SoylentNews is people

posted by janrinok on Friday August 16 2019, @05:08PM
from the null-not- dept.

Forbes reports that a security researcher in California registered the vanity plate "NULL," partly for fun and partly in the hope that it would spoof the system into returning errors whenever his plate was seen.

Instead he received more than $12,000 in fines, as his plate became a dumping ground for erroneous data records.

Every single speeding ticket for which no valid license plate could be found was assigned to his car. The Los Angeles police department eventually scrapped the tickets but advised the man to change his plates, or the same problem would continue to occur. In response, the man has apparently said: "No, I didn't do anything wrong," insisting to his Def Con audience that, whatever happens, "I won't pay those tickets."

Also covered in the Guardian.
 


  • (Score: 2, Disagree) by All Your Lawn Are Belong To Us on Friday August 16 2019, @05:16PM (21 children)

    by All Your Lawn Are Belong To Us (6553) on Friday August 16 2019, @05:16PM (#881181) Journal

    "...except try to evade the system intentionally." If it was purely for fun I hope he's having fun yet. But if it was "partly in the hope that it spoofed the system," and he said that, then he has already admitted intent to obstruct justice and thus is fairly lucky he isn't charged with that as a crime. (Though IANAL and I wouldn't want to be the prosecutor for that). Mens rea means a lot and admitting you have intents is about the stupidest thing you can do, right up there with admitting you might be a little buzzed after only one beer but safe to drive after being pulled over.

    Should he have to pay the parking tickets? Obviously not. But instead I'm betting that the regulations creating license plates would allow the state to revoke that specific plate and provide him with another at their discretion. That's what should happen instead.

    --
    This sig for rent.
    • (Score: 2) by JoeMerchant on Friday August 16 2019, @05:20PM (3 children)

      by JoeMerchant (3937) on Friday August 16 2019, @05:20PM (#881187)

      This is kind of in-line with the DMCA: if you're trying to break something, that makes the activity illegal. Not that I love the DMCA or anything, but that's how it works. No matter how lame and easily broken the system is...

      So, now that we all know, the easy thing for the state(s) to do is register the NULL plate themselves, so cranksters like this can't get it.

      --
      🌻🌻 [google.com]
      • (Score: 2, Disagree) by All Your Lawn Are Belong To Us on Friday August 16 2019, @05:59PM (2 children)

        by All Your Lawn Are Belong To Us (6553) on Friday August 16 2019, @05:59PM (#881204) Journal

        It's not just the DMCA. Doing something that subverts justice has been the crime of obstruction of justice since LONG before the DMCA. And I fail to see how intentionally trying to do something that would get one out of earned violations is not a subversion of justice.

        My understanding of DMCA is that there are specific exemptions [the-parallax.com] if one's purpose is lawful, although I'm willing to be corrected about that. Such exemptions don't have to be there, although I know the DMCA is used as the equivalent of a SLAPP club sometimes also. But if I go out and announce, "Hey, I just broke the encryption of X for the Lulz and so I could help the haxxors everywhere!" then I wouldn't expect too much sympathy as a safe harbor there. So maybe it is similar.

        I'm not positive that in obstruction that knowledge of intent even matters, but announcing that one has intent makes that point moot anyway.

        --
        This sig for rent.
        • (Score: 4, Insightful) by AthanasiusKircher on Saturday August 17 2019, @02:40AM

          by AthanasiusKircher (5291) on Saturday August 17 2019, @02:40AM (#881403) Journal

          > Doing something that subverts justice has been the crime of obstruction of justice since LONG before the DMCA. And I fail to see how intentionally trying to do something that would get one out of earned violations is not a subversion of justice.

          I agree with you that the DMCA has nothing to do with this, and obstruction has been around for a long time. But, I think your definition of "obstruction" is far too broad. If I know police officers tend to patrol for speeders on 3 out of 4 roads I could take home, and I take the 1 out of 4 home that I think is likely NOT to have a cop and I speed, then I am guilty of the crime of speeding. I am NOT guilty of "obstruction of justice" by exploiting a potential hole in the enforcement system. Similarly, if the state offers a number of custom license plate designs, and the one of the American flag on it seems more patriotic to me, and I think cops are less likely to pull over someone who seems patriotic (and even if that is TRUE), requesting such a license plate to potentially get out of a ticket is NOT "obstruction of justice."

          Nor, then, is choosing one license plate set of letters out of tens of thousands or whatever that I think may be less likely to incur tickets for whatever reason, whether it's "NULL" or "LOVECOPS" or whatever.

          Obstruction is a serious crime. If this guy hacked into a police database and stole records of his violations or himself changed the code that processed them, obviously he may be guilty. But he did not. If he custom-designed a license plate in an illegal fashion (i.e., manufactured his own) that had some sort of weird property that wouldn't let police scan it properly, then yes, I suppose he might be "obstructing justice" (though even that's a pretty broad reading of the term -- he'd more likely be charged with whatever crime it is to falsify plates or whatever).

          But he did none of this. He requested a plate and was granted a plate by the state. It was an official license plate. Just because he chose an option that he believes is less likely to be enforced is NOT in itself "obstruction of justice." Is it moral/ethical for him to do this? I would say "no" unless he was trying to prove a point and then report said element to authorities. But he was NOT "obstructing" justice according to any definition I'm familiar with. (Caveat: IANAL.) Of course, if his license plate got him out of any tickets for violations, once the flaw was recognized, he would (and should) be liable for any unpaid fines, etc.

          If anything, what I think you're getting at is a type of evasion [wikipedia.org] of the law. For various topics in the law (taxes, contracts, etc. varying by municipality), evasion can be criminalized. That is -- situations where you apparently adhere to the law, but deliberately do something that also tries to get you out of compliance. I am not aware of any evasion laws that would apply to routine traffic violations. Otherwise, states could charge people with police radar detectors with "obstruction of justice" when they find them. But they can't. Instead, states had to pass separate statutes to criminalize possession and/or use of them.

        • (Score: 2) by AthanasiusKircher on Saturday August 17 2019, @03:01AM

          by AthanasiusKircher (5291) on Saturday August 17 2019, @03:01AM (#881409) Journal

          Also, after reading both articles linked in the summary, I see no clear intent to get out of tickets. Instead, it's a story about someone who is supposedly a "security researcher" who wanted to "test" the system and see what happened. According to TFA, he didn't know if he'd be "invisible" with this license plate, or whether the system would pop up errors, or what would happen.

          Now, maybe he's lying, and he did in fact hope to avoid fines. And he only reported about it because it turned out differently. So maybe he's lying about his intent. But at no point in TFA do I see him saying, "I did this because I wanted to get out of tickets." He's a guy who is interested in security and wanted to see what would happen. So I don't even think he satisfies your condition of admitting wrongdoing -- he just admits that he thought it was possible the system would treat his plate in a non-standard way. Perhaps it would throw up errors during processing, which would cause police to fix the system. Perhaps the errors would bring more trouble to him (which they did). He didn't know.

          IF we have proof that he DID know the database was exploitable in a way that could allow him to avoid paying fines with his NULL plate, maybe we could find him guilty of something else. But he didn't know that, and he didn't even admit that's what he was trying to do.

    • (Score: 4, Interesting) by LaminatorX on Friday August 16 2019, @05:28PM (4 children)

      by LaminatorX (14) <laminatorxNO@SPAMgmail.com> on Friday August 16 2019, @05:28PM (#881192)

      One hopes that they might also open a defect ticket with their plate-cam vendor, because there's clearly a need for a parameterized query or the like in there somewhere.

      • (Score: 2) by Gaaark on Friday August 16 2019, @06:38PM (2 children)

        by Gaaark (41) on Friday August 16 2019, @06:38PM (#881221) Journal

        YOU LIED! There is NO Tolkien!
        *cries*

        --
        --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
        • (Score: 2) by LaminatorX on Friday August 16 2019, @08:45PM (1 child)

          by LaminatorX (14) <laminatorxNO@SPAMgmail.com> on Friday August 16 2019, @08:45PM (#881269)

          You have to catch us live for that. The estate is no longer issuing licenses for music publication.

          • (Score: 2) by Gaaark on Friday August 16 2019, @09:00PM

            by Gaaark (41) on Friday August 16 2019, @09:00PM (#881277) Journal

            Damn...got any torrents? ;)

            --
            --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
      • (Score: 1) by NPC-131072 on Friday August 16 2019, @07:11PM

        by NPC-131072 (7144) on Friday August 16 2019, @07:11PM (#881231) Journal

        You may already be giving them too much credit.

        plate = (plate == NULL)? 'NULL': plate;

    • (Score: 4, Insightful) by Mer on Friday August 16 2019, @07:32PM (3 children)

      by Mer (8009) on Friday August 16 2019, @07:32PM (#881238)

      Boohoo, shifting the blame for a shitty system. The place that authorizes vanity plates gave him the green light but would have said no for a bunch of reasons.
      The police are scrapping the tickets because they are in the wrong. There's no law against fucking with this particular ticket system, and god knows unless you have a law specifically forbidding fucking with the rules people are gonna fuck with them (i.e. taxes).
      The correct reaction isn't "you should change your plates" (that he already paid for) but "we'll fix our system".

      --
      Shut up!, he explained.
      • (Score: 2) by All Your Lawn Are Belong To Us on Friday August 16 2019, @08:01PM (2 children)

        by All Your Lawn Are Belong To Us (6553) on Friday August 16 2019, @08:01PM (#881252) Journal

        No, the correct reaction is, "we'll take your plates away and give you different ones at no charge."

        And yes. Fuck with taxes and you get your ass in trouble. You couldn't have picked a better example of rules that if you declare you're trying to break the law you draw yourself an audit. Better yet: OK, just don't pay them and then we'll see what happens down the road.

        --
        This sig for rent.
        • (Score: 2) by Mer on Saturday August 17 2019, @10:00AM (1 child)

          by Mer (8009) on Saturday August 17 2019, @10:00AM (#881479)

          Sure, and the Dutch sandwich is used by Apple, Google, Facebook, Oracle, Airbnb, Microsoft and Yahoo because they have important business in Amsterdam. Not because they try to skirt around the law.
          You make computer systems to make life easier, system limitations are not a valid reason to make new rules. Especially not when the exploit in question isn't an advanced hack but just unsanitized inputs.

          --
          Shut up!, he explained.
          • (Score: 2) by All Your Lawn Are Belong To Us on Monday August 19 2019, @03:13PM

            by All Your Lawn Are Belong To Us (6553) on Monday August 19 2019, @03:13PM (#882155) Journal

            And if this guy had the lawyers to talk to that those companies do in handling their taxes maybe he would have found a way to do it better, or be advised not to try it. But by all means, you are welcome to play with your personal taxes based on a concept that if you think the hole is there that you can use it. I look forward to your results, and if you're wrong I don't think the IRS will be terribly sympathetic to what you thought was OK.

            And you pegged the word exactly: exploit. Try to exploit a system and don't be surprised the system does not welcome it.

            --
            This sig for rent.
    • (Score: 3, Insightful) by Arik on Friday August 16 2019, @07:41PM (3 children)

      by Arik (4543) on Friday August 16 2019, @07:41PM (#881242) Journal
      Or they could just sanitize the computer system that we the taxpayer paid for.

      The original contractor should be forced to fix it at no additional cost.

      Quit blaming the messenger.
      --
      If laughter is the best medicine, who are the best doctors?
      • (Score: 2) by All Your Lawn Are Belong To Us on Friday August 16 2019, @07:59PM (2 children)

        by All Your Lawn Are Belong To Us (6553) on Friday August 16 2019, @07:59PM (#881251) Journal

        If the messenger is intentionally trying to get away with something then yes the messenger is to blame for trying to get away with something. If the messenger was simply saying, "Yeah I'm a computer geek and a NULL license plate expresses my philosophy," then no problem. "I'm just taking advantage of the system," is dishonorable claptrap.

        --
        This sig for rent.
        • (Score: 3, Insightful) by Arik on Friday August 16 2019, @08:08PM (1 child)

          by Arik (4543) on Friday August 16 2019, @08:08PM (#881257) Journal
          I think you're just tearing it out of context.

          If the system is broken, the only way to draw attention to that fact may be to take advantage of it.

          It sounds like this is costing him far more than it's worth, if he were trying to avoid trouble rather than bring attention to an amazingly brain dead system that's been put in a position to control the citizenry.

          --
          If laughter is the best medicine, who are the best doctors?
          • (Score: 2) by All Your Lawn Are Belong To Us on Friday August 16 2019, @10:33PM

            by All Your Lawn Are Belong To Us (6553) on Friday August 16 2019, @10:33PM (#881321) Journal

            I might well be, and that may well be the reason he isn't being charged with anything.

            The Guardian article didn't clarify much since it was about confusing identity systems in general and I do not click on Forbes articles anymore. Maybe Forbes added some depth to it and/or I'm reading into it. But even though I don't agree with speed / red light cameras and think the surveillance state is wrong that does not justify causing havoc. Screw with the system, don't be surprised the system screws with you. It strikes me that he got the right level of being messed with back at him. He tried to waste others time and instead found himself being unintentionally hassled, yet did not have to pay the fines but if he continues to act that way he'll keep getting dinged. "Doctor, it hurts when I go like that.... well, don't go like that then."

            --
            This sig for rent.
    • (Score: 2, Insightful) by khallow on Saturday August 17 2019, @04:32AM (2 children)

      by khallow (3766) Subscriber Badge on Saturday August 17 2019, @04:32AM (#881434) Journal
      What intent to obstruct justice?

      > But if it was "partly in the hope that it spoofed the system," and he said that, then he has already admitted intent to obstruct justice and thus is fairly lucky he isn't charged with that as a crime.

      IF.

      > But instead I'm betting that the regulations creating license plates would allow the state to revoke that specific plate and provide him with another at their discretion.

      Or they could fix their system. It's insane that this is even a thing.

      • (Score: 2) by edIII on Saturday August 17 2019, @10:22PM

        by edIII (791) on Saturday August 17 2019, @10:22PM (#881582)

        Even with intent, the guilty party for the actual obstruction are the software vendors. He was doing this in the hope that a software vendor wasn't sanitizing, or properly handling their inputs. When the user (most likely an officer) attempts to run the plate, they would be met with an input error, or some other kind of system error. This is still not the plate owner causing anything, and their possession of an approved license plate NULL is within their rights. If an officer is unable to use software because the software vendor couldn't adequately handle license plates, that's on the government and software vendor entirely.

        If the government isn't restricting a set of bare keywords from usage as a license plate, then they need to ensure they can support that data type. It's insane that they couldn't too. This would've had to be stored as a CHAR field, or VARCHAR at worst, and any proper input validation would've allowed the license plate field to be searchable for the string 'NULL'. The only thing crazier about this situation is that the record holding 'NULL' in the license plate field is found when using license_plate = NULL. That's what happened if unknown license plates are collecting against his "Null record". Implemented properly his license plate record couldn't possibly be associated with null inputs.

        This was somebody being cheeky that didn't realize they were severely underestimating the stupidity of government, or that government doesn't often react well to showing them their systems are faulty. They tend to punish the messenger.

        --
        Technically, lunchtime is at any moment. It's just a wave function.
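
The failure mode described in the comment above, as an added example that is not part of the original thread and is not any DMV's or vendor's actual code. It assumes a hypothetical ingest step that writes the text NULL for plates the camera could not read; the table names, owners and fines are constructed sample data.

```python
import sqlite3

# Constructed sample data: two registrations and three camera reads,
# two of which failed to recognise any plate (None).
REGISTRATIONS = [("NULL", "vanity plate owner"), ("7ABC123", "other driver")]
CAMERA_READS = [("7ABC123", 60), (None, 250), (None, 490)]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE registration (plate TEXT PRIMARY KEY, owner TEXT NOT NULL)")
    db.execute("CREATE TABLE citation (id INTEGER PRIMARY KEY, plate TEXT, fine INTEGER NOT NULL)")
    db.executemany("INSERT INTO registration VALUES (?, ?)", REGISTRATIONS)
    return db


def ingest_stringly(db, reads):
    """Flawed: a missing plate is turned into the text 'NULL' before storage."""
    for plate, fine in reads:
        text = "NULL" if plate is None else plate  # sentinel collides with a real plate
        # The query is parameterized, yet the bug remains: it is in the data model.
        db.execute("INSERT INTO citation (plate, fine) VALUES (?, ?)", (text, fine))


def ingest_typed(db, reads):
    """Corrected: bind the value unchanged, so None is stored as SQL NULL."""
    db.executemany("INSERT INTO citation (plate, fine) VALUES (?, ?)", reads)


def fines_by_owner(db):
    # Equality join: SQL NULL never equals any plate, the string 'NULL' included.
    rows = db.execute(
        "SELECT r.owner, COALESCE(SUM(c.fine), 0) FROM registration r "
        "LEFT JOIN citation c ON c.plate = r.plate GROUP BY r.owner"
    )
    return dict(rows.fetchall())


def unattributed(db):
    # Citations with no plate must be found with IS NULL, not '= NULL'.
    return db.execute("SELECT COUNT(*) FROM citation WHERE plate IS NULL").fetchone()[0]


def run(ingest):
    db = make_db()
    ingest(db, CAMERA_READS)
    return fines_by_owner(db), unattributed(db)


if __name__ == "__main__":
    print("stringly:", run(ingest_stringly))
    print("typed:   ", run(ingest_typed))
```

With the sentinel string, both unread-plate citations are billed to the NULL plate's owner; with a real SQL NULL they stay unattributed and can be queued for manual review.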
      • (Score: 2) by All Your Lawn Are Belong To Us on Monday August 19 2019, @02:39PM

        by All Your Lawn Are Belong To Us (6553) on Monday August 19 2019, @02:39PM (#882141) Journal

        From the Wired article [wired.com] that Legont found below:

        > In his Defcon talk, Tartaro played up the idea that he had initially hoped a NULL plate might get him out of tickets—that, once fed into the database of offenders, the violation quite literally would not compute. But he says now that pranks weren’t actually his initial focus. If anything, he was surprised that the California DMV website let him register NULL in the first place.

        A safe way to interpret that was he was telling the truth the first time and now trying to walk that back. Yes, he could just be correcting a mistaken impression, but let's look at what he specifically said...
        From the Mashable article that Wired quotes, which is a little more equivocating and yet damning at the same time

        > Droogie registered a vanity California license plate consisting solely of the word "NULL" — which in programming is a term for no specific value — for fun. And, he admitted to laughs, on the off chance it would confuse automatic license plate readers and the DMV's ticketing system.
        >
        > "I was like, ‘I'm the shit,'" he joked to the crowd. "'I’m gonna be invisible.' Instead, I got all the tickets."

        If he did it with the intent to conceal his identity from the system in order to not get tickets that's intentionally trying to impede justice, "off chance" or not. His statement in the above quote may be a joke, about on par with joking that one has a bomb in one's luggage at the airport. It can be read seriously. And if nobody asked him to test the system in this way and he wasn't invited to then it's equivalent to when someone tries penetration testing on a system they haven't been invited to, one may assume it's got bad intent and think nothing more of it. Is it clever? Yes. Is it right? Slightly less right than trying to walk into a Wal-Mart with a rifle a week after a mass shooting at a Wal-Mart. In fact, the cases might be parallel in that if it was something done to "test the system" it occurred in a stupid way where the penalty is pretty understandable.

        I still think this is poetic justice. He screwed with the system, he got hassled, and if he's smart he'll figure out what he can do on his own to not be hassled instead of trying to play the victim.

        Should the system be fixed? Yes. Should the guy be held responsible for the fines that aren't his? No. Should he change his plate, even if the system is fixed? Yes. Does this person deserve a medal for finding it? Not the way Snowden should, no.

        --
        This sig for rent.
    • (Score: 2) by hwertz on Saturday August 17 2019, @07:06AM

      by hwertz (8141) on Saturday August 17 2019, @07:06AM (#881457)

      I don't think intent matters personally -- if the system permits him to get a NULL plate, and it jacks up their systems, as far as I am concerned it is 100% their problem, not his.

  • (Score: 4, Insightful) by LaminatorX on Friday August 16 2019, @05:16PM (3 children)

    by LaminatorX (14) <laminatorxNO@SPAMgmail.com> on Friday August 16 2019, @05:16PM (#881183)
    Everyone wants to be Bobby Tables [xkcd.com] until it's time to be Bobby Tables.
    • (Score: 0) by Anonymous Coward on Friday August 16 2019, @07:56PM (1 child)

      by Anonymous Coward on Friday August 16 2019, @07:56PM (#881248)

      And people questioned me when I named the record table NIGGERS.

      • (Score: 2) by coolgopher on Saturday August 17 2019, @02:57AM

        by coolgopher (1157) on Saturday August 17 2019, @02:57AM (#881407)

        Offensive and clever. Well played, sir troll!

    • (Score: 2) by Bot on Monday August 19 2019, @09:11AM

      by Bot (3902) on Monday August 19 2019, @09:11AM (#882042) Journal

      > hopes to render all his tickets invalid
      > All invalid tickets get charged to his account.

      Good subject for comics.

      --
      Account abandoned.
  • (Score: 4, Funny) by krishnoid on Friday August 16 2019, @05:20PM

    by krishnoid (1156) on Friday August 16 2019, @05:20PM (#881186)

    I think we could use both a short version and a more nuanced white nerd version of items three and onward from this video [youtube.com]. I mean, he didn't do anything wrong, but ...

  • (Score: 0) by Anonymous Coward on Friday August 16 2019, @05:23PM

    by Anonymous Coward on Friday August 16 2019, @05:23PM (#881190)

    I blame windows.

  • (Score: 2) by stretch611 on Friday August 16 2019, @06:37PM (1 child)

    by stretch611 (6199) on Friday August 16 2019, @06:37PM (#881220)

    He can now park wherever he wants. Until they find a way to determine which ones are legit, he has an excuse to avoid all tickets.

    Of course, most tickets have a form field for make, model, and year of a car...
    He probably should not be allowed to get the ones that accurately describe his car thrown out. (even with the initial 12,000)

    --
    Now with 5 covid vaccine shots/boosters altering my DNA :P
    • (Score: 2) by krishnoid on Friday August 16 2019, @08:07PM

      by krishnoid (1156) on Friday August 16 2019, @08:07PM (#881256)

      Don't forget VIN, if viewable through the window.

  • (Score: 4, Insightful) by Spamalope on Friday August 16 2019, @07:09PM

    by Spamalope (5233) on Friday August 16 2019, @07:09PM (#881230) Homepage

    The problem is their system, so they make the problem the responsibility of the victim.
    And getting a 'Null' plate as political protest is not 'trying to get away with something' it's protesting the pervasive surveillance and taxation.

  • (Score: 2) by Phoenix666 on Friday August 16 2019, @07:44PM (1 child)

    by Phoenix666 (552) on Friday August 16 2019, @07:44PM (#881244) Journal

    Funnier would be

      '); drop database dmv;

    --
    Washington DC delenda est.
  • (Score: 1) by jurov on Friday August 16 2019, @08:07PM (1 child)

    by jurov (6250) on Friday August 16 2019, @08:07PM (#881254)

    Not long ago, the mentality in the IT industry was the same: "crashes are blamed on operator by default", as exemplified by UNIX gets() call.

    (explanation: gets() reads a line into a buffer, with no checks whatsoever, if the input is longer than buffer it blithely overwrites memory past the buffer. Today it is still found in *all* operating systems, just marked deprecated.)

    • (Score: 3, Informative) by jb on Saturday August 17 2019, @07:14AM

      by jb (338) on Saturday August 17 2019, @07:14AM (#881460)

      > ...as exemplified by UNIX gets() call.

      gets(3) is specified by the C standard (every one, all the way back to C89) -- not by POSIX or its predecessors -- so it hardly seems fair to blame Unix...

  • (Score: 4, Informative) by legont on Friday August 16 2019, @08:24PM (1 child)

    by legont (4179) on Friday August 16 2019, @08:24PM (#881260)

    Here is a better summary of what has happened https://www.wired.com/story/null-license-plate-landed-one-hacker-ticket-hell/?verso=true [wired.com]

    First of all, the first ticket he got he paid, figuring it is easier to pay than to fight one's innocence. That's what all the lawyers usually prescribe as well. This decision unleashed hell, as the system now associated his admission of guilt with NULL.

    Second, mentioned in the article, most of the software nowadays (and I am pushed over there at the office) is built on the principle of The ‘minimum viable product’ concept. The errors here are by design.

    Third, possibly recognizing it, DMV is enforcing at least some of the tickets he got. They probably recognize that he "deserved" it and likely violates the rules all the time.

    Technosphere is building its strength.

    --
    "Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
    • (Score: 4, Informative) by coolgopher on Saturday August 17 2019, @03:00AM

      by coolgopher (1157) on Saturday August 17 2019, @03:00AM (#881408)

      Clearly he should've used DEVNULL if he wanted to avoid paying fines ;)

      (Or if there are any Windows users reading SN, plain ol' NUL)

  • (Score: -1, Troll) by Anonymous Coward on Friday August 16 2019, @11:44PM (1 child)

    by Anonymous Coward on Friday August 16 2019, @11:44PM (#881345)

    Another name for "a security researcher" is "a bank robber" and/or "this is windows calling". Apparently "a security researcher" didn't figure out that a "NULL" license plate would get him identified as every car breaking laws with a missing license plate. I wonder if he changed his name to John Doe too.

    • (Score: 2) by MostCynical on Saturday August 17 2019, @12:26AM

      by MostCynical (2589) on Saturday August 17 2019, @12:26AM (#881363) Journal

      Isn't John Doe dead?

      --
      "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
  • (Score: 0) by Anonymous Coward on Saturday August 17 2019, @12:32AM (1 child)

    by Anonymous Coward on Saturday August 17 2019, @12:32AM (#881367)

    77nu

    • (Score: 1, Funny) by Anonymous Coward on Saturday August 17 2019, @02:44AM

      by Anonymous Coward on Saturday August 17 2019, @02:44AM (#881404)

      OU812
