A Californian tried to use his vanity license plate to get out of paying for parking tickets. He chose the license plate NULL in the belief that when his ticket was entered into the database, it would end up in some computer dustbin and he would not get the bill. It did not quite work out that way.
It’s the story of a security researcher known as Droogie, who presented his experience at the recent DEF CON conference in Las Vegas. Droogie decided his new vanity plate should read “NULL.”
…Droogie’s hope was that the new plate would exploit California’s DMV ticketing system in a similar manner to the classic xkcd “Bobby Tables” cartoon. With any luck, the DMV’s ticket database would see “NULL” and consign any of his tickets to the void. Unfortunately, the exact opposite happened.
First, Droogie got a parking ticket, incurred for an actual parking infraction—so much for being invisible. Then, once a particular database of outstanding tickets had associated the license plate NULL with his address, it sent him every other ticket that lacked a real plate. The total came to $12,049 worth of tickets.
…Although the initial $12,000-worth of fines were removed, the private company that administers the database didn’t fix the issue and new NULL tickets are still showing up.
Lesson: Don’t try to outsmart the DMV.
cartomancer says
That’s pretty much exactly the same trick Odysseus used to stop the cyclops Polyphemus summoning aid when he was blinded (Odyssey, bk.9). He said his name was “nobody” (outis), and when Polyphemus shouted for help, the other cyclopes asked who was hurting him, and he could only say “nobody”, which made them all leave in puzzlement.
Maybe cyclopes run on the same software as the DMV?
Peter Butler says
“…the private company that administers the database didn’t fix the issue and new NULL tickets are still showing up.”
The problem: In band signaling.
robertbaden says
Not thinking “how could this go wrong?”
Jenora Feuer says
@robertbaden:
And, really, the first question any computer security researcher should be familiar with is ‘how could this go wrong?’; that’s really the foundation for the discipline. (The foundation for any sort of security design. There’s a reason why ‘set a thief to catch a thief’ is a thing: to be able to verify a solid security system, you have to understand the ways in which such systems can be broken.)
Unfortunately, it appears he was only thinking ‘how could this go wrong in my favour’, and failed to consider that it could also go wrong in other ways.
Matt G says
Well there’s one thing he certainly wasn’t thinking: should I obey the law?
Trickster Goddess says
Mano — do you have a link to the source of that anecdote?
file thirteen says
@Matt G #5
He wasn’t breaking any laws, or did I miss something?
flex says
@file thirteen, #7.
The system made the connection between his address and “NULL” when he got a parking ticket. Which is technically breaking the law.
However, there are only a few possibilities as to why he chose a license plate with “NULL”. He could have thought it was a neat idea, and didn’t consider what a second possible outcome might be. Or he regularly gets parking tickets (or speeding tickets) and thought he would be able to avoid them by getting a novelty plate.
While I incline toward the first possibility, the second is not out of the realm of possibility. Which would mean that he knows that he breaks the traffic laws on a regular basis and is attempting to personally avoid enforcement of such laws. Which he could also avoid just by not breaking the law.
Owlmirror says
[search for [droogie null] ]
The original source of the story appears to be Mashable, with images of screenshots of the system not allowing him to renew his tabs, and the megabucks of NULL parking tickets.
I’m kinda baffled that there really is a system out there that considers the NULL value and the actual string “NULL” (ASCII characters 0x4e 0x55 0x4c 0x4c, either terminated by an ASCII null (0x00), or having a string length) as being equivalent.
Owlmirror says
As the article says, Droogie claims that during the first year, he had no tickets, and only hit a problem trying to renew the plate.
He says that he got one legit parking ticket after that, and that’s when the system associated his license plate (“NULL”) with all the cars ticketed with no plate recorded (NULL, in the system).
Owlmirror says
As pointed out elsewhere, there’s an XKCD perhaps more relevant than the one about Bobby SQL Injection, linked in the OP.
Owlmirror says
Original presentation at DEF CON:
robertbaden says
Jenora Feuer
I worked in design verification before I retired. Where the question was “how can this system fail catastrophically?”
Owlmirror says
FFS. A string of “Null” should not be the same as a null string, you kludgemeisters!
https://stackoverflow.com/questions/4456438/how-to-pass-null-a-real-surname-to-a-soap-web-service-in-actionscript-3
Mano Singham says
Trickster Goddess @#6,
I had not noticed that I had completely omitted the link to the source! I have done so now. Thanks!
Owlmirror says
Additional points:
https://www.wired.com/story/null-license-plate-landed-one-hacker-ticket-hell/
file thirteen says
Owlmirror, agree totally, what sort of insane program treats ‘NULL’ as a null string?
Jenora Feuer says
@Owlmirror, file thirteen:
A program that has to deal with the output from another badly written program that prints NULL and ‘NULL’ as the same thing.
In other words, treating ‘NULL’ as a null string was probably the response in locally written code to dealing with some old bespoke program they can’t necessarily modify that didn’t make the difference obvious in its output. It may have seemed the simplest approach at the time rather than trying to get whoever had written the first program to fix it.
(I’ve dealt with customers who tried to get a bespoke POS system modified, and were told ‘The person who wrote that isn’t here anymore, and nobody knows it… give us $10,000 and we’ll look into it.’ Not do anything, $10K before they’d even bother investigating how much effort would be required. Granted, that was how we got a customer, as we figured out a way to make the bespoke software happy from the other end…)
Jenora Feuer says
Just to add, I obviously have no idea what’s actually going on; I was just trying to come up with a situation where treating ‘NULL’ as a null string in an application would be the least disruptive possibility available to the programmer.
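The scenario guessed at in the comments above (in-band signaling between two programs), as an added Python sketch that is not from the post and does not describe the real ticketing system, whose internals are unknown. The ticket rows, owner table and function names are constructed for illustration; the sketch contrasts an export that writes a missing plate as the text NULL with one that carries "no plate recorded" in a separate column.

```python
import csv
import io

# Constructed sample data: (ticket_id, plate); None means no plate was recorded.
# Ticket 3 is for a car whose plate really reads NULL.
TICKETS = [(1, None), (2, "7ABC123"), (3, "NULL"), (4, None)]
OWNERS = {"NULL": "owner of the vanity plate", "7ABC123": "another driver"}


def legacy_export(rows):
    """In-band export: a missing plate is written as the text NULL."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    for tid, plate in rows:
        writer.writerow([tid, "NULL" if plate is None else plate])
    return buf.getvalue()


def flagged_export(rows):
    """Out-of-band export: a separate column says whether a plate was recorded."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    for tid, plate in rows:
        writer.writerow([tid, 0 if plate is None else 1, plate or ""])
    return buf.getvalue()


def bill_from_legacy(text):
    """The importer cannot tell the two cases apart, so every NULL row is billed."""
    billed = {}
    for tid, plate in csv.reader(io.StringIO(text)):
        if plate in OWNERS:
            billed.setdefault(OWNERS[plate], []).append(int(tid))
    return billed


def bill_from_flagged(text):
    """The importer skips rows flagged as having no plate before any lookup."""
    billed = {}
    for tid, has_plate, plate in csv.reader(io.StringIO(text)):
        if has_plate == "1" and plate in OWNERS:
            billed.setdefault(OWNERS[plate], []).append(int(tid))
    return billed
```

With the in-band export, tickets 1 and 4 (no plate recorded) land on the holder of the plate NULL alongside the genuine ticket 3; with the flag column only ticket 3 does.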
mailliw says
Nulls are highly problematic.
Predicate logic and almost all computer languages have only two truth values; true and false. Null introduces a third truth value. I am not a mathematician and I do understand that n-truth value systems are perfectly legitimate mathematical constructs. I am, however, very firmly convinced that they are unnecessary in data management and introduce unnecessary complexity.
The vast majority of programming languages have
if (true)… else (false)
There is no construct for a third truth value -- “unknown” which is what null means.
SQL the ubiquitous (and deeply flawed) language for databases attempts to implement three value logic, but gets it wrong.
Is there a customer with the name “Singham” in the database? If there is we get the set of customers with the name Singham (true). If there are none we get an empty set (false).
In SQL if there are customers with a null name and no customers with the name “Singham” we still get the empty set, which is the wrong answer! The correct answer is that we do not know if there is a customer with the name Singham in the database, as the customer with the null name, may or may not have the name Singham.
In two truth value logic, what you don’t know doesn’t exist. This is much easier to understand and to work with.
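The query behaviour described in the comment above, as an added example using Python's built-in sqlite3 module (not code from the post or its commenters). The table, the sample names and the helper `has_customer` are constructed for illustration; the helper reports "unknown" as `None` when a NULL name leaves the question open.

```python
import sqlite3


def make_db(names):
    """Build an in-memory customer table from constructed sample names."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO customer (name) VALUES (?)", [(n,) for n in names])
    return conn


def naive_matches(conn, name):
    """The usual query: rows where the comparison yields NULL are dropped."""
    return conn.execute("SELECT id FROM customer WHERE name = ?", (name,)).fetchall()


def has_customer(conn, name):
    """Three-valued answer: True, False, or None when a NULL name leaves it open."""
    known, unknown = conn.execute(
        "SELECT COALESCE(SUM(name = ?), 0), COALESCE(SUM(name IS NULL), 0) "
        "FROM customer",
        (name,),
    ).fetchone()
    if known:
        return True
    return None if unknown else False


def null_comparison(conn, name):
    """Comparing NULL with any value is itself NULL, returned here as None."""
    return conn.execute("SELECT NULL = ?", (name,)).fetchone()[0]
```

A row whose name is the four-character text NULL is an ordinary known value here; only a real SQL NULL produces the "unknown" answer.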