date 2016-08-19
from the null-not-
Forbes reports that a security researcher in California registered the vanity plate "NULL," partly for fun and partly in the hope that this would spoof the system into returning errors whenever his plate was seen.
Instead he received more than $12,000 in fines, as his plate became a dumping ground for erroneous data records.
Every single speeding ticket for which no valid license plate could be found was assigned to his car. The Los Angeles Police Department eventually scrapped the tickets but advised the man to change his plates, or the same problem would continue to occur. In response, the man has apparently said: "No, I didn't do anything wrong," insisting to his Def Con audience that, whatever happens, "I won't pay those tickets."
(Score: 2, Disagree) by All Your Lawn Are Belong To Us on Friday August 16, @05:16PM (19 children)
"...except try to evade the system intentionally." If it was purely for fun I hope he's having fun yet. But if it was "partly in the hope that it spoofed the system," and he said that, then he has already admitted intent to obstruct justice and thus is fairly lucky he isn't charged with that as a crime. (Though IANAL and I wouldn't want to be the prosecutor for that). Mens rea means a lot and admitting you have intents is about the stupidest thing you can do, right up there with admitting you might be a little buzzed after only one beer but safe to drive after being pulled over.
Should he have to pay the parking tickets? Obviously not. But instead I'm betting that the regulations creating license plates would allow the state to revoke that specific plate and provide him with another at their discretion. That's what should happen instead.
Down with cars, up with horses! MAKE AMERICA UNGULATE AGAIN!
(Score: 2) by JoeMerchant on Friday August 16, @05:20PM (3 children)
This is kind of in-line with the DMCA: if you're trying to break something, that makes the activity illegal. Not that I love the DMCA or anything, but that's how it works. No matter how lame and easily broken the system is...
So, now that we all know, the easy thing for the state(s) to do is register the NULL plate themselves, so cranksters like this can't get it.
(Score: 2, Disagree) by All Your Lawn Are Belong To Us on Friday August 16, @05:59PM (2 children)
It's not just the DMCA. Doing something that subverts justice has been the crime of obstruction of justice since LONG before the DMCA. And I fail to see how intentionally trying to do something that would get one out of earned violations is not a subversion of justice.
My understanding of DMCA is that there are specific exemptions [the-parallax.com] if one's purpose is lawful, although I'm willing to be corrected about that. Such exemptions don't have to be there, although I know the DMCA is used as the equivalent of a SLAPP club sometimes also. But if I go out and announce, "Hey, I just broke the encryption of X for the Lulz and so I could help the haxxors everywhere!" then I wouldn't expect too much sympathy as a safe harbor there. So maybe it is similar.
I'm not positive that in obstruction that knowledge of intent even matters, but announcing that one has intent makes that point moot anyway.
Down with cars, up with horses! MAKE AMERICA UNGULATE AGAIN!
(Score: 4, Insightful) by AthanasiusKircher on Saturday August 17, @02:40AM
I agree with you that the DMCA has nothing to do with this, and obstruction has been around for a long time. But, I think your definition of "obstruction" is far too broad. If I know police officers tend to patrol for speeders on 3 out of 4 roads I could take home, and I take the 1 out of 4 home that I think is likely NOT to have a cop and I speed, then I am guilty of the crime of speeding. I am NOT guilty of "obstruction of justice" by exploiting a potential hole in the enforcement system. Similarly, if the state offers a number of custom license plate designs, and the one of the American flag on it seems more patriotic to me, and I think cops are less likely to pull over someone who seems patriotic (and even if that is TRUE), requesting such a license plate to potentially get out of a ticket is NOT "obstruction of justice."
Nor, then, is choosing one license plate set of letters out of tens of thousands or whatever that I think may be less likely to incur tickets for whatever reason, whether it's "NULL" or "LOVECOPS" or whatever.
Obstruction is a serious crime. If this guy hacked into a police database and stole records of his violations or himself changed the code that processed them, obviously he may be guilty. But he did not. If he custom-designed a license plate in an illegal fashion (i.e., manufactured his own) that had some sort of weird property that wouldn't let police scan it properly, then yes, I suppose he might be "obstructing justice" (though even that's a pretty broad reading of the term -- he'd more likely be charged with whatever crime it is to falsify plates or whatever).
But he did none of this. He requested a plate and was granted a plate by the state. It was an official license plate. Just because he chose an option that he believes is less likely to be enforced is NOT in itself "obstruction of justice." Is it moral/ethical for him to do this? I would say "no" unless he was trying to prove a point and then report said element to authorities. But he was NOT "obstructing" justice according to any definition I'm familiar with. (Caveat: IANAL.) Of course, if his license plate got him out of any tickets for violations, once the flaw was recognized, he would (and should) be liable for any unpaid fines, etc.
If anything, what I think you're getting at is a type of evasion [wikipedia.org] of the law. For various topics in the law (taxes, contracts, etc. varying by municipality), evasion can be criminalized. That is -- situations where you apparently adhere to the law, but deliberately do something that also tries to get you out of compliance. I am not aware of any evasion laws that would apply to routine traffic violations. Otherwise, states could charge people with police radar detectors with "obstruction of justice" when they find them. But they can't. Instead, states had to pass separate statutes to criminalize possession and/or use of them.
(Score: 2) by AthanasiusKircher on Saturday August 17, @03:01AM
Also, after reading both articles linked in the summary, I see no clear intent to get out of tickets. Instead, it's a story about someone who is supposedly a "security researcher" who wanted to "test" the system and see what happened. According to TFA, he didn't know if he'd be "invisible" with this license plate, or whether the system would pop up errors, or what would happen.
Now, maybe he's lying, and he did in fact hope to avoid fines. And he only reported about it because it turned out differently. So maybe he's lying about his intent. But at no point in TFA do I see him saying, "I did this because I wanted to get out of tickets." He's a guy who is interested in security and wanted to see what would happen. So I don't even think he satisfies your condition of admitting wrongdoing -- he just admits that he thought it was possible the system would treat his plate in a non-standard way. Perhaps it would throw up errors during processing, which would cause police to fix the system. Perhaps the errors would bring more trouble to him (which they did). He didn't know.
IF we have proof that he DID know the database was exploitable in a way that could allow him to avoid paying fines with his NULL plate, maybe we could find him guilty of something else. But he didn't know that, and he didn't even admit that's what he was trying to do.
(Score: 4, Interesting) by LaminatorX on Friday August 16, @05:28PM (4 children)
One hopes that they might also open a defect ticket with their plate-cam vendor, because there's clearly a need for a parameterized query or the like in there somewhere.
Banjo - Fiddle - Tolkien: The Lonely Mountain String Band. lmsb.me [lmsb.me]
(Score: 2) by Gaaark on Friday August 16, @06:38PM (2 children)
YOU LIED! There is NO Tolkien!
*cries*
--- That's not flying: that's... falling... with more luck than I have. ---
(Score: 2) by LaminatorX on Friday August 16, @08:45PM (1 child)
You have to catch us live for that. The estate is no longer issuing licenses for music publication.
Banjo - Fiddle - Tolkien: The Lonely Mountain String Band. lmsb.me [lmsb.me]
(Score: 2) by Gaaark on Friday August 16, @09:00PM
Damn...got any torrents? ;)
--- That's not flying: that's... falling... with more luck than I have. ---
(Score: 1) by NPC-131072 on Friday August 16, @07:11PM
You may already be giving them too much credit.
(Score: 4, Insightful) by Mer on Friday August 16, @07:32PM (2 children)
Boohoo, shifting the blame for a shitty system. The place that authorizes vanity plates gave him the green light but would have said no for a bunch of reasons.
The police are scrapping the tickets because they are in the wrong. There's no law against fucking with this particular ticket system, and god knows unless you have a law specifically forbidding fucking with the rules people are gonna fuck with them (ie: taxes).
The correct reaction isn't "you should change your plates" (that he already paid for) but "we'll fix our system".
(Score: 2) by All Your Lawn Are Belong To Us on Friday August 16, @08:01PM (1 child)
No, the correct reaction is, "we'll take your plates away and give you different ones at no charge."
And yes. Fuck with taxes and you get your ass in trouble. You couldn't have picked a better example of rules that if you declare you're trying to break the law you draw yourself an audit. Better yet: OK, just don't pay them and then we'll see what happens down the road.
Down with cars, up with horses! MAKE AMERICA UNGULATE AGAIN!
(Score: 2) by Mer on Saturday August 17, @10:00AM
Sure, and the Dutch sandwich is used by Apple, Google, Facebook, Oracle, Airbnb, Microsoft and Yahoo because they have important business in Amsterdam. Not because they try to skirt around the law.
You make computer systems to make life easier, system limitations are not a valid reason to make new rules. Especially not when the exploit in question isn't an advanced hack but just unsanitized inputs.
(Score: 2) by Arik on Friday August 16, @07:41PM (3 children)
The original contractor should be forced to fix it at no additional cost.
Quit blaming the messenger.
"The *other* sort of Marxist."
(Score: 2) by All Your Lawn Are Belong To Us on Friday August 16, @07:59PM (2 children)
If the messenger is intentionally trying to get away with something then yes the messenger is to blame for trying to get away with something. If the messenger was simply saying, "Yeah I'm a computer geek and a NULL license plate expresses my philosophy," then no problem. "I'm just taking advantage of the system," is dishonorable claptrap.
Down with cars, up with horses! MAKE AMERICA UNGULATE AGAIN!
(Score: 3, Insightful) by Arik on Friday August 16, @08:08PM (1 child)
If the system is broken, the only way to draw attention to that fact may be to take advantage of it.
It sounds like this is costing him far more than it's worth, if he were trying to avoid trouble rather than bring attention to an amazingly brain dead system that's been put in a position to control the citizenry.
"The *other* sort of Marxist."
(Score: 2) by All Your Lawn Are Belong To Us on Friday August 16, @10:33PM
I might well be, and that may well be the reason he isn't being charged with anything.
The Guardian article didn't clarify much since it was about confusing identity systems in general and I do not click on Forbes articles anymore. Maybe Forbes added some depth to it and/or I'm reading into it. But even though I don't agree with speed / red light cameras and think the surveillance state is wrong that does not justify causing havoc. Screw with the system, don't be surprised the system screws with you. It strikes me that he got the right level of being messed with back at him. He tried to waste others' time and instead found himself being unintentionally hassled, yet did not have to pay the fines but if he continues to act that way he'll keep getting dinged. "Doctor, it hurts when I go like that.... well, don't go like that then."
Down with cars, up with horses! MAKE AMERICA UNGULATE AGAIN!
(Score: 1) by khallow on Saturday August 17, @04:32AM (1 child)
IF.
Or they could fix their system. It's insane that this is even a thing.
(Score: 2) by edIII on Saturday August 17, @10:22PM
Even with intent, the guilty party for the actual obstruction are the software vendors. He was doing this in the hope that a software vendor wasn't sanitizing, or properly handling their inputs. When the user (most likely an officer) attempts to run the plate, they would be met with an input error, or some other kind of system error. This is still not the plate owner causing anything, and their possession of an approved license plate NULL is within their rights. If an officer is unable to use software because the software vendor couldn't adequately handle license plates, that's on the government and software vendor entirely.
If the government isn't restricting a set of bare keywords from usage as a license plate, then they need to ensure they can support that data type. It's insane that they couldn't too. This would've had to be stored as a CHAR field, or VARCHAR at worst, and any proper input validation would've allowed the license plate field to be searchable for the string 'NULL'. The only thing crazier about this situation is that the record holding 'NULL' in the license plate field is found when using license_plate = NULL. That's what happened if unknown license plates are collecting against his "Null record". Implemented properly his license plate record couldn't possibly be associated with null inputs.
This was somebody being cheeky that didn't realize they were severely underestimating the stupidity of government, or that government doesn't often react well to showing them their systems are faulty. They tend to punish the messenger.
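An added illustration of the conflation described in the comment above; it is not part of any comment and is not the ticketing vendor's code. The schema, the sample camera reads and the step that flattens a missing plate into the text "NULL" are all assumptions made for the example.

```python
import sqlite3

# Constructed sample reads: (plate, fine). None means no plate could be read.
READS = [("7ABC123", 65), (None, 80), ("NULL", 40), (None, 120)]

def setup():
    """Hypothetical schema: registered vehicles and issued tickets."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE vehicles (plate TEXT PRIMARY KEY, owner TEXT)")
    db.execute("CREATE TABLE tickets (plate TEXT, fine INTEGER)")
    db.executemany("INSERT INTO vehicles VALUES (?, ?)",
                   [("7ABC123", "alice"), ("NULL", "researcher")])
    return db

def ingest_flawed(db, reads):
    # Assumed flaw: an export/formatting step writes a missing value as the
    # four-character text "NULL", which is also a legitimate plate.
    for plate, fine in reads:
        text = "NULL" if plate is None else plate
        db.execute("INSERT INTO tickets VALUES (?, ?)", (text, fine))

def ingest_correct(db, reads):
    # Bound parameters keep the two apart: None is stored as SQL NULL,
    # while the string 'NULL' stays an ordinary TEXT value.
    db.executemany("INSERT INTO tickets VALUES (?, ?)", reads)

def fines_owed(db, owner):
    # The join uses '=', which never matches SQL NULL on either side.
    return db.execute(
        "SELECT COALESCE(SUM(t.fine), 0) FROM tickets t "
        "JOIN vehicles v ON v.plate = t.plate WHERE v.owner = ?",
        (owner,)).fetchone()[0]

def unmatched(db):
    # Tickets with no plate must be found with IS NULL.
    return db.execute(
        "SELECT COUNT(*) FROM tickets WHERE plate IS NULL").fetchone()[0]

def eq_null_matches(db):
    # 'plate = NULL' evaluates to unknown for every row, so it selects nothing.
    return db.execute(
        "SELECT COUNT(*) FROM tickets WHERE plate = NULL").fetchone()[0]

if __name__ == "__main__":
    for name, ingest in (("flawed", ingest_flawed), ("correct", ingest_correct)):
        db = setup()
        ingest(db, READS)
        print(name, "researcher owes", fines_owed(db, "researcher"),
              "| unmatched tickets:", unmatched(db),
              "| rows where plate = NULL:", eq_null_matches(db))
```

With the flattening step, the unreadable-plate tickets land on the owner of the plate 'NULL'; with bound parameters they stay unmatched and only the ticket actually issued to that plate is joined to its owner.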
(Score: 2) by hwertz on Saturday August 17, @07:06AM
I don't think intent matters personally -- if the system permits him to get a NULL plate, and it jacks up their systems, as far as I am concerned it is 100% their problem, not his.
(Score: 4, Insightful) by LaminatorX on Friday August 16, @05:16PM (2 children)
Banjo - Fiddle - Tolkien: The Lonely Mountain String Band. lmsb.me [lmsb.me]
(Score: 0) by Anonymous Coward on Friday August 16, @07:56PM (1 child)
And people questioned me when I named the record table NIGGERS.
(Score: 2) by coolgopher on Saturday August 17, @02:57AM
Offensive and clever. Well played, sir troll!
(Score: 4, Funny) by krishnoid on Friday August 16, @05:20PM
I think we could use both a short version and a more nuanced white nerd version of items three and onward from this video [youtube.com]. I mean, he didn't do anything wrong, but ...
(Score: 0) by Anonymous Coward on Friday August 16, @05:23PM
I blame windows.
(Score: 2) by stretch611 on Friday August 16, @06:37PM (1 child)
He can now park wherever he wants. Until they find a way to determine which ones are legit, he has an excuse to avoid all tickets.
Of course, most tickets have a form field for make, model, and year of a car...
He probably should not be allowed to get the ones that accurately describe his car thrown out. (even with the initial 12,000)
M.R.W.A. - Make Racism Wrong Again
(Score: 2) by krishnoid on Friday August 16, @08:07PM
Don't forget VIN, if viewable through the window.
(Score: 4, Insightful) by Spamalope on Friday August 16, @07:09PM
The problem is their system, so they make the problem the responsibility of the victim.
And getting a 'Null' plate as political protest is not 'trying to get away with something' it's protesting the pervasive surveillance and taxation.
(Score: 2) by Phoenix666 on Friday August 16, @07:44PM (1 child)
Funnier would be
'); drop database dmv;
Washington DC delenda est.
(Score: 2) by LaminatorX on Friday August 16, @08:50PM
Too long, even for a CA plate, as is "ROLLBACK: sadly.
"END GO" otoh...
Banjo - Fiddle - Tolkien: The Lonely Mountain String Band. lmsb.me [lmsb.me]
(Score: 1) by jurov on Friday August 16, @08:07PM (1 child)
Not long ago, the mentality in the IT industry was the same: "crashes are blamed on operator by default", as exemplified by UNIX gets() call.
(explanation: gets() reads a line into a buffer, with no checks whatsoever, if the input is longer than buffer it blithely overwrites memory past the buffer. Today it is still found in *all* operating systems, just marked deprecated.)
(Score: 3, Informative) by jb on Saturday August 17, @07:14AM
gets(3) is specified by the C standard (every one, all the way back to C89) -- not by POSIX or its predecessors -- so it hardly seems fair to blame Unix...
(Score: 4, Informative) by legont on Friday August 16, @08:24PM (1 child)
Here is a better summary of what happened https://www.wired.com/story/null-license-plate-landed-one-hacker-ticket-hell/?verso=true [wired.com]
First of all, he paid the first ticket he got, figuring it is easier to pay than to fight for one's innocence. That's what all the lawyers usually prescribe as well. This decision unleashed hell, as the system now associated his admission of guilt with NULL.
Second, mentioned in the article, most of the software nowadays (and I am pushed over there at the office) is built on the principle of the 'minimum viable product' concept. The errors here are by design.
Third, possibly recognizing it, DMV is enforcing at least some of the tickets he got. They probably recognize that he "deserved" it and likely violates the rules all the time.
Technosphere is building its strength.
"Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
(Score: 4, Informative) by coolgopher on Saturday August 17, @03:00AM
Clearly he should've used DEVNULL if he wanted to avoid paying fines ;)
(Or if there are any Windows users reading SN, plain ol' NUL)
(Score: -1, Troll) by Anonymous Coward on Friday August 16, @11:44PM (1 child)
Another name for "a security researcher" is "a bank robber" and/or "this is windows calling". Apparently "a security researcher" didn't figure out that a "NULL" license plate would get him identified as every car breaking laws with a missing license plate. I wonder if he changed his name to John Doe too.
(Score: 2) by MostCynical on Saturday August 17, @12:26AM
Isn't John Doe dead?
tau = 300. Greek circles must have been weird.
(Score: 0) by Anonymous Coward on Saturday August 17, @12:32AM (1 child)
77nu
(Score: 1, Funny) by Anonymous Coward on Saturday August 17, @02:44AM
OU812