license plate, he got all of them.
So it's 'confusing' the string NULL used incorrectly (kind of, it's fine under the assumption that no one will have the license plate NULL but that assumption is wrong) with the string NULL.
This isn't an issue with the program lacking a valid input. The 'NULL' was hardcoded as a default value by a private processing company. (See the third paragraph in the article.)
Stories like these and the bobby droptables xkcd are the reason I ended up with this plate, https://i.imgur.com/O7KEFrn.jpg It gets a lot of compliments and attention even if most people don't know what "null" is
In any state private companies' tickets don't count since they aren't issued by an officer of the court. You can just straight up ignore red light camera tickets.
This reminds me of the bit that mentions that St. Peter has a list of questions he asks people at the Pearly gates. Among them he asks, “Did you have a vanity plate?”
There are ways to properly sanitize inputs these days so NULL becomes "NULL" (string), BUT also tons of systems moved into JSON format assuming it's safe. It is not. JSON is not binary safe and there are tons of unicode chars that will break JSON. I was once overseeing a system that people would bring down all the time by registering usernames that the app could not properly sanitize, and in return they were breaking the JSON format to the halt of the whole system. I should not admit it, but using the same chars I myself broke a few YouTube channels when comments and votes were working in JSON format themselves without properly removing unsafe char codes. Good times.
Well not me. More like a large number of websites used to or still have. The assumption was all I need is JSON and it will properly format data during exchange.
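An added example (mine, not code from anyone in this thread or from the article) that shows the failure the comment above describes and the usual mitigation: hand-rolled "wrap it in quotes" serialization versus a real JSON encoder, plus base64 for binary that JSON cannot carry. The usernames and the byte blob are constructed samples, not data from any real system.

```python
import base64
import json

# Constructed sample usernames (my assumption, not data from the thread): the
# first is harmless, the second closes the string and injects a field, the
# third carries a raw control byte that JSON text must not contain unescaped.
SAMPLES = [
    "alice",
    'bob"},{"admin":true,"name":"',
    "mallory\x00ctl",
]

def naive_json(username: str) -> str:
    """Hand-rolled 'wrap it in quotes' serializer: the bug the comment describes."""
    return '{"user":"' + username + '"}'

def safe_json(username: str) -> str:
    """A real encoder escapes quotes, backslashes, control characters and non-ASCII."""
    return json.dumps({"user": username}, ensure_ascii=True)

def is_single_user_document(doc: str) -> bool:
    """True only if doc parses as exactly one object with the single key 'user'."""
    try:
        obj = json.loads(doc)
    except ValueError:           # JSONDecodeError is a subclass of ValueError
        return False
    return isinstance(obj, dict) and list(obj) == ["user"]

def round_trips(username: str) -> bool:
    """The encoder output must decode back to the exact original username."""
    return json.loads(safe_json(username))["user"] == username

def audit() -> list:
    """For each sample: (username, naive output still valid?, encoder output valid?)."""
    return [
        (u, is_single_user_document(naive_json(u)), is_single_user_document(safe_json(u)))
        for u in SAMPLES
    ]

def bytes_to_json(blob: bytes) -> str:
    """JSON has no byte type; arbitrary binary must be base64-encoded, not decoded as text."""
    return json.dumps({"blob": base64.b64encode(blob).decode("ascii")})

def json_to_bytes(doc: str) -> bytes:
    """Inverse of bytes_to_json."""
    return base64.b64decode(json.loads(doc)["blob"])

if __name__ == "__main__":
    for user, naive_ok, safe_ok in audit():
        print(f"{user!r:40} naive={naive_ok} encoder={safe_ok}")
    print(bytes_to_json(b"\xff\xfe\x00"))   # bytes that are not valid UTF-8 travel fine as base64
```

The point for a defender is that "sanitizing" usernames is the wrong layer: the serializer is responsible for producing valid JSON for any string, and a strict parser on the receiving side (the default in Python's json) should reject documents with raw control characters instead of silently accepting them.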
This isn't even a coding error, NULL is apparently a valid license plate, and for some reason there is a private processing center typing it in to the government system.
First of all they are accidentally committing fraud (libel?) against this guy. But more importantly, why is there a private processing center? Don't the officers type this in as they fill out the ticket? or even just scan the plates? If there aren't plates on the vehicle it should be towed or booted. What is the point of recording tickets with no plates? Is the processing center paid per ticket recorded?
> This isn't even a coding error, NULL is apparently valid license plate, and for some reason there is a private processing center typing it in to the government system.
I would take that with a grain of salt. The linked article is on a talk-radio site, and was likely intended as a wacky news bite that the hosts breeze through and then make jokes about. I figured the exact technical details of what is causing the problem were lost in translation. More likely that they were leaving the plate blank, and then the backend software was confusing null database fields with the string "NULL".
Brand new cars don't yet have plates. Granted, most states now have dealer-printed labels with an identifier on them, but still, new cars don't immediately have plates when they roll off the lot.
When I lived in West Virginia, recently sold cars did not have temporary tags. It was very common to see hand-scrawled signs "TAF" in the back windows. TAF stood for "Tags Applied For."
And php makes it easier than python, but it isn't a scripting language. Your original point is still invalid.
Alternatively, some amazing tooling has been written in these "terrible" scripting languages. Instagram was sold for a billion dollars and was a glorified Python Django webapp on top of a Postgres database.
I got in a similar debate with a coworker recently over some go code he wrote. He told me that go code didn't need full unit tests because the compiler checked for bugs. Amusingly, he swapped the order of two int arguments in a pull request literally an hour after our discussion. I pointed out how a unit test would have prevented the production regression he caused, and then he started writing tests for his changes. So yet again, scripting languages have nothing to do with "good" or "bad" code. It is all about good vs bad developers.
I think if you want to blame scripting languages, you need a license plate that says "None" or "undefined".
What happened in this case was that people used the literal value "NULL" to mean "I don't know". They could have used the word "LOLCAT" and the effect would have been the same. Overuse of in-band signalling is a general design flaw not specific to any programming language. (Remember when people would whistle a 2600Hz tone to make free phone calls? Same thing as this.)
If you want to throw darts at someone, I think database systems with three-valued logic would be a better target. This criticism (not for these reasons) has been leveled...
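An added example (mine, not code from anyone in this thread or from the article) that puts the two schema guesses from earlier in the thread (`plate VARCHAR(8) NOT NULL DEFAULT "NULL"` versus `plate VARCHAR(8) NULL DEFAULT NULL`) side by side with the in-band signalling and three-valued logic points made above. The citation feed is a constructed sample; the only real plate value in it is "NULL" from the article.

```python
import sqlite3
from typing import Optional

# Constructed sample feed from a citation processor (my assumption, not data
# from the article): ticket id, plate text if it was read, and a separate
# flag saying the plate could not be read at all.
FEED = [
    (1, "7ABC123", False),
    (2, "",        True),    # unreadable: nothing to record
    (3, "NULL",    False),   # the one car whose plate genuinely reads NULL
    (4, "",        True),
    (5, "",        True),
]

def build_sentinel_db() -> sqlite3.Connection:
    """Thread's first guess: an unknown plate is stored as the word NULL (in-band signal)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE citations (id INTEGER PRIMARY KEY, "
        "plate VARCHAR(8) NOT NULL DEFAULT 'NULL')"
    )
    for tid, plate, unreadable in FEED:
        if unreadable:
            # omit the column so the sentinel default fills it, exactly as a clerk typing NULL would
            conn.execute("INSERT INTO citations (id) VALUES (?)", (tid,))
        else:
            conn.execute("INSERT INTO citations (id, plate) VALUES (?, ?)", (tid, plate))
    return conn

def build_nullable_db() -> sqlite3.Connection:
    """Thread's second guess: an unknown plate is stored as SQL NULL (out-of-band signal)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE citations (id INTEGER PRIMARY KEY, "
        "plate VARCHAR(8) NULL DEFAULT NULL)"
    )
    for tid, plate, unreadable in FEED:
        value: Optional[str] = None if unreadable else plate   # None binds as SQL NULL
        conn.execute("INSERT INTO citations (id, plate) VALUES (?, ?)", (tid, value))
    return conn

def tickets_for_plate(conn: sqlite3.Connection, plate: str) -> list:
    """Ticket ids that would be mailed to the registered owner of `plate`."""
    rows = conn.execute("SELECT id FROM citations WHERE plate = ? ORDER BY id", (plate,))
    return [r[0] for r in rows]

def tickets_with_unknown_plate(conn: sqlite3.Connection) -> list:
    """Ticket ids with no plate: only findable with IS NULL, never with = 'NULL'."""
    rows = conn.execute("SELECT id FROM citations WHERE plate IS NULL ORDER BY id")
    return [r[0] for r in rows]

def null_equals_text(conn: sqlite3.Connection):
    """Three-valued logic: NULL = 'NULL' evaluates to unknown, which sqlite3 returns as None."""
    return conn.execute("SELECT NULL = 'NULL'").fetchone()[0]

if __name__ == "__main__":
    print("sentinel schema, plate NULL:", tickets_for_plate(build_sentinel_db(), "NULL"))
    print("nullable schema, plate NULL:", tickets_for_plate(build_nullable_db(), "NULL"))
    print("nullable schema, unknown:   ", tickets_with_unknown_plate(build_nullable_db()))
    print("NULL = 'NULL' ->", null_equals_text(build_nullable_db()))
```

With the sentinel schema the owner of plate "NULL" receives every ticket whose plate was never read; with proper SQL NULL he receives only his own, and the unreadable ones surface through `IS NULL` where a review queue can pick them up. The schema alone does not help if an upstream feed types the word in, which is why the ingestion contract has to carry "no plate" as a separate field or flag: no word can be reserved in a namespace where any string of letters is a legal plate.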
Ignoring the lack of 'NULL' in Python for a moment, this wasn't even an issue with the code lacking an invalid input. If you read the article, you might have realized that.
References: http://www.mekabay.com/overviews/risks/risks03_1986_06-04-19...
https://www.snopes.com/fact-check/licensed-to-bill/