kens 6 years ago

I read years ago in comp.risks about a similar story. A guy in 1979(!) requested a personalized plate "SAILING", with second choice "BOATING". He didn't want a customized plate if he couldn't get those, so for his third choice he put down "NO PLATE". Of course, he ended up with "NO PLATE". He ended up getting 2500 parking tickets, since cars with no plate had "NO PLATE" written on the ticket.

References: http://www.mekabay.com/overviews/risks/risks03_1986_06-04-19...

https://www.snopes.com/fact-check/licensed-to-bill/

  • sieabahlpark 6 years ago

    I remember a different story where the guy had to fight every ticket in court

    • 3wolf 6 years ago

      On the plus side, he could also contest legitimate tickets unless they recorded other information.

      • DecoPerson 6 years ago

        I managed to do this at my university. I had vanity plates with a design made by my local Australia shire, which had the shire emblem between two parts of the plate. The plate was something like "123ABC" but I'm guessing emblem read as an O, so their scanners saw "123OABC", which was not a plate registered with the uni.

        Each day there was a 10-20% chance I would get a ticket on my windshield. I would collect them and take them to the uni security office once a fortnite to have them cancelled in bulk. I actually got pretty friendly with some of the staff there.

        At least 4 of them were legitimate tickets because I parked overtime, over a line, etc, but the staff cancelled them anyway (:

      • juancb 6 years ago

        Like Make, Model, Color, and VIN? The last time I got a parking ticket it certainly included those details in the citation. I can imagine being able to contest and win any citations issued to the same plate but with otherwise non-matching supporting information. But in the case where someone else has the same make, model, and color car, you might be out of luck if the VIN gets recorded as "CANNOT READ" or is left blank.

    • nvplates 6 years ago

      It has happened multiple times.

      NULL, NV, XXX, MISSING, NO PLATE

      • k_sze 6 years ago

        I wonder if the system is also vulnerable to SQL injection via vanity plates.

  • m463 6 years ago

    I saw a car with that specific plate a year or two ago.

    It seemed like it might work like humor in the TSA line.

    Fine as long as you have extra time on your hands.

    I wonder if it has even been towed/impounded?

    • taneq 6 years ago

      > Fine as long as you have extra time on your hands.

      And of course, in programmer humour, this translates to "while you're not busy with anything else, issue a fine." :)

      • Piskvorrr 6 years ago

        Which, ironically, is what actually happens.

  • mikorym 6 years ago

    This reminds me about my own name. Everyone always gets it wrong (including people from where I am from). Except the Dutch. They always get it right, every single time!

    There was also a meme about a person that wrote on her ID application "note the hat on the 'e'" and of course her name was Sarah Note The Hat On The E on the issued ID.

    EDIT: Yes her name was not Sarah and there is no 'e' in Sarah.

linker3000 6 years ago

A colleague used an app's "generate secure password" feature to change their ISP's web portal login - which then also became the WAN router's password - which they didn't realise.

It was about a week before the router dropped its connection and needed to re-authenticate - and that's when I was called in to investigate the loss of connectivity - which Windows 10 very unhelpfully reported as the network cable disconnected and was resetting or power-saving on the NIC so the "link active" LED on the switch was going out for about 2 secs every 10 sec. Cue a round of cable and switch swapping to no benefit. The LEDs for all other devices on the switch (running Linux and mostly internal servers) were behaving normally.

I finally backtraced to the router and a useful error message. We put two-and-two together and my colleague called up the auto-saved details in their password manager; it was long, and ALL non-alpha numeric characters - starting with a backtick, which the router would not accept. I tethered my phone to my laptop and tried to login to the Web account portal - which would NOT accept the passphrase. I tried it without the backtick "just in case" - nope.

We had to do a "lost password" reset on the portal..and wait for the email with link.

Lessons learned:

The ISP's password change page did not seem to validate input, but the login page did.

Avoid backticks in passwords.

  • stevekemp 6 years ago

    So many home-routers are run with horrid CGI-scripts on the back-end - I'd not be amazed to learn that submitting a form-field with `blah` in it would try to run the command blah (probably via busybox).

    If you have time/patience it might be worth exploring.

    • hultner 6 years ago

      I've actually rooted an Asus router owned by a relative, this was about 5 years back so it's hopefully fixed now. Noticed some strange behavior after a mistype and tried something like `whoami` (not exactly) and got root back so tried a reverse she'll with NC which worked perfectly. Googled it afterwards and found a ton of similar flaws on other home routers. Tried to do some kind of responsible disclosure but never got a reply or saw a fix then I forgot about it.

  • kccqzy 6 years ago

    I had a backtick in one of my passwords very long ago. When I first got my iPhone I couldn't figure out how to type that backtick until I realized one needs to press and hold and apostrophe.

  • BWStearns 6 years ago

    I had something similar happen with (iirc) spectrum of the power company a couple years ago. Their customer portal let me use a complicated password to sign up, it sent me the confirmation email prompting me to log in, and refused my password for forbidden characters. But then I couldn’t reset my password because I hadn’t verified, and I couldn’t modify the account cause I couldn’t log in. I was just trapped in limbo. Customer service said they couldn’t fix it for me. I had to pay my bill by phone until I moved.

  • gruez 6 years ago

    >Avoid backticks in passwords.

    Is there even a reason to include special characters in passwords? They add 10% more security[1] but cause all sorts of issues with systems. Just use an alphanumeric password that's 10% longer, and if special characters are mandatory, use a safe character at the end like _ or -.

    [1] 6.55 bits per character (all printable ascii characters) rather than 5.95 (only alphanumeric)

    • mehrdadn 6 years ago

      > 10% more security (6.55 vs. 5.95 bits per character)

      That's not how this works. By your logic having a password consisting of 1,2,3,4 is only twice as secure as having just 1,2.

      • monocasa 6 years ago

        That's absolutely how bits of entropy work.

        • robocat 6 years ago

          However symbol frequency is also significant for entropy.

          Do you think 1 in 25 four letter passwords contain a backtick?

          If you were brute forcing an ASCII password (no whitespace), would you naively cycle from ! up to ~ for each character?

          • monocasa 6 years ago

            The context is randomly generated passwords, so dictionary attacks (or other attacks that look at the plaintext from a Huffman encoding perspective) aren't really relevant.

        • mehrdadn 6 years ago

          That's most definitely not how security works. The strength of your password is not proportional to the number of bits of entropy it has.

          • monocasa 6 years ago

            In the context of randomly generated passwords, it's absolutely ok to think about it in terms of the logarithmic relationship between 1) entropy per symbol times number of symbols and 2) strength of the password.

            He said 10% stronger (which I took to mean 10% more entropy), not 10% more time to crack.

            • mehrdadn 6 years ago

              > He said 10% stronger (which I took to mean 10% more entropy), not 10% more time to crack.

              Hence the problem?

              Yes, measuring "strength" by "bits of entropy" is technically correct (the best kind of correct...).

              It's also exponentially misleading... possibly the worst kind of misleading?

              Just look at the question: "Is there even a reason to include special characters in passwords? They add 10% more to security...". I don't know about you, but to me doesn't really portray an understanding of the fact that it takes twenty-five times longer to crack such a password for merely 8 characters, not merely 10%.

              • monocasa 6 years ago

                I mean, counting in entropy with the knowledge that the applied effects can be logarithmic is the standard way of discussing such matters. It's sort of the basis for the information theory that's underneath this type of work.

                Edit: And the point of his argument is that more symbols of a smaller corpus of symbols can be equivalent if the entropy is equivalent.

          • dredmorbius 6 years ago

            The way you're phrasing this may be misleading.

            The strength of a password / passphrase increases with the power of 2 raised to the bits of entropy.

            That's an exponential proportion, rather than a linear one. But a proportion all the same.

            Example:

            Given mixed-case alphanumeric (62 characters) and an 8-character password length, the number of combinations is:

                62^8 = 218,340,105,584,896 (keyspace -- 218 quadrillion)
                l(62^8)/l(2) = 47.6 (bits of entropy)
            

            A 10 character password (if randomly chosen from the same character set) has 10^17 possibly combinations (about 4,000x more), and 59.4 bits of entropy, 11.8 bits more. 2^11 = 2048.

      • mfoy_ 6 years ago

        According to KeePass2, the password: "12" contains 7 bits of entropy, but "1234" only contains 5 bits of entropy.

        Is that right?

        • gruez 6 years ago

          I wouldn't trust it. If you use the "Hex key - 128-bit" preset, it returns a different amount of bits every time you click it. Here are 3 samples:

              3f38ba8a6ce3aa800f007c2e431df7fd  124 bits
              9339bf587ee11b12d207df846a879cf4  129 bits
              8ca4354a9038df590fecec1f964062fd  121 bits
          • heeen2 6 years ago

            Due to missing or repeated characters from the set of the hex alphabet?

            • gruez 6 years ago

              which doesn't make sense.

              I randomly generated an 8 character alphabetical (all lower case) password "jraxxhwr". According to keepass it has 32 bits of entropy, but the entropy should be 26^8 = 37.6 bits because the search space is all 8 character letter permutations. There's no way you can reduce the search space from 37.6 bits to 32 bits unless you have an oracle that says which characters I used.

              • FabHK 6 years ago

                It does make sense, because the keepass entropy estimate presumably (like the excellent zxcvbn) tries to approximate the empirical distribution, not the theoretical uniform one.

                In theory, "68703649" and "12345678" are equally likely to be pulled from the hat, but in practice one is a much better password than the other. You can reduce the search space by trying the passwords with higher (empirical) probability first.

    • cezart 6 years ago

      Based on your numbers they add 10% entropy per character. Which compounds into an increase of 210% over a length of 12 characters. Thus you'd need the password to be at least 3 times longer with only alphanumeric characters to have the same entropy.

    • kevinmchugh 6 years ago

      Special characters in passwords were highly recommended when rainbow tables were an effective way to attack password hashes. See this old Coding Horror blogpost for an idea what it was like at the time: https://blog.codinghorror.com/rainbow-hash-cracking/

      Salted hashes have made rainbow tables less effective. Password managers have made single-use passwords more tenable.

      Not knowing how a system will store my password, I still prefer to include special characters where available. Anecdotally, I tend to see the systems that are most averse to special characters are also strict about character limits, so simply increasing password length is not possible.

      • mbuinl989 6 years ago

        Password Managers are the new goto for obtaining all passwords and web browser zero days make it very easy to lift and then use for a variety of purposes. A simple lined small note book is good, but made secure is best, yet how would you make a pwd note book secure from someone else? This even applies to devices like bank cards and other things which needs a security code of sorts.

        • foxylad 6 years ago

          Make the passwords one character longer than what is noted in the book? Only you know the character and where it is added.

          For bank cards with fixed lengths, increment/decrement the nth character, swap two characters, or do a circular shift.

          • dredmorbius 6 years ago

            Or an arbitrary number of characters. If you know the additional six alphanumeric characters added, that's another 14 million combinations to test.

            Or 2FA, or ....

        • efreak 6 years ago

          Keep your password manager offline with Keepass2 USB keyboard plugin for Keepass2Android [1], but I'm not sure how well it works. Too-fast USB keyboard input does seem to have issues (the open issue seems similar to things I've seen an AlphaSmart 2000/3000 do in USB emulation mode; PS/2 always worked fine).

          There's also this other project, which seems more generic/difficult [2]

          1: https://github.com/whs/K2AUSBKeyboard 2: https://github.com/pelya/android-keyboard-gadget

    • 05 6 years ago

      bits usually add exponential complexity, so that '10% more' security might mean a password that's a million times harder to brute force..

