• This is a political forum that is non-biased/non-partisan and treats every person's position on topics equally. This debate forum is not aligned to any political party. In today's politics, many ideas are split between and even within all the political parties. Often we find ourselves agreeing on one platform but some topics break our mold. We are here to discuss them in a civil political debate. If this is your first visit to our political forums, be sure to check out the RULES. Registering for debate politics is necessary before posting. Register today to participate - it's free!

How a 'NULL' License Plate Landed One Hacker in Ticket Hell

Redress

Redress

Liberal Fascist For Life!
DP Veteran
Joined
Mar 5, 2008
Messages
112,982
Reaction score
60,535
Location
Sarasota Fla
Gender
Undisclosed
Political Leaning
Undisclosed
How a '''NULL''' License Plate Landed One Hacker in Ticket Hell | WIRED

In late 2016, Tartaro decided to get a vanity license plate. A security researcher by trade, he ticked down possibilities that related to his work: SEGFAULT, maybe, or something to do with vulnerabilities. Sifting through his options, he started typing “null pointer,” but caught himself after the first word: NULL. Funny. “The idea was I’d get VOID for my wife’s car, so our driveway would be NULL and VOID,” Tartaro says.

The joke had layers, though. As Tartaro well knew, and as he explained in a recent talk at the Defcon hacker conference, “null” is also a text string that in many programming languages signifies a value that is empty or undefined. To many computers, null is the void.

...

Then came the citations. Dozens of them, deposited in bulk to his mailbox. Parking violations, stand-stop violations, fines of $37, $60, $74, $80, from Fresno to Rancho Cucamonga. “I’ve never been to Fresno,” Tartaro says of the California city.

Nor had Tartaro gone on a statewide, parking-related crime spree. Instead, by paying that $35 ticket, it appears that a database somewhere now associated NULL with his personal information. Which means that any time a traffic cop forgot to fill in the license plate number on a citation, the fine automatically got sent to Joseph Tartaro.
Click to expand...

Dude ended up with over $12,000 worth of traffic fines as a result of his cutesy joke.
 
Redress said:
Dude ended up with over $12,000 worth of traffic fines as a result of his cutesy joke.
Click to expand...
I'm somewhat surprised this did cause such a problem and especially by the suggesting in the article that it's getting worse, even allowing for the "minimum viable product" reasoning. I've always found modern systems will implicitly handle the difference between NULL and "Null" and have only seen issues with older ones. That said, it's not something I've seen commonly tested for either.

I guess we should always spare a thought for little Bobby Tables too. :cool:
 
HonestJoe said:
I've always found modern systems will implicitly handle the difference between NULL and "Null" and have only seen issues with older ones. That said, it's not something I've seen commonly tested for either.
Click to expand...

This is the DMV we’re talking about. I wouldn’t find it at all surprising if the system was case insensitive.
 
Gaius46 said:
This is the DMV we’re talking about. I wouldn’t find it at all surprising if the system was case insensitive.
Click to expand...
It isn’t about case. Null is a special symbol meaning the field is empty and any half-decent modern system should be able to differentiate between an empty field and a field containing the word “Null”. I’m not entirely surprised it happened but surprised at the suggestion it’s an especially widespread and even growing issue.
 
HonestJoe said:
It isn’t about case. Null is a special symbol meaning the field is empty and any half-decent modern system should be able to differentiate between an empty field and a field containing the word “Null”. I’m not entirely surprised it happened but surprised at the suggestion it’s an especially widespread and even growing issue.
Click to expand...

So isn’t null normally internally represented as a 0 or maybe \0 and not as a character string?

Representing a null entity by a character string that says “null” seems dubious at best though I admit I haven’t written a line of code since since becoming a pencil pusher over a decade ago.
 
Gaius46 said:
So isn’t null normally internally represented as a 0 or maybe \0 and not as a character string?

Representing a null entity by a character string that says “null” seems dubious at best though I admit I haven’t written a line of code since since becoming a pencil pusher over a decade ago.
Click to expand...
Yes, the problem is probably around how the code handles null values from the database.
 
You must log in or register to reply here.
Back
Top Bottom