      • gruez 6 years ago

        10% more refers to the character length for the same amount of security, so that's already baked in. eg. you can get a 128-bit entropy password with 22 alphanumeric characters, or 20 characters with all printable characters.

        calculations here: https://news.ycombinator.com/item?id=20678529

    • ValleZ 6 years ago

      Is there a special reason to forbid using native languages unless your native language is English?

    • recursive 6 years ago

      Another way to say this that wouldn't rile so many people up is "In order to achieve the same size search space, you'd have to use ~10% more alphanumeric characters than all of printable ASCII."

    • pc86 6 years ago

      If passwords are hashed should any character be prohibited at all?

      • tobyhinloopen 6 years ago

        Some do MD5($password) in a sql string.

        I don’t... but i’ve seen it

        • userbinator 6 years ago

          MD5 and all other hashes still take arbitrary bytes as input, so they wouldn't be the source of any restrictions; I suspect the majority of them are due to character set/encoding issues more than anything else.

          • gruez 6 years ago

            Presumably he's talking about code like this:

               $cursor.execute("SELECT * FROM users WHERE username = '$username' AND hash = MD5('password')")
            

            Allowing any value would allow for SQL injections, so the programmer does the lazy thing and "sanitize" the inputs ($username/$password) with a roll-your-own "sanitizing" function that throws an error if there are "evil" characters.

  • dvdkon 6 years ago

    Once upon a time, I went through my logins and tried to change them to strings with weird characters. I ended up with a password of on an internal school site and couldn't change it to anything else, since the "change password" site somehow rejected it.

  • Ambroos 6 years ago

    Similarly, my Belgian ISP (Telenet) has WiFi home gateways that are configured by their web portal, and config is pushed by the ISP.

    I figured out that they only did validation on SSIDs client-side, so managed to get around that to put emoji's in my SSID.

    Which then proceeded to soft-brick the entire thing on config push. I'd have to log in to the web portal via another connection, change the SSID there, and then reset the hardware with the reset button to get internet working again.

    • zifnab06 6 years ago

      The stereo in my 2013 GTI crashed hilariously if you tried to pair a Bluetooth device with anything in the name outisde of [a-zA-Z0-9]. I wish I'd have messed around with it some more before I sold it (it was a silly car to own for how little I drive)

  • cgriswald 6 years ago

    Many, many websites will happily accept passwords of $X characters and then hash only $(X-Y) characters on registration, but try to hash all $X characters on login, so of course the hashes don’t match. And at no point do they tell you the maximum number of characters.

    • dajonker 6 years ago

      Yes, this is terribly annoying, often there is a minimum length but no mention of maximum length. I see this on many, many websites...

      • luc4sdreyer 6 years ago

        What kind of range limits are you talking about? 30? 100?

        • jtc331 6 years ago

          Wells Fargo’s is 12 IIRC.

          • marktangotango 6 years ago

            Lots and lots of legacy systems do this, very low limit, case insensitive, numbers and letters only. I know of a major retailer with 10 character, case insensitive, alpha numeric for All their systems. Why? Because that’s the lowest common denominator (as400).

            • efreak 6 years ago

              That's how my dentist's billing website works. Except it's limited to 8 alphanumeric characters, not 10, and they were quite happy to accept my pasting a 16-character generated password into the field. Unfortunately, they don't have a password reset link; instead, the you call the receptionist and they read out your password to you over the phone. This isn't a legacy system, either. I can only imagine the backend is written in QBasic or something.

          • taftster 6 years ago

            I have a 14 character WFC password, seemingly works fine.

            • MertsA 6 years ago

              Try changing the last two characters and see if it still lets you in. It's not that uncommon that people mix up when to filter input and when to validate it.

              • taftster 6 years ago

                Tried and failed (to login). Looks like they are at least validating my entire password.

        • dgellow 6 years ago

          I believe that Blizzard had a limit of ~20 until recently for battle.net accounts (don't know if that's still the case).

          • Tecuane 6 years ago

            Passwords for Blizzard accounts are also case-insensitive, as they are converted to upper case before hashing. Try it!

            I first found this while working on a WoW server emulator in around 2009, but I believe it's been the case since Battle.net 1.0 was launched in 1996. In order to preserve backwards compatibility, it's never been changed.

        • emerongi 6 years ago

          Often it's 20. Not sure why 20 is so common.

          • michaelmior 6 years ago

            Someone somewhere probably posted a code sample with a 20 character limit...

        • daemin 6 years ago

          I've seen 6 characters and 16.

        • rypskar 6 years ago

          Lots of sites have a limit of 72 characters, maybe even without the developers knowing about it. Bcrypt has a limit of 72

        • cgriswald 6 years ago

          It's honestly a crapshoot. I've seen as low as 8 (a sibling poster says 6), but 10, 12, 15, 16, and 20 are not unusual. It's usually an even number, so you can just knock 2 characters off your password at a time (after making it an even number) until you're down to the maximum to figure it out.

    • ben-schaaf 6 years ago

      I once had a page that prevented pasting, but last pass's password generator still worked. So I put in a long password using that, but when I clicked to register it came up with a blank error message. Turns out they had a 16 character limit that was only enforced when you typed in the box, so I had to count the number of letters they allowed me to type and then let lastpass generate a password of that length. Infuriating.

      • glenneroo 6 years ago

        This has happened to me on many occasions, even with bigger sites which "should know better". Tis why I'm always slightly paranoid about entering in long passwords when signing up to new sites.

    • lutoma 6 years ago

      Had this issue with Google a few years ago when I tried to set my password to something ludicrously long (think 5000+ characters). It would happily change my password, but I couldn't log in to anything afterwards…

    • bsimpson 6 years ago

      For many years, Schwab ignored any characters after 8 in its password. Discovered that when I knew I flubbed one of the last characters, and it still worked.

      I still can't believe a major bank got away with that for so long, apparently unharmed.

    • inopinatus 6 years ago

      Square Enix's account management on the PS4 allowed me to set a password with a space on the end, but their website strips spaces from the password field when you sign in.

      Fun fact: it's actually really easy to submit a string with a space on the end when entered via a PS4 controller.

      • Faark 6 years ago

        Trimming spaces is the one evil that is kind of necessary. Way to many text selection tools select trailing spaces. Firefox and Chrome both do when selecting words. Got a mail with a reset password and want to copy it over? Yeah, good chance the space is copied as well. On a few occasions even ended up in my password manager. Please, just apply password rules everywhere consistently.

        • cgriswald 6 years ago

          > Please, just apply password rules everywhere consistently.

          This would honestly fix all of it, without even needing to communicate information about how passwords are handled. Although, I think those rules should be communicated as well, so users can make good choices about password security. If spaces are removed, that lowers entropy and users may want to add additional characters or restrict spaces in their password generator.

          It may not be easy. You might have dozens of different client applications with different requirements or abilities. But it is simple: Figure out your best practices and your lowest common denominator. Then apply those rules to every password every time in every context.

          Alternatively, if you have clients which (for whatever reason) need a special case, create a separate hash for that special case and then use that only for that client. (Likely, this will reduce the overall security of the account, but if this is your lowest common denominator, allowing other clients to have greater security certainly doesn't hurt you.)

        • MiddleEndian 6 years ago

          On a semi-related note I once had to help a coworker who couldn't log into a server using an auto-generated password listed like so:

          The password is p4ssw()rd.

          Turns out they didn't realize the period was part of the password.

      • Breza 6 years ago

        Back in the day, I created an AOL password with CTRL-BACKSPACE in it. It worked when using the AOL software but when I tried to log into the website, it deleted the password.

    • Breza 6 years ago

      I learned this the hard way when I started using a password manager. I had the bright idea to start using 90 character passwords for all my accounts and suddenly I couldn't log into a lot of accounts.

  • alibarber 6 years ago

    Oooh this reminds me, I am trying to learn a language that of course has ‘non-standard’ characters, and not even anything particularly exciting - Ä, Ö and the like. I thought it’d be cool to help memorise words (and be super secure) by changing frequently used passwords to phrases that contained these words... ...Caused me some trouble.

  • looperhacks 6 years ago

    Ah yes, this reminds me of my University account. I chose a long password generated with my password manager, which of course contained a chara66 that was both allowed at set up and usage. But because I had to frequently type it in without my password manager (i.e. on a University PC), I wanted to change it. But the change dialog asked for the old password and didn't accept it, due to the forbidden character. I had to go to the support who refused to believe my story and wasn't able to change my password. It took a few weeks to get hold of a person who was allowed to change passwords.

  • davchana 6 years ago

    The Indian version of personal retirement fund NPA website does this, I learnt a lesson. Every certain weeks you Have to change password. No big deal. I will just add an incremental number. Ok, password now is PasswordPass1. Lets login, Wrong password? Why? Error Password length exceeded.

    So, the password change page will accept any length password, will silently truncate it if longer & save it. Now on login page you have to guess the password length or reset.

  • amingilani 6 years ago

    Oh yeah, I've run into a lot of similar problems with even very well tested applications. The password reset field would accept inputs not valid at login time. I mostly ran into this when generating random passwords 100 characters in length from LastPass.

    At one point GitHub even changed reduced their max password input to a sane amount, and I couldn't log in anymore with my existing insane password length a few years ago.

    In most cases they fix the case when I report it, but my bank is terrible.

  • sings 6 years ago

    I once had the bright idea to use a backslash as a one character password for my girlfriends computer, thinking it would provide amazing convenience – a single character, just above the enter key. Turns out this doesn't work very well, even on a Mac, which you would think would have gone through fairly robust testing.

  • 13of40 6 years ago

    > avoid backticks in passwords

    I learned that lesson a different way: When I had a Windows phone my email password had a backtick, and the only way to enter it on the phone was to long-press the apostrophe, pick backtick from the three or four apostrophe variants that appeared, and pray I didn't fat-finger it and enter the wrong character. In general, there are just some second class citizen characters you should always avoid, because you never know how hard they're going to be to enter when you're on a phone or a kiosk or whatever. (Tilde, I'm looking at you, too.)

    • myfonj 6 years ago

      There are regional keyboard layouts lacking backtick completely. (I would have to use alt+96 or switch keyboard from my default (and only) Czech QWERTZ layout to type `, if I hadn't more convenient AutoHotkey shortcut in effect.)

  • skgoa 6 years ago

    I had a similar issue when my bank introduced a new banking app. The web login page has different requirements for the password than the app. I.e. on either I can set my password to something that the other will not accept.

  • lysp 6 years ago

    I went to change my password on a forum site that I had not used in a few years. My old password was really weak - think "abc123" or something similar.

    I logged in and then attempted to change my password to my new standard of 20+ character upper/lower/symbol. The problem was, they'd upgraded their forum software, and there was a bug that added password strength validation to the "old" password field.

    So I was putting in:

    Old: abc123 New: sZp10VzIoZI9g143

    And was getting the error message "error: your password must be 8+ characters long". After about 10 minutes of frustration and realising they had both client and server validation I went down a similar route as you and used forgot-password even though I knew the password.

  • BrandoElFollito 6 years ago

    This is one reason why I stick to alphabet (+case) in my passwords, when I can make them long.

    I had the exact same issues with some passwords which were accepted when creating them, then not accepted anymore when used to log in.

    This plus emails such as a@example.com or hjghgfggv@example.someweirdtld show how much sites are broken because of some philosophical ideas of developers.

_lo3k 6 years ago

When I was a foolhardy college student I figured out that if the cited vehicle make on my city parking ticket didn’t match my registration, I could get appeal the ticket via a web form very easily and succeed every time.

Naturally I removed the badges from my car and put on different badges from another manufacturer. After a while they started to cite me as “other” and the trick no longer worked.

  • RcouF1uZ4gsC 6 years ago

    Relevant xkcd comic https://xkcd.com/1105/

    • Iv 6 years ago

      In the Starcraft 2 community it is called barcoding. Basically, I 1 | l are all accepted characters for a name and I think some do look actually identical on most fonts used in the game. So yeah, one person doing that you call "barcode", 2 persons doing that, you already have deniability. Be more than 10, and that's a crowd.

      • amyjess 6 years ago

        Back when I used to play Ingress, that was really common. The Enlightened in Dallas had a ton of barcode names.

        • BryantD 6 years ago

          The new client makes it much easier to distinguish the characters, but there are still plenty of barcodes in the game.

      • Retric 6 years ago

        You can reuse names in SCII, so it’s more a convention than anything else. The important bit is to have many accounts with similar names.

      • knd775 6 years ago

        There was a time where call of duty ghosts was exploitable, and people could wipe/delete the accounts of anyone whose username/gamertag they knew. Streamers and pro players had to use barcode usernames to avoid getting their accounts deleted.

      • perspective1 6 years ago

        Google's AlphaStar StarCraft bot did just this under different accounts. Along with some other fingerprinting, many of the accounts and replays were found by the SC2 community.

        • Iv 6 years ago

          To my knowledge, it played with only one account. It played exactly 50 games with every race. It was outed mainly because of two things: A very high win rate (above 80% IIRC) and the fact that as a zerg it produced units by selecting larvas directly, which no one ever does (someone explains that it uses control groups but they are hidden and dont show up in replays, I dont know how accurate it is)

      • ChainOfFools 6 years ago

        this goes back at least as far as the original Unreal Tournament, I even saw a player using it in the fairly obscure Shogo: MAD multiplayer community. Never knew why it was done back then, I assumed it was just to be cute, but it did make it troublesome to mention them in ingame chats.

    • ohazi 6 years ago

      I actually saw a car with a license plate like this last week. Some combination of I's and 1's. White Ford Mustang driving around Santa Clara.

      • tjpnz 6 years ago

        I've seen something similar in New Zealand. Probably wouldn't be fooling anyone given the size of the country and how distinctive the car was.

      • bloak 6 years ago

        In UK number plates I and 1 are the same character, as are O and 0:

        https://www.dafont.com/uk-number-plate.font?text=O0I1l

        Number plates existed for decades before ASCII was invented. Before computers, people often used mechanical typewriters which didn't have keys for 0 and 1: you typed 0 as O and 1 as l. I threw away one such typewriter recently. It was in good working condition, with its instruction manual. It had been made in a country that no longer exists. You may imagine how sad and nostalgic I felt.

    • tracker1 6 years ago

      Saw a similar one on the road in front of me with a combination of N's, M's and I think a W ... man it was impossible to get straight while moving.

  • cronix 6 years ago

    All we had to do was register our cars in each others names. When I was married, my car was registered to her and vice versa. The redlight/photoradar laws in my state required that the company operating the devices had to match the pic of the driver violating the law, to the pic of the registered owner via the license plate. If they couldn't match them, no ticket was issued as you can't prove who was driving. That's probably changed now that a lot of DMV's are doing facial scans with datapoints. They probably just scan the whole DMV DB now to find the driver. Wear a mask.

    • joezydeco 6 years ago
      • beagle3 6 years ago

        Is it true that in England, the person sitting next to the driver IS the driver?

        :)

        • eitland 6 years ago

          It is true in Norway if someone is practice driving; the grown up in the passenger seat is the driver.

          • m463 6 years ago

            I took my motorcycle driving test with my licensed driver and the examiner following in the car behind me.

        • MisterTea 6 years ago

          Only if your last name is Bucket.

          • joezydeco 6 years ago

            LOL totally got that joke. Made my day, thanks!

    • tooop 6 years ago

      Where i am from the ticket is issued to the vehicle owner, doesn't matter who was driving. On the plus side it means that you can get a photoradar ticket for driving 300km/h and not lose your licence, just pay the fine.

      P.S. If the driver must be recognized does it mean that motorcyclists are exempt from photoradar fines?

      • monocasa 6 years ago

        I thought that motorcycles already didn't really show up on the photoradar scanners. That's the way it is here, but I can totally see that being a jurisdiction by jurisdiction thing.

        • tooop 6 years ago

          Here it is easier to avoid getting a photo with motorcycle because there are places where it targets front plate. If photoradar targets back plate then you will get a ticket for a motorcycle just like any car.

        • skgoa 6 years ago

          It really depends. The newer traffic control bridges we have on our highways take a picture from both the front and back.

      • ptaipale 6 years ago

        At least here in Finland, the cameras take pictures of speeding motorcycles, but they are not used. No front license plate.

    • wirrbel 6 years ago

      Here I think you are asked to directly wire transfer the penalty amount or you can challenge the ticket, then you will be heard as a witness for who drove the car. If you refuse to tell that or don't know, the judge can order you to keep a log of all joruneys of your car that can be inspected for finding the culprit of a future offense.

    • ddingus 6 years ago

      Or use Juggolo face paint.

    • tracker1 6 years ago

      Here in AZ, they'll lookup and assume the spouse. Of course, they're also required to serve the ticket in person.

    • cameronh90 6 years ago

      In the UK we fixed this by making it a legal requirement for the owner of the car to identify the driver (obviously unless there's a valid reason you can't, such as it being stolen).

      Two MPs have actually been caught out by this law, convicted of perverting the course of justice and sent to prison:

      - https://en.wikipedia.org/wiki/Fiona_Onasanya

      - https://en.wikipedia.org/wiki/Chris_Huhne

      • badfrog 6 years ago

        > On 3 February 2012, Huhne resigned from the Cabinet when he was charged with perverting the course of justice over a 2003 speeding case. His wife at the time, Vicky Pryce, had claimed that she was driving the car, and accepted the licence penalty points on his behalf so that he could avoid being banned from driving. Huhne denied the charge until the trial began on 4 February 2013 when he changed his plea to guilty, resigned as a member of parliament, and left the Privy Council.[7][8][9] He and Pryce were sentenced at Southwark Crown Court on 11 March to eight months in prison for perverting the course of justice.

        Going to prison for lying about speeding 10 years ago seems insane. Did they punish these MPs especially heavily just to make a point?

        • dsfyu404ed 6 years ago

          He didn't get sent to prison for speeding. He got sent to prison for having the audacity to think he could pull a fast one on them and the balls to actually try.

        • mantap 6 years ago

          Generally the courts punish "crimes against justice" such as perjury very harshly as it is seen as an attack on the rule of law itself, something much more valuable than any amount of money. When I was a juror they made it clear that if we got caught talking about the case or did any independent research, we could and would be going to prison.

    • megaremote 6 years ago

      So, you were just running red lights, and you think this is a hack worth bragging about?

      • cronix 6 years ago

        Typically, like they did here, they also lower the yellow light duration when they install these devices, causing more people to "run red lights" and collect $$$ for the jurisdiction. For nothing. This was proven in my state. Accidents have also gone up in these areas because now when the light turns yellow people have been trained to know they don't have enough time to make it through traveling at a normal speed, so they gun it to make it though. If you think I purposefully speed and use this to avoid red lights, you're assuming too much. I don't feel bad one bit circumventing a rigged system.

        Edit: https://www.motorists.org/issues/red-light-cameras/yellow-li...

  • djsumdog 6 years ago

    I knew a kid in college who would get a ticket, and then look around the parking lot for another Black Nissan Maxima. Most people don't actually look at the plate number, just the make model. I think he got one ticket paid this way ... guy was kinda an asshole.

    • cgriswald 6 years ago

      Someone tried that on me on campus but I noticed. I wasn’t supposed to be parked there either and was skating by on a technicality that worked as long as no one looked too closely into it. Otherwise I’d have called security and made his life uncomfortable for awhile. As far as I’m concerned, it’s fraud.

    • distances 6 years ago

      I've had a friend do the reverse: parking in illegal spot, and borrowing a ticket from another car that already received one. Upon return some hours later, he returned the ticket to the correct windshield.

      Quite brazen, and frankly a bit of an asshole thing to do.

      • ddingus 6 years ago

        Also pure genius. The worst kind, but hey! Gotta credit where some is due.

      • lccarrasco 6 years ago

        But what did he do if the other car had already left when he returned? It's much more than a bit of an asshole thing to do.

        • distances 6 years ago

          That, or received a second ticket. It all went to the plan that time, at least.

      • slowhand09 6 years ago

        Creative... I've not done it, but it seems if I get a really good scan of a ticket, put my info on it, and use it as needed, they don't have a record of it. So I'd never get a fine.

      • petee 6 years ago

        Around my area they almost always open existing tickets to check for the time/date. In addition many parking enforcement people patrol the same area all day and remember whether or not they already ticketed that vehicle.

      • moisto 6 years ago

        I did this once, too. YMMV based on meter maids in your city;

        My own unpaid ticket from weeks ago should become an asset. protect my car from violations with cast Invisibility.

        I put the decoy on windshield, under the wiper blade, and wandered off for a bit.

        But this upset the coin gods. When I went to my car an hour later, neatly tucked above my original ticket was a fresh new one. Balls.

        Maybe using 2 old tickets will work. :)

        • read_if_gay_ 6 years ago

          I’ve seen a parked car with 3+ tickets on the windshied (didn’t count but there was a small stack of them) in Austria. Had a foreign license plate though so probably just didn’t care and wasn’t gonna pay.

  • russdill 6 years ago

    I really enjoyed my parkingservices@ email address at my university. Took them many years to catch up and take that alias away.

indianSummer 6 years ago

I own a rare collector car with a three-digit VIN. This has caused endless hassles at the DMV as well as the insurance office. Sometimes we find success by prepending the necessary number of zeros, before the VIN. Other instances in the same system require appending zeros after the VIN. The true VIN has a hyphen but that never makes it into the DMV's system. One time I got stuck in a particularly nasty loop where the DMV mailed over thirty notices claiming the register would expire on 01/01/0000.

  • technothrasher 6 years ago

    Hmm, is this just because it is so few digits? I've had plenty of classic cars that have commission numbers with between six and twelve digits instead of VINs, and haven't ever had any issue with the DMV here in MA.

  • CydeWeys 6 years ago

    What car is it?

    • vageli 6 years ago

      It must be a car manufactured before VIN standardization in 1981, at the very least.

      • libria 6 years ago

        I'll give you 999 guesses.

        • ninjinxo 6 years ago

          *998

          • DenisM 6 years ago

            900

            Numbers 0..99 are not three-digit.

            • mikeash 6 years ago

              Ah, but VINs aren’t numbers. (Never mind what the N stands for.) 000 would be perfectly valid.

              • Biganon 6 years ago

                Impossible in Switzerland at least

            • leopoldo 6 years ago

              Digits, not numbers... I guess a VIN can still be 007, or 054. Right?

  • abruzzi 6 years ago

    I had a car—a 1971 Toyota Landcruiser FJ55–that technically had a tilde(~) in the VIN. It was in the format: FJ55~123456. When I bought it, the title had the VIN as FJ550123456. I just accepted and ignored it for a while, but when I decided to sell the car, given that most of my potential buyers were out of state (and in most states, out of state purchases require a VIN inspection) I tried to get it fixed. After six months of working The motor vehicles department here, getting an inspection by state police, and everything else, I found out that their software couldn’t handle and non-alpha numeric characters. In the end they decided to change the title to FJ55123456 so it skipped the tilde but didn’t replace it with a character that didn’t exist on the vehicle.

  • checktheorder 6 years ago

    >I own a rare collector car with a three-digit VIN. This has caused endless hassles at the DMV as well as the insurance office.

    I have a similar problem with my own identity. I was born in Canada's smallest province, PEI, and now live in its largest, Ontario. Some Ontario government software seems to have problems recognizing the relatively low numbers on PEI birth certificates.

  • tracker1 6 years ago

    I used to work for ClassicCars.com ... there's a LOT of variation to VINs before 1980, they standardized in the early-mid 70's, used to know the specific year.

  • userbinator 6 years ago

    Is it possible to register it as a "custom" with a completely new (and more friendly to the systems) VIN?

hn_throwaway_99 6 years ago

Tangentially related somewhat-common bug: YAML files will interpret the literal 'no' as boolean false if it's not quoted, instead of as a string.

Many developers have wondered why, when they stuck country-specific configurations in a YAML file, that things suddenly stopped working when they expanded support for Norway.

  • strenholme 6 years ago

    I always felt Yaml is far too complicated of a format for storing hierarchical data. JSON is too simple (no comments; hard to store multi-line strings).

    HCL, the hierarchical data storage language used by Terraform, is the closest thing I’ve seen to a happy medium between JSON and Yaml.

    Another option, if the string values are not multi-line, is CommentJSON (use the Python module or write 10 lines of code that strips out comments from JSON if using another language).

    • marcosdumay 6 years ago

      Both a bare > and a sequence of 3 quotes are invalid in JSON, so it should be really simple to add multi-line strings wither Python or Perl style.

      • roryokane 6 years ago

        The Hjson format does this: https://hjson.org/. It’s just JSON plus syntax sugar such as // comments and '''multiline strings'''.

    • oever 6 years ago
          {"comment": "JSON supports comments just fine. :-)"}
  • foobiekr 6 years ago

    YAML has tons of warts like this.

    https://yaml.org/type/bool.html

    This should be used in schools as an example to illustrate how not to do things.

    • sitkack 6 years ago

      Every feature is a source of bugs. Be careful when constructing end user affordances for systems that have broad applicability and need to run over a very long time span.

    • Groxx 6 years ago

      Also as an example of "always deserialize to known types". Flexible boolean values can be convenient since it's relatively human-readable, but "deserialize into [whatever the heck you think is appropriate]" is a problem for quite a few reasons beyond confusion: https://lgtm.com/blog/swagger_snakeyaml_CVE-2017-1000207_CVE... (same techniques have been used against other kinds of serialization in many languages for many years)

  • dec0dedab0de 6 years ago

    I don't have a problem with yes/no per se , I just don't like that it also takes true/false

    • marcosdumay 6 years ago

      I don't have a problem with any of those representations, and also no problem with all of them at the same time.

      But not only the value representation keeps the types ambiguous, also there is no off-channel place to disambiguate the types, and no value-independent rules for deciding on the types. If any of those was different, there wouldn't be a problem.

    • stiGGG 6 years ago

      It’s not only that. YAML also interprets on / off as boolean.

  • danek 6 years ago

    I am one of those developers.

    Afterwards I just try to avoid yaml if I can. While it looks cleaner than json, I don’t find it especially easy to read and there is unnecessary ambiguity due to unquoted strings. And it seems to have a thing against Norway ;)

  • kalleboo 6 years ago

    I remember a story when Microsoft translated some ancient version of Internet Explorer for Mac, there was a menu where you could select TLDs (I can't remember what for) and the .no domain ended up getting translated as the word

yongjik 6 years ago

Reminds me of the story of Ireland's worst Polish driver who never got caught: http://news.bbc.co.uk/2/hi/uk_news/northern_ireland/7899171....

  • rebuilder 6 years ago

    I've also heard a similar story of a Finnish man who got a ticket in the UK, and on closer inspection found his name on the ticket listed as Mr. Ajokortti Körkort. Thats "driver's licence", first in Finnish, then Swedish, and is written at the top of the driver's license card.

    That said, I find these stories a little hard to credit, since you'd expect police officers in the EU to be fairly familiar with the standard EU driver's license layout.

    • LanceH 6 years ago

      I've been at some tournaments where a couple of the kids had the last name "Bye". They picked up a fair number of forfeits during the season.

      • p1esk 6 years ago

        Wow, that's an awesome last name for a tennis player :)

        • LanceH 6 years ago

          NASCAR -- have your name on the rear bumper.

    • diatribattical 6 years ago

      I once had a BevMo cashier in California ask me, “Massachusetts? Is that in Canada?”

      Very little faith left.

      • madcaptenor 6 years ago

        I once had a cab driver take me to MIT. Cab driver: "what is this place?" Me: "MIT" Cab driver: "what's MIT?" Me: "the Massachusetts Institute of Technology." Cab driver: "what's Massachusetts?"

        • foldr 6 years ago

          I had a cab driver in New York who was unable to take me to the Brooklyn Bridge.

          • neffy 6 years ago

            ... well it keeps getting sold.

          • et2o 6 years ago

            Possibly didn't want to take you into Brooklyn. The Manhattan side isn't really walkable.

            • foldr 6 years ago

              I was already on the Brooklyn side. But the issue was literally that he had no idea what the Brooklyn Bridge was, not the precise drop-off location. (We just wanted to look around Dumbo for a bit.)

              • et2o 6 years ago

                Wow! Hard to think of a more iconic landmark in that case.

                • madcaptenor 6 years ago

                  Someone else is probably out there complaining a cab driver wouldn't give them a ride to the Statue of Liberty.

        • james_s_tayler 6 years ago

          Not to be confused with the world class educational institution the Manukau Institute of Technology :P

          I always find it funny when I drive by that and I see the sign MIT.

          • madcaptenor 6 years ago

            I find the German language funny because "mit" just means "with". I remember search engines having trouble with this in the late nineties.

        • TMWNN 6 years ago

          I've heard that, three blocks from Caltech, many people have never heard of the university.

    • dmurray 6 years ago

      Irish driving licences didn't start to use the standard credit-card-sized EU format until a few years ago. They were paper booklets which had long since been phased out in the rest of Europe.

      • roelschroeven 6 years ago

        Here in Belgium new driving licenses are of the standard credit-card design (I don't know exactly since when), but most people still have the old folded paper design. Since the old licenses are still valid, and the new designs require renewal every 5 years which the old ones don't, there is no incentive for people to swap their old license for a new one.

    • mikeash 6 years ago

      You’d expect offices in the US to be familiar with US states and territories, but that doesn’t stop them from occasionally demanding a passport from people from New Mexico, or saying a license is fake because there’s no such state as “District of Columbia.”

      • zxcvbn4038 6 years ago

        I once had a Texas policemen unholster his pistol on me because he thought my US Passport was a fake ID and my travelers checks were some sort of scam. Then his backup arrived and explained both items to him — and the Dairy Queen cashier that had called 911 on me. Stuff like that is why you have to stay on the interstate.

        • atm0sphere 6 years ago

          can you elaborate on this story? why the hell did the cashier call 911 on you, and what state were you from?

          how long ago was this?

          • 0xffff2 6 years ago

            Based on "traveler's checks", I'm going to guess at least a couple decades ago. Cashier probably called 911 because they thought GP was trying to commit fraud with "fake money".

            • megaremote 6 years ago

              I mean, in what world can you cash travelers cheques at a dairy queen?

              • zxcvbn4038 6 years ago

                Dairy Queen was a favorite from my childhood, I had moved away from Texas years earlier so I decided to indulge while visiting. These days I’m more into Sonic - the food is better, they have a greater variety of sweet treats, and I really like their iOS app.

              • 0xffff2 6 years ago

                It's been a very long time, but my grandmother always used to give me spending money for vacations in the form of Amex traveller's checks. IIRC you could use them in essentially any situation where you could use an ordinary paper check (which was substantially more common back in those days).

        • SilasX 6 years ago

          Wait, you tried to pay with travelers checks at a Dairy Queen?

          • jacobush 6 years ago

            Yeah, do you want to get shot?

    • hansjorg 6 years ago

      > you'd expect police officers in the EU to be fairly familiar with the standard EU driver's license layout

      The common design for all the EEA countries was supposed to be implemented by the members by the start of 2013 according to Wikipedia.

      Until 2033 there will be valid licenses that were issued before the common license, so there's still a lot of different designs out there.

      • tialaramex 6 years ago

        Also, the common design, like with passports, provides numbers for the boxes, so e.g. 1 is "Name" and 2 is "First Name" and 5 is your license number with whichever authority issued the license. But it doesn't take a _very_ stupid person to write down stuff that's in the wrong box or not in a box at all when all of it seems like moon language to you.

        Probably better to have a machine scan the identity document, not least because the machine can trivially avoid freaking out over "Nick Smith, born 2000-01-04" when the wanted criminal was actually "Mick Smith, born 2000-04-01".

  • tus88 6 years ago

    They rank their Polish drivers?

ldoughty 6 years ago

I have a family member who's license plate started with "&". The DMV accepts it, plates were ordered online fine, but police systems can't handle it apparently, to my family members ultimate discomfort. I commonly joke it probably gets the individual out of automated tickers for speeding and red lights, but when an officer pulls them over we sometimes need to explain that the "&" is dropped in the system (or so we've been told) and that seems to clear up issues

  • vinay427 6 years ago

    Any word on whether the plate without the preceding '&' is in circulation? I'd be curious if your records in the police systems would be merged with the records of the owner of that plate.

    • toast0 6 years ago

      The rules for california are the special symbols (which don't include &) are non-significant. Everything but the plate itself ignores them. Washington doesn't have special symbols, but does have an optional dash, which is also not significant.

      • netsharc 6 years ago

        I guess it doesn't happen a lot, but they'd have a crazy time if they had to deal with Arabic license plates..

  • reaperducer 6 years ago

    I sometimes see California tags with a heart character in them. Does anyone know if those considered part of the number, or are they just ignored as decoration?

  • paulborza 6 years ago

    Looks like you can't have the character '&' on a personalized license plate in WA: https://fortress.wa.gov/dol/extdriveses/NoLogon/_/

  • kevin_thibedeau 6 years ago

    I had a standard 8-digit Indiana TK series truck plate which would get flagged as "unregistered" by the broken ALPR systems in other states.

  • olyjohn 6 years ago

    In Washington State, you can register period-correct plates for your car. The problem is that you can't register the actual digits that are printed on the plate. The cops and cameras can't pull up your information, and you get stopped and questioned all the time. Explaining how the plates work to the Police gets pretty tiring.

  • pedrovhb 6 years ago

    Well, in their credit, they're the ones whose system won't go down from an XSS payload on a plate.

cortesoft 6 years ago

I love when people double down out of principle, when the only person getting hurt is themselves.

He refuses to change it because he did nothing wrong...sure, but you are also the only one being hurt by it. Is this really the hill to die on?

  • xxs 6 years ago

    Die on?

    But how - he can challenge the fines in a court of law. Since it's a vanity plate, adding an extra notoriety won't hurt.

    • xeromal 6 years ago

      Court isn't cheap.

      You're paying for it with a lawyer or with your own time

      • giancarlostoro 6 years ago

        > Droogie contacted the DMV who told him to change his plate. He refused because he didn't do anything wrong. While they wiped the fines off his record, unfortunately for him, they didn't fix the problem in the system so once again, Droogie has accrued another $6,000 in tickets that he had nothing to do with. He says he won't be paying those either.

        Except he just contacted the DMV. No lawyers necessary.

        • jedberg 6 years ago

          Knowing the California DMV, that contact probably took at least two hours.

          • dawnerd 6 years ago

            Number of years ago I was frustrated because they never sent me my renewed card and it turned out they never updated my address even though I did the paperwork. Took it to twitter and tagged @CA_DMV and they responded pretty quickly and took care of it. Got my new card pretty much next day.

        • rtkwe 6 years ago

          Really I'm surprised they didn't just add NULL to the list of banned words and ban/refuse to renew the tag which seems eminently within their powers.

          • c22 6 years ago

            Perhaps they did and the renewal system just assumed that banned word was missing and silently skipped it.

        • kelnos 6 years ago

          ... and then the second half of the parent's sentence (which you conveniently ignored) applies: he's paying with his own time.

          I dunno about you, but I value my time way too highly to voluntarily use it to spend time on the phone with the DMV every month or three.

          • xeromal 6 years ago

            Yeah, we're on Hackernews so I assume most people on here make at least 50+ an hour. The CA DMV will cost $200+ at least.

      • vageli 6 years ago

        > Court isn't cheap.

        > You're paying for it with a lawyer or with your own time

        At some point surely you can countersue for harassment?

        • kelnos 6 years ago

          For the first time or two, maybe. But you'll be paying for it with hours, possibly tens of hours, of your own free time. And the US legal system is a fickle beast; what seems to you like a slam dunk might not actually be so certain.

          After the second or third time, the judge will ask, "why didn't you just change your license plate to something else and avoid all this hassle?" And when you answer, "I've grown fond of the plate, and want the DMV to fix its systems", the judge will sigh, and rule against you for wasting his/her time instead of just changing your license plate.

          • vageli 6 years ago

            What do you mean "after the second or third time"?

            Are you suggesting that if this person were to sue for the repeated harassment and presumably prevail (with some kind of damages attached) that the behavior would persist?

    • foepys 6 years ago

      I can image something more fun to do with my free time than sitting in court every few weeks...

    • exfed 6 years ago

      On top of that, if anything, forcing the government to fix it's bad code (insert snarky ambiguity between software code and legal code) can't be a bad thing. I'd buy the guy a beer.

      • cortesoft 6 years ago

        Except they won't fix it, and he will have to keep filing protests

      • jspash 6 years ago

        The problem is it's a "a privately operated citation processing center" that's causing the problem. They might even be instructed to hand-enter a NULL for these cases.

        I'm don't really see an incentive for the govt agency to do anything about it. It's no skin off their nose. They'll just keep sending the tickets.

        • samthecoy 6 years ago

          At some point, can you not file some kind of harassment lawsuit? Is it legal to continue to send someone bills for which they aren't liable?

        • Grollicus 6 years ago

          Don't you have some kind of illegal prosecution laws? In my home country people could go to jail for that.

        • saalweachter 6 years ago

          That's assuming it's an error in their code.

          For all you know, they have a list of too-clever license plates (null, no plate, etc), and they purposefully divvy up the no plate tickets among them.

        • xxs 6 years ago

          "hand-enter a NULL for these cases" <-- should be a reserved word then.

        • cr0sh 6 years ago

          > "a privately operated citation processing center"

          In a way, this is the real bug - one that affects more areas of local government than most people know or understand.

          Our local governments are constantly seeking - and usually getting - private companies to do what should be public. The potential (and actual) repercussions to the system are serious.

          For instance, how do such arrangement affect FOIA requests? What about other forms of transparency? Are we really getting our money's worth as taxpayers? Is the money actually being used properly or are costs being inflated?

          It's a form of government privatization "by a thousand cuts" - we already know of the problems inherent in the system of privatizing out and contracting of private prisons; plus the loop they cause because of recidivism rates, because a repeat "customer" is better for the bottom line than one reformed for society. Which may be better for the private company, but has huge costs to society itself.

          I wouldn't doubt that similar issues are happening with the privatization of other parts of our local government. It is sickening to me, personally.

      • kelnos 6 years ago

        I'm pretty sure the government will continue to just waste money processing his appeals instead of making an effort to fix the system.

        So in reality, this guy is indirectly wasting taxpayer money. Sure, the government is wrong in not fixing it, but knowing that the government won't fix it, but continuing to behave this way, is his fault.

    • cortesoft 6 years ago

      Figure of speech... I just mean he is making a stand for something not that important but causes him (and only him, really) inconvenience

      • shawnz 6 years ago

        Maybe this particular bug inconveniences only him, but it exposed an improper practice that in general could have affected others too.

      • xxs 6 years ago

        I know what "die on" is - it's just inappropriate in the context: nothing bad has actually happened to him.

        • esoterica 6 years ago

          You obviously still don’t know what the phrase “choosing to die on a hill” means.

          • xxs 6 years ago

            Yeah, just b/c he is stubborn enough and doesn't wish to give up his vanity plate instead of folding. Pretty much nothing that hard/uphill battle has happened to him.

            • alanbernstein 6 years ago

              There are two options: die on the hill, or retreat. He is not retreating. Therefore he has chosen to die on the hill.

              • shawnz 6 years ago

                Those would be the options if there was an attack against him, but there's not any attack against him. Wrongly addressed tickets are hardly even a minor inconvenience. I think that's what the parent is saying.

                • lolc 6 years ago

                  > Wrongly addressed tickets are hardly even a minor inconvenience.

                  Now I wonder what you would consider a minor inconvenience. "Oh yeah that time they suspended my licence that was a minor inconvenience for me."

                  Wrongly addressed tickets are a real hassle. I'd assume that if you don't contest them in time, you have to pay them. And if you don't pay them, they will suspend your licence. (I don't really know. But I assume that's what would happen.)

                  • perl4ever 6 years ago

                    You can be arrested for driving on a suspended license, and it can be either a misdemeanor or a felony.

                • kelnos 6 years ago

                  It's a figure of speech; when used colloquially in this manner, it has nothing to do with any kind of attack.

                  It just means "argue a point on principle when you know you aren't going to affect change".

                  • shawnz 6 years ago

                    It's a figure of speech which means to argue on a point of principle without regard to the cost when you know you aren't going to affect change. It absolutely doesn't make sense in the context where there's no attack. Otherwise how does the dying come into play in the analogy?

    • macspoofing 6 years ago

      >he can challenge the fines in a court of law.

      If he sees spending time and effort expunging his record every few weeks as worth the trade-off for the 'extra notoriety', then power to him. I wouldn't do that.

      • xxs 6 years ago

        I'd presume - the court decision may force the agency to fix their code.

    • cannonedhamster 6 years ago

      He can challenge the fines but still has to pay court costs most likely.

  • ars 6 years ago

    But it does actually work! He can never get any tickets. If he does he'll just claim it was a false one.

    • Topgamer7 6 years ago

      Exactly! All he has to do is collect all the notices and deal with them every few months. Not to say there aren't other implications that might be more troublesome :P

      • SilasX 6 years ago

        “It made my tickets free (if my time is worth nothing)!”

    • umvi 6 years ago

      Yeah he ends up paying all those tickets with his time though. And time is more valuable than money for a lot of people...

      • dsfyu404ed 6 years ago

        After the second go round or so he'll have a form letter. After the 4th or 5th time the DMV people will recognize it when it arrives. If it goes on long enough eventually all the employees will be aware of this edge case and he can probably appeal legitimate tickets.

  • juancb 6 years ago

    Sure he did nothing wrong because it backfired like one of Wile E. Coyote's schemes but the article makes it clear he was hoping to confuse automatic ticketing systems. He was trying to get out of tickets. Sure he didn't break the letter of the law but he tried to break the spirit of the law and it bit him. Some might call that karma, I think he needs a better hobby than standing in line at the DMV which is ultimately what he has taken up. I wonder how long he'll keep going.

    • kosievdmerwe 6 years ago

      AKA he was attempting to commit fraud or rather obstruct justice. I don't particularly feel sorry for him.

  • ryandrake 6 years ago

    It reminds me of the guy who owns nissan.com, who probably blew his life savings on lawyers defending himself from Nissan Motors lawyers for decades.

    • asdfman123 6 years ago

      I wonder how much you could sell that to them for if you were really good at negotiating. Maybe as much as $100k?

      • mcbits 6 years ago

        Multiply that by a thousand or more if they had already accrued $10 million in "damages" by 1999 as they claimed. Apparently it would be extremely valuable to them.

    • fortran77 6 years ago

      Nissan treated that man very badly. I never owned a Nissan car, and never would because of this.

      His family name was Nissan, and he registered the domain when Nissan still called itself "Datsun" in the U.S.A.

  • jopsen 6 years ago

    Yeah, pick your battles.

    Sure, it would be nice if the systems where patched. But maybe he should just get a job at the DMVs IT department instead :)

    In the end I would probably rather pay the fines than fix this bug, it's probably a lot of horrible systems barely held together..

    • outworlder 6 years ago

      > But maybe he should just get a job at the DMVs IT department instead :)

      Ew.

  • elihu 6 years ago

    The DMV made a mistake, they know it, and they aren't fixing it. In this case, the problem is relatively inconsequential but it is an institutional failure. The DMV is a government agency which is, at least in theory, somewhat indirectly accountable to the people. Which means that if they're treating one particular citizen unfairly, one option that citizen has is publicly shaming them. (Another option is to file a lawsuit. That's more work, though.)

    As I see it, this person is performing a public service by not budging on this. It's nowhere near on the same level as Rosa Parks not going to the back of the bus, but sometimes we need people to not simply go with the flow because it's the easiest thing to do.

    • crazygringo 6 years ago

      But they're only performing a public service if it gets fixed -- which there's no indication in the article is happening.

      And frankly, why would it? Different government agencies likely have zero reason to cooperate on it. Especially if, say, the DMV is responsible for the error, but the courts are the ones dealing with the cost.

      So unless this guy has a reason to think it will get fixed because of him... he's just wasting his time, no?

    • kelnos 6 years ago

      Considering that the DMV in most places already has a lot of shame heaped on it, I doubt this extra spoonful meaningfully moves the needle.

      This guy is really just wasting his own time for no actual benefit to anyone. If he genuinely enjoys it, then sure, I guess each to their own, but if not...

dhosek 6 years ago

There was a similar issue in California where, in the days before on-line choosing of vanity plates, you would give three choices. One guy couldn't come up with a third option so he wrote "NO PLATE" and ended up with that as his plate with similar results. Snopes has the story:

https://www.snopes.com/fact-check/licensed-to-bill/

tbyehl 6 years ago

Earlier this summer I decided that I'd found a loophole and ordered 'N0 TAG' and 'N0NE' (zeros) for my motorcycles. The license plate font doesn't distinguish between 0 and O but the computers seem to account for visually similar characters -- I could not order the same plates with Os after they'd issued.

Haven't caught anyone else's tickets so far. SunPass won't accept 'N0 TAG' being associated with my transponder tho (have not tried 'N0NE' yet).

I did get pulled over on my very first ride with 'N0 TAG' and the first words out of the cop's mouth were 'Is that tag legit?' That may or may not have been a factor in catching a warning instead of a ticket that I absolutely earned.

  • datenwolf 6 years ago

    > The license plate font doesn't distinguish between 0 and O

    When the German license plates were redesigned in the mid 1990-ies, also a different font was incorporated, which was engineered explicitly to thwart similar-shape attacks: https://en.wikipedia.org/wiki/FE-Schrift

EliRivers 6 years ago

Related, for those who missed it the last time it was here on HN, the tales of Christopher Null, who has an unfortunate surname: https://www.wired.com/2015/11/null/ , and Jennifer Null , http://www.bbc.com/future/story/20160325-the-names-that-brea... , likewise.

  • MaxBarraclough 6 years ago

    Much-needed Outline.com of the wired.com article: https://outline.com/WMzjYK

    • efreak 6 years ago

      It seems meaningful to me that the wired website works (sort of; the left margin is 1/3 of my screen) with JavaScript disabled, and outline doesn't work at all.

      • MaxBarraclough 6 years ago

        If there were a better alternative I'd gladly use it.

the-dude 6 years ago

I once had a product owner for a student/university web app who complained that for a particular user, their lastname was displayed as 'None'.

This was a Python project and the product owner apparently already had learned 'None' equals NULL.

I dug into the file which we used to import the users from and discovered the user's lastname actually was 'None'.

  • jgtrosh 6 years ago

    Maybe it could be added to the list of falsehoods programmers believe about names: https://shinesolutions.com/2018/01/08/falsehoods-programmers...

    • Izkata 6 years ago

      Now, was it a case of number 20 and they were required to enter something, or was it actually legally None?

      https://www.houseofnames.com/none-family-crest

      • the-dude 6 years ago

        Maybe the case. However, this was an international student org and the student was from Africa.

        We assumed it was correct and did not dig to the bottom.

        Whatever the truth was, I could close the ticket.

    • wcoenen 6 years ago

      I think this example falls under falsehood 31, where None would be considered a "bad word" that can't appear in names.

      • jgtrosh 6 years ago

        That describes making some "bad" values illegal, where I believe the problem here was that they didn't expect the value.

  • jmchuster 6 years ago

    There was a manager i worked with whose last name was "Null". She complained that every few months her account would get wiped from the HR system.

_nickwhite 6 years ago

Years ago (in the late 90's or early aughts) when ordering vanity plates online became a thing, I got approved for the plate "127.0.0.1". This was a California or NC plate- can't remember as I lived in both states. I checked the mailbox excitedly every day like Ralphie from A Chrismas Story for my uber cool plate. When I finally did get something from the DMV, it was too small to be a license plate and was simply a note that said "Sorry, your requested plate conflicts with a motorcycle plate, so we have to deny your request." Huge bummer, but I guess 127.0.0.1 becomes 127001 in their systems.

hammock 6 years ago

Could someone devise a SQL injection attack using a custom-made license plate? I'm imagining someone printing up

  x'; DROP TABLE drivers; --

on a plate, and driving up and down the highway past automated license-plate readers.

  • growt 6 years ago

    Ah little Bobby drivers ...

    • HenryBemis 6 years ago

      It always makes me so happy to see a "little Bobby tables we call him" reference when data inputs are discussed!!!

      I will assume that we are all aware of the Exploits of a Mom, but just in case we have anyone reading this that doesn't already appreciate XKCD: https://www.xkcd.com/327/

  • tapland 6 years ago

    With how these systems seem to be written, absolutely.

    • close04 6 years ago

      https://hackaday.com/2014/04/04/sql-injection-fools-speed-tr...

      Another picture (which I can't seem to find now) purportedly showed how one of the screens over the highway was displaying just an error message after triggering this exploit.

      • tapland 6 years ago

        Automated its unlikely. I would guess they have a list of allowed characters to OCR to (right? Please!?)

        But if entered manually by someone?

  • inetknght 6 years ago

    I have DBA registered in my local county. The DBA name is:

        ' or 1=1; drop table sys.systable; -- Computer Services
    

    I had a lot of fun at Bank of America when I signed up for my business bank account shortly after registering the name. Not quite a license plate but similarly themed

sparrish 6 years ago

This is funny. I wonder what would happen if you could put a 'NOT ' in front of your plate number... would everyone but you get a ticket?

  • dhosek 6 years ago

    Nah, because it's not unsanitized SQL at fault, but people writing a literal NULL in the license plate field when there isn't one.

    • baybal2 6 years ago

      I wonder, what will "DROP *;" license plate do?

      • desas 6 years ago

        Nah, because it's not unsanitized SQL at fault, but people writing a literal NULL in the license plate field when there isn't one.

      • delinka 6 years ago

        Nothing because it's not unsanitized SQL at fault.

      • SamuelAdams 6 years ago

        Most states do not allow special characters in the plate text.

        • reaperducer 6 years ago

          Depends on how you define "special." I've seen hearts on California tags, and I think some glyphs on Virginia tags, but I might not be remembering that correctly.

          • scarejunba 6 years ago

            That's just part of the design. They are ignored when you type it in, etc. and you can't have ABC<heart>123 and ABC123 simultaneously existing because they're the same to the DMV.

      • Scoundreller 6 years ago

        Probably can’t do special characters, but maybe ASCII (0x23) will let you get around it.

        • entropicdrifter 6 years ago

          0x3b so your plate is just ";" in some systems, maybe?

      • rhacker 6 years ago

        Should be

            "; DROP *;
        

        Lic. plates are entered into thousands of systems, so yeah it can have an effect somewhere.

    • hn_throwaway_99 6 years ago

      Actually, I think it's doubtful the folks at the private processing facility are actually writing 'NULL', but my guess is the DB field is just not set (i.e. left as NULL), and then when the info is read out somewhere it's just printed as the string literal value.

      • knd775 6 years ago

        Wouldn't their license plate be in quotes, though? 'NULL' != NULL

        • jerf 6 years ago

          As my other comment points out, this is probably systems talking to systems talking to systems talking to systems to the nth degree. So even if the first system did in fact distinguish the NULL case from the string case, it only takes one system in the chain to be incapable of representing the difference to permanently and unrecoverably wreck it for all downstream systems.

          What are the odds at least one system silently filters out apostrophes as invalid characters in license plate fields? Pretty good. These systems are often unattended, unmonitored processes often maintained by people who either can't fix errors upstream, or don't even want to, so these conversions are often written extremely permissively, trying to get through the data with whatever heuristics are necessary for the process to just Keep Working.

          • knd775 6 years ago

            That makes perfect sense, and seems like those most likely explanation. Thanks.

      • adrianN 6 years ago

        I'd guess that there is a CSV step involved.

    • jerf 6 years ago

      I doubt that. Normal people do not tend to use the word NULL at all.

      What this usually is is the result of systems that talk to systems that talk to systems that talk to systems, all in different legacy formats never written to be interchange formats. One system has true SQL NULLs, the next system down the chain only accepts strings for that field, NULL gets written as the most sensible string, and then from that point on all downstream systems can't tell the difference between the original system having had an SQL NULL or having had the string NULL.

      • slips 6 years ago

        Did you read the article? It literally says people at a private citation outfit put NULL in the license plate field when there is no number available.

        • jerf 6 years ago

          And I still expect my story is more accurate, with theirs being a reasonable expectation of what you'd get when some techie tells their manager what happened, who tells their manager, who tells the reporter.

          To be clear, I'm not denying that what you say is literally true, just that by the time I'm done filtering that particular fact through my personal belief network and personal experiences, I still end up saying that my story is more likely. It's true enough that they put a "NULL" in, it's just that the way the private firm does that is most likely that the field agents leave it blank, some software somewhere puts a NULL in some database, and the report that comes out for the enforcing authority has NULL in it. For a reporter, it's not a false statement, it's just not all the technical details.

          With this story, the responsibility ends up distributed in a very plausible manner I've seen many times over; HN readers could fill in a dozens of similar stories no problem. It's a problem characteristic of these sorts of systems and the way they tend to communicate with each other.

          • crumpets 6 years ago

            People use the word NULL and in all caps as well, in particular in bureaucratic processes like those you would encounter at the DMV.

            NULL & VOID, etc.

            It is entirely reasonable that the system would not accept an empty string for the plate so the process folks worked around that by instructing all employees to write NULL if they couldn't read the plate.

            • perl4ever 6 years ago

              Many people who are not programmers per se come into contact with databases that use SQL enough that they might absorb a few random concepts or names for things.

              So, some bureaucrat might in fact know "NULL" because they type a command into a database every Tuesday to run a report.

        • vinceguidry 6 years ago

          As per HN guidelines, please don't ask or insinuate that someone's not read the article, instead just quote the relevant part.

      • OrgNet 6 years ago

        Maybe NULL is the default value if you don't enter anything

    • mikehollinger 6 years ago

      A colleague’s name is “True.” When we ran some reports to generate a check in list for an event - it was converted to either “TRUE” or “1” depending on the script.

      I was amused.

      Even without sql doing odd things certain strings will just cause problems.

harryh 6 years ago

I recently saw a car with a license plate of B8B88BB8 (or something to that effect) that I am almost certain the owner chose to make it hard to read and transcribe correctly by either humans or computer vision systems.

I was honestly kind of impressed.

  • cj 6 years ago

    This thought had come to me a few years ago and I've always wanted to try it. Never got around to it, though.

    - 1Iil

    - B8

    - 0Oo

    Examples:

    - i1lIil1I

    - 8BBil8I1

    • entropicdrifter 6 years ago

      Most states don't use lowercase, but otherwise a solid plan

  • rtkwe 6 years ago

    I'm surprised more places don't do what Nintendo did with course ids in Super Mario Maker 2. They intentionally removed some characters that are visually similar to avoid confusion when writing out codes.

    • retzkek 6 years ago

      base32? "an alphabet of A–Z, followed by 2–7. 0 and 1 are skipped due to their similarity with the letters O and I (thus "2" actually has a decimal value of 26)." https://en.wikipedia.org/wiki/Base32

      • rtkwe 6 years ago

        No they removed Z, I, & O from A-Z+0-9. They removed Z because it looks similar to 2 in some cases too I bet.

  • silencio 6 years ago

    It doesn't take much to break some of those though.

    I have a custom plate that is two common words, on a California 60s vintage plate (black plate with yellow lettering) and most parking garages that check and print your plate on the ticket always butcher it. Instead of (replaced for privacy) "FOO BAR" it will say "8A2M31W" or some garbage.

  • cpeterso 6 years ago

    I read that someone tried to register a license plate with a random sequence of Os and zeros (e.g. "OO0O00"). Unfortunately, it worked too well because the person doing data entry at the DMV ordered him a plate with all Os. :)

    • throwaway3627 6 years ago

      Or all 1's, L's and I's with a license plate frame that "accidentally" covers up the differentiating marks. >:)

      PS: Reminds me, I should get one of those LPR T-shirts with license plates all over it.

zrobotics 6 years ago

"Droogie contacted the DMV who told him to change his plate. He refused because he didn't do anything wrong. While they wiped the fines off his record, unfortunately for him, they didn't fix the problem in the system so once again, Droogie has accrued another $6,000 in tickets"

So wait, after he knew this was the outcome from using this plate he just decided 'nope, the DMV will definitely rectify this error'? Maybe he has a much higher tolerance for dealing with the DMV than I do, but surely there are far more productive ways to spend your time than constantly battling against invalid tickets. Additionally, I would be concerned about not being able to waive some of these tickets at some point and actually having to pay them,6k isn't exactly an insignificant amount and could also really impact insurance rates.

  • Operyl 6 years ago

    If it got to that point, I’m sure some tech savvy lawyer would have fun with these cases.

  • lucideer 6 years ago

    Its a matter of principle though. Droogie hasn't done anything wrong, and is receiving fines due to errors made by the DMV.

    You're right that when faced with a choice between acting on principle vs acting pragmatically/for one's own benefit/convenience/need, people often don't have the luxury of (or patience for) choosing the former. But it's nice to see when someone does.

    • hn_throwaway_99 6 years ago

      TBH it's a very silly principle to fight for: "I DEMAND YOU HAVE NO BUGS!" And the DMV could just as well argue "Sorry, the bug is that we never should have accepted your NULL plate application in the first place, so we'll send you a non-vanity plate".

      • sloum 6 years ago

        I agree with the outcome of your premise to some degree. But he did do nothing against their stated policies regarding vanity plates. They issued him the palte. I am of the opinion that if they have a flaw in their code, it is on them to fix it, not the 'customer' to change their situation after the fact...

      • lucideer 6 years ago

        He's not demanding they have no bugs, he's merely refusing to provide a workaround for their bugs at his own expense and inconvenience (sure refusing to may actually involve other greater expense and inconvenience but that's beside the point).

        The suggestion in the latter half of your comment is notable in that that's not what they said or offered. They don't even seem to have offered any recompense, which could at least be seen as a reasonable middleground (though still a compromise for Droogie who is denied his vanity plate post facto)

    • ajross 6 years ago

      > Droogie hasn't done anything wrong

      That's arguable, actually. The article states, but doesn't provide evidence, that Droogie "hoped it might confuse automatic license plate readers or the DMV's ticketing system".

      If this was done in an attempt to evade enforcement of existing laws, then sorry: that's a crime, folks. You aren't allowed to pen test live systems!

      • sloum 6 years ago

        Why would that be a crime? Intent is irrelevant. The crime is that the DMV is running shit code that is wrongly accusing people of crimes.

        • ajross 6 years ago

          Intent is absolutely relevant in criminal law. The phrase "with the intent of" or "for the purposes of" appears everywhere in the field. Go browse through the quoted text of the CFAA here and see what you can find: https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act

          I'm not interested in getting involved in a philosophical discussion about whether anarchic hacking "should" be a crime. I'm saying that given the text of that article, an enterprising prosecutor could probably get a conviction for one.

          Don't fuck with other people's systems. Even (and especially) when they're running shit code.

      • mijoharas 6 years ago

        Is the punishment for that crime loads of unrelated parking tickets?

        That's a weird legal system going on over there.

      • lucideer 6 years ago

        Fair, it could be argued. As you said in a deeper comment though, it would take an enterprising prosecutor (though they're hardly scarce) .

        Within reason though, he hasn't technically done anything to warrant tickets.

natch 6 years ago

This post has way too much traction to flag now but I wish we didn’t have sites like this that take a bit of admittedly interesting content from elsewhere and repost it with an infinite scroll of spammy ads.

Seems to be a clever technique here too, ending the article with what seems like a non-ending, so the user will keep scrolling.

If I remembered where the original content was I’d post it, or had a desktop/laptop browser to search with right now, I’d post a link, but I don’t. I just remember having read a much better article about this in the past.

DJBunnies 6 years ago

Stan, are you in here?

My buddy Stan registered for null@verizon.com back in the early 2000s so you could link sms to email delivery. Wound up with so. many. text messages. Reminders to take medicine, personal convos, sports results, everything.

Was great fun to read while waiting for class.

dpcan 6 years ago

Similarly I used to wonder how awful it would have been to own example.com ... until I found out it was an IANA special-use domain.

But someone still owns test.com, and I can't imagine what that mail server goes through.

  • pugworthy 6 years ago

    Not unlike whoever gets all the email at foo@bar.com

ChuckMcM 6 years ago

Similarly don't get 'none', 'no plate', or 'na' :-)

It would be cool if you could do punctuation so you cloud get "'; drop table;" alas little Bobby Droptables will likely never get that plate. :-)

I did see a plate "I<heart>0X45" which was a cute nerd joke, I expect that would be more difficult to get these days.

_bxg1 6 years ago

I recently bought a *.ninja domain name and started using it for my personal email address. Probably 20% of the time, when I try to sign up for a service it gets rejected by web forms that have been hardcoded to check for traditional top-level domains.

  • repolfx 6 years ago

    Oh you think that's bad? My email address ends in that most exotic of domains, .net

    I find websites that won't accept it because they think it's an invalid address all the time. I have no idea what logic they're using, would love to find out.

    • im3w1l 6 years ago

      Interesting. I have a country topdomain email and never had problems.

27182818284 6 years ago

If I recall correctly, this comes up a lot with null.com too with respect to emails, etc. I think there was even an HN post about all the null@null.com emails collected by someone.

logicallee 6 years ago

Let's talk about one specific thing from the article:

>Things started to go awry when he first registered the tags. He tried typing in his license plate but the DMV website wouldn't accept it.

Let's talk about the fact that the DMV website wouldn't accept it. Do you think this is all right behavior on the part of the DMV website?

It's really interesting because if you're coding up the DMV web site, it makes sense to disallow NULL just as a preventative measure, like not allowing '-- in a query (to prevent SQL injection attacks.)

I would generally think that on the whole you should accept -- as a substring in a password. But is it wrong programming if you don't allow that substring?

Disallowing it could cause someone's chosen password to fail, so they have to change it for you to accept the password they want, but if you know for sure that you use sql as part of processing passwords you might well decide that it is acceptable to make people have to try a new password before you'll accept theirs, in case you are not confident that you are escaping everything correctly.

So from my end it seems okay to do something like disallow NULL.

If you consider the choice of the programmer on DMV's web site, what do you think about their choice to reject this input, even though in fact it turned out to be legitimate? Is it acceptable programming practice?

  • dylz 6 years ago

    I don't believe this is acceptable. By any modern sane best practice, the word NULL in a string from a web form (where your input is basically by definition a string) is a string like any other

    Blocking -- in a string does not prevent SQL injection attacks. Using proper parameterised queries does. This might sound mildly hostile but "you are not confident that you are escaping everything correctly" - when this is a well defined and solved problem - means you should not be building this application as you're too incompetent to. For the millions of taxpayer money wasted on this kind of thing, it is absurd.

    Blacklisting keywords used in XSS is also completely futile, pointless, useless, and does nothing but piss off users that can no longer use anything containing the word log or window or whatever.

antisemiotic 6 years ago

Bobby Tables started school in 2007, so he'd be around 17 today, seems about right.

lordnacho 6 years ago

That's a bit curious though. If the code relies on a magic value, you'd think it's in order to skip trying to get data it doesn't have, like the address of the unidentifiable cars.

Even if NULL then does have this address attached, why does it take the branch where it looks for the data?

I suppose it would be in a relational DB, perhaps there's a join that drops missing entries, but if they aren't missing they show up?

  • delinka 6 years ago

    The code doesn't rely on a magic value, the humans have decided that an empty value will be typed, by hand, into their terminals as the characters "NULL".

    The problem is that the employees with access to the system are required to enter a 'valid' value. But in some cases there is no value. So the 'valid' value they've come up with is the string "NULL" - they can't use "~~NULL~~" because ~ isn't allowed on a license plate. So because A) anyone can request a valid value on a plate, and B) nonce values must also be "valid" within the system, the tax payer is capable of ordering a nonce value on a plate.

    • rory096 6 years ago

      >the humans have decided that an empty value will be typed, by hand, into their terminals as the characters "NULL"

      Almost certainly because of software constraints, like the form not allowing the plate number field to be blank.

      • delinka 6 years ago

        Yeah, I addressed that:

        >employees with access to the system are required to enter a 'valid' value.

        • rory096 6 years ago

          ... did you edit that second line in after the fact, or am I losing it?

          • delinka 6 years ago

            I did not edit that in. Sorry.

  • vinay427 6 years ago

    They're likely different organizations. The one that entered 'NULL' license plates was a "privately operated citation processing center" so they presumably weren't in charge of looking up the addresses for each license plate. If they were it would be rather pointless to save the 'NULL' value in the first place.

mkagenius 6 years ago

I bricked my profile page on Zomato, There is(was) a feature where you can choose a custom URL for your profile page, I chose something which already was a valid URL for them. Now when i click on "my profile", it goes to "https://www.zomato.com/genjs" . I can't edit anything in my profile now.

SteveNuts 6 years ago

Seems like a brilliant idea to me, hopefully it forces them to fix their shitty software. I would chip in to crowdfund this guy's battle for sure.

exfed 6 years ago

This kind of thing makes me question how tightly we couple (or fail to couple) the "code of Law" to the "code of Computers".

muglug 6 years ago

The same issue is seen on social networks that identify users by their usernames: - before it was suspended, twitter.com/null had just 2 tweets, but over 70K followers: http://archive.is/Dt6af.

dulvac 6 years ago

I have a friend who told me his story enrolling in his university. He's a German national who grew up in Spain. I'm going to call him Andres Schmidt, as the actual name is not relevant.

In Spain, people normally have two surnames, one from the mother and one from the father (no, it doesn't exponentially grow with generations :D). He had issues enrolling in uni, as the system required two surnames so he ended up with "Andres Schmidt Schmidt". He had issues down the road as well, having to explain himself every time he needed to register for something. I think the student id was also a hash which included the name and he hadn't been consistent with his "full" name in all systems.

atsushin 6 years ago

Moral of the story: Test at your own risk!

At least his story brings to light the poor quality of software the DMV is using.

I'm curious about the other, unintended consequences of naming things null in other web applications; maybe its time to explore ...

Causality1 6 years ago

The interesting question this article poses is whether there's a system in place for the government to revoke vanity plates it's already approved. Can they force him to change the plate?

  • moftz 6 years ago

    They just wouldn't let him renew his vehicle registration unless he changes his vanity plate or goes back to the a random number.

  • Scoundreller 6 years ago

    Ontario Canada has an anesthesiologist with a “FENTANYL” license plate.

    Was funny in 1995, not so much now.

    So he went to the DMV and asked them to change it, and they wanted to charge him to do that.

    He’s like, no, i’m not paying.

    Eventually he writes a letter to his politician saying “please revoke my license plate” and eventually he gets a letter saying they got a complaint (ie: his) and the DMV wants to revoke his plate.

    But he had to wait 30 days For the appeal clock to run out, just in case he wanted to appeal his own complaint.

    Kinda funny, but kinda sad that someone paid $400k+ per year by the government wasted thousands more because he didn’t want to pay the $100 plate change fee.

    * some details/numbers estimated from memory.

  • tbyehl 6 years ago

    My state has legislation about denying / revoking vanity plates and 'It inconveniences our computers' is not a valid reason.

ancarda 6 years ago

I never understand how these sorts of bugs happen - is the database something like:

    plate VARCHAR(8) NOT NULL DEFAULT "NULL"

Or rather the type is actually Option<String>:

    plate VARCHAR(8) NULL DEFAULT NULL

In which case, how is it the software can't tell the difference between Some("NULL") and None()?

The only thing I can think of is the software (or it's database driver) handles everything in strings; so None() and Some("NULL") both get converted to "NULL"?

  • mdorazio 6 years ago

    Based on the description in the article, it's a separate system that is actually entering "NULL" in the license plate string field, probably for things like red light camera violations. Chances are it's a human doing this according to a procedure or the system is setup to require entry of some text in the field, so they have to enter something and opted for "NULL" if the actual plate is unreadable / unreliable / not present. This is unfortunately how a lot of things in the real world work, especially on legacy systems.

  • ceejayoz 6 years ago

    There's a good chance it's some text file in CSV or fixed-width format being shipped around.

      JOHN,DOE,NULL,08-12-1983
      JANE,DOE,FX9-80Z,01-23-1960
tathougies 6 years ago

It would seem to me that issuing frivolous citations to a man who has not actually broken the law is a violation of the general prohibition against unreasonable fines and punishment.

rafaelvasco 6 years ago

I don't know how being able to put any random word in the plate can even work. Always found it funny in movies and thought it was a joke.

peter303 6 years ago

Do any states allow emojis on plates. I saw a red heart recently. ButI don't know if that was the license number or the background.

raviolo 6 years ago

I’ve seen several combinations of B’s and 8’s - like “8B88B8”. Wonder how effective they are at confusing plate readers.

  • 2_listerine_pls 6 years ago

    It would be the same as having a single 8, but I guess it's not a problem or plate readers wouldn't be in use.

TomMckenny 6 years ago

> He refused because he didn't do anything wrong.

Cool the DMV fixed it. Just try that with so called "identity theft"

4ntonius8lock 6 years ago

Reminds me of myself: when gmail came out I got my name@gmail

The name is my 6 letter last name.

I've received thousands of emails from random people. There are so many letter.name or number.name similar addresses that I'm constantly getting very personal emails of other people (deaths, marriages, invoices, business reports, etc)

jle17 6 years ago

Reminds me of a recent groceries delivery to my home. I had ordered online the day before and had some trouble filling in the form but managed to validate it anyway.

The delivery man called to tell me my address was incorrect. When I asked him what was wrong, he told me it said 'Null Null Null Null'.

senectus1 6 years ago

I've got AFK plates... makes it super easy to remember :-P

A couple of cars in my city have plates like "0O00OO" or "BB88B8B"

One guy that I've seen driving near my place has two cars both with variations of "11ll11l" Both the same make and model and color.

I really dont think this will help him much.

urbanslug 6 years ago

This wouldn't be a problem if people wrote programs in languages that have proper type systems that can correctly classify failure.

I'm thinking of types such as Maybe/Option or Either.

I hate it for example when a C/C++ function has to return a -1 in case of failure.

vallismortis 6 years ago

Actually, it was brilliant because it pointed out how flawed the system is, that it can be passively broken or circumvented. This could be used to invalidate all citations that were issued from agencies using that software.

lgeorget 6 years ago

Well that's what happen when you use a special value that's actually not that special and is part of the valid values domain.

If they had to use a string (and I doubt they had to), they could at least have used the empty string.

djyaz1200 6 years ago

LOL! Can we have a new subcategory on HN for comic relief stuff like this! :)

mirimir 6 years ago

I rather think that it did work. Or, at least, if he continues being successful having tickets for "NULL" dropped. Because any tickets he actually gets will be to "NULL".

oarabbus_ 6 years ago

>Apparently, when they didn't have the right data for a vehicle, a privately operated citation processing center used the word NULL in the license plate field for many tickets.

>used the word NULL

Oh god, I feel faint.

gwbas1c 6 years ago

I would think a cease and desist, followed by a lawsuit, would clear things up very fast.

BTW, California has a problem with issuing both plates with 0 (zero) and O (letter) in them. They both look the same.

gauravphoenix 6 years ago

I have named my phone "Null Pointer Excpetion" whenever I connect my phone to friend's Bluetooth they immediately scream- "oh look! null pointer excpetion!"

mherrmann 6 years ago

Is this actually possible? Aren't strings at least surrounded by quotation marks ('NULL') while NULL isn't?

  • vinay427 6 years ago

    The 'NULL' string was being entered by the private company:

    > Apparently, when they didn't have the right data for a vehicle, a privately operated citation processing center used the word NULL in the license plate field for many tickets.

  • tempestn 6 years ago

    It's not a database sanitization issue. The problem is that for cars that don't have a plate or the plate wasn't entered for whatever reason, in some cases people were entering "NULL" (the string). That then ended up matching his plate.

foobarbecue 6 years ago

I once saw a parked BMW and the plates were the current day of the week and date. I am still scratching my head over that one.

sharadov 6 years ago

update Table set LicensePlate = 'NOPLATES' where LicensePlate = 'NULL';

kev009 6 years ago

The case for stronger type systems for layman programmers in an easily understood parable.

tempodox 6 years ago

Great idea. Any cop writing you up and any traffic cam will suffer segmentation fault.

codeisawesome 6 years ago

That’s the closest way yet that I’ve seen Little Bobby Tables come to life :D

josteink 6 years ago

Confusing the value NULL for a non-null string-sequence which says “NULL” shows the clear sign of a system where no data can be assumed to hold any integrity.

These bugs and categories of errors should simply not be possible in sane languages or frameworks.

  • rtkwe 6 years ago

    That's not what's happening at all please reread.

    > Apparently, when they didn't have the right data for a vehicle, a privately operated citation processing center used the word NULL in the license plate field for many tickets. Since that just happens to be Droogie's license plate, he got all of them.

    So it's 'confusing' the string NULL used incorrectly (kind of, it's fine under the assumption that no one will have the license plate NULL but that assumption is wrong) with the string NULL.

yummypaint 6 years ago

Sounds like it worked. He can now accrue tickets without penalty.

Scoundreller 6 years ago

There’s a lot of interesting options. How about NaN NaN?

  • strictfp 6 years ago

    Or "[object Object]"

    • in_hindsight 6 years ago

      Can you have brackets in license plate?

  • vinay427 6 years ago

    This isn't an issue with the program lacking a valid input. The 'NULL' was hardcoded as a default value by a private processing company. (See the third paragraph in the article.)

throwaway3627 6 years ago

I like my new vanity license plate:

DROP DATABASE;

leonsmith 6 years ago

Stories like these and the bobby droptables xkcd are the reason I ended up with this plate, https://i.imgur.com/O7KEFrn.jpg It gets a lot of compliments and attention even if most people don't know what "null" is

RickJWagner 6 years ago

Hahahaha best thing I've read all day.

jeffdavis 6 years ago

It sounds like a bright idea to me.

visarga 6 years ago

NULL strikes again, this time IRL!

  • dkarl 6 years ago

    This time?

mieseratte 6 years ago

Guess I should FOIA the DMV to find out what my state's default value is.

  • astura 6 years ago

    These tickets were issued by a privately operated citation processing center.

    • mieseratte 6 years ago

      My state doesn't allow for private companies to automatically mail you a ticket but requires an officer pull you over and cite you.

      • entropicdrifter 6 years ago

        In any state private companies' tickets don't count since they aren't issued by an officer of the court. You can just straight up ignore red light camera tickets.

        • mieseratte 6 years ago

          > You can just straight up ignore red light camera tickets.

          How does that work? They send you a ticket you're under no obligation to pay or otherwise respond to? What's the incentive?

patrioticaction 6 years ago

So this guy doesn't have to pay parking tickets anymore right?

ryanseys 6 years ago

Play stupid games, win stupid prizes.

willis936 6 years ago

This reminds me of the bit that mentions that St. Peter has a list of questions he asks people at the Pearly gates. Among them he asks, “Did you have a vanity plate?”

joering2 6 years ago

There are ways to properly sanitize inputs these days so NULL becomes "NULL" (string), BUT also tons of systems moved into JSON format assuming its safe. It is not. JSON is not binary safe and there are tons of unicode chars that will break JSON. I was once overseeing system that people would bring down all the time by registering usernames that the app could not properly sanitize and they in return were breaking JSON format to the halt of the whole system. I should not admit but using same chars I myself broke few youtube channels when comments and votes were working in JSON format themselves without properly removing unsafe char codes. Good times.

  • heavenlyblue 6 years ago

    No, it’s not the JSON format that is broken - it’s the parser you use for JSON that is broken.

    • joering2 6 years ago

      Well not me. More like large vast of websites used to or still have. The assumption was all I need is JSON and it will properly format data during exchange.

      • heavenlyblue 6 years ago

        Then you would be surprised it also doesn’t handle big integers well in JavaScript, too!

dec0dedab0de 6 years ago

This isn't even a coding error, NULL is apparently valid license plate, and for some reason there is a private processing center typing it in to the government system.

First of all they are accidentally committing fraud (libel?) against this guy. But more importantly, why is there a private processing center? Don't the officers type this in as they fill out the ticket? or even just scan the plates? If there aren't plates on the vehicle it should be towed or booted. What is the point of recording tickets with no plates? Is the processing center paid per ticket recorded?

  • delinka 6 years ago

    Brand new cars don't yet have plates. Granted, most states now have dealer-printed labels with an identifier on them, but still, new cars don't immediately have plates when they roll off the lot.

    • reaperducer 6 years ago

      When I lived in West Virginia, recently sold cars did not have temporary tags. It was very common to see hand-scrawled signs "TAF" in the back windows. TAF stood for "Tags Applied For."

      I'm not sure if that's still happening.

  • dtech 6 years ago

    It's not fraud or libel, it's an unavoidable problem with in-band signalling [1].

    I assume the government entry system doesn't have an explicit way to set the data as missing, so they work around it like this.

    [1] https://en.wikipedia.org/wiki/In-band_signaling

    • voldacar 6 years ago

      Guess they should have used the Maybe monad!

  • pavon 6 years ago

    > This isn't even a coding error, NULL is apparently valid license plate, and for some reason there is a private processing center typing it in to the government system.

    I would take that with a grain of salt. The linked article on a talk-radio site, and was likely intended as a wacky news bite that the hosts breeze through and then make jokes about. I figured the exact technical details of what is causing the problem was lost in translation. More likely that they were leaving the plate blank, and then the backend software was confusing null database fields with the string "NULL".

tsss 6 years ago

Shout out to all the Python programmers from the other frontpage thread who are responsible for bugs like this with their crappy scripting languages.

  • thomasjudge 6 years ago

    If you want to throw darts at someone, I think database systems with three-valued logic would be a better target. This criticism (not for these reasons) has been leveled...

  • SEJeff 6 years ago

    Crappy code can be written in any language, see all of the CVEs in C code, even when written by experts.

    As surprising as it may be, bad code is often written by bad programmers. It doesn't matter what language you use if you write bad code.

    • tsss 6 years ago

      But scripting languages make it especially easy to do so. That doesn't mean people who use them are bad programmers. They just chose a bad tool.

      • SEJeff 6 years ago

        And php makes it easier than python, but it isn't a scripting language. Your original point is still invalid.

        Alternatively, some amazing tooling has been written in these "terrible" scripting languages. Instagram was sold for a billion dollars and was a glorified Python Django webapp ontop of a Postgres database.

        I got in a similar debate with a coworker recently over some go code he wrote. He told me that go code didn't need full unit tests because the compiler checked for bugs. Amusingly, he swapped the order of two int arguments in a pull request literally an hour after our discussion. I pointed out how a unit test would have prevented the production regression he caused, and then he started writing tests for his changes. So yet again, scripting languages have nothing to do with "good" or "bad" code. It is all about good vs bad developers.

  • heavenlyblue 6 years ago

    Well - Python doesn’t use NULL, to be clear.

    • 52-6F-62 6 years ago

      In the other notorious scripting language JavaScript it's also spelled

          null
      

      Which makes for a bit of funny because

          NULL is not defined
  • vinay427 6 years ago

    Ignoring the lack of 'NULL' in Python for a moment, this wasn't even an issue with the code lacking an invalid input. If you read the article, you might have realized that.

  • jrockway 6 years ago

    I think if you want to blame scripting languages, you need a license plate that says "None" or "undefined".

    What happened in this case was that people used the literal value "NULL" to mean "I don't know". They could have used the word "LOLCAT" and the effect would have been the same. Overuse of in-band signalling is a general design flaw not specific to any programming language. (Remember when people would whistle a 2600Hz tone to make free phone calls? Same thing as this.)