NULL license plate not such a bright idea
I read years ago in comp.risks about a similar story. A guy in 1979(!) requested a personalized plate "SAILING", with second choice "BOATING". He didn't want a customized plate if he couldn't get those, so for his third choice he put down "NO PLATE". Of course, he ended up with "NO PLATE". He ended up getting 2500 parking tickets, since cars with no plate had "NO PLATE" written on the ticket.
References: http://www.mekabay.com/overviews/risks/risks03_1986_06-04-19...
A colleague used an app's "generate secure password" feature to change their ISP's web portal login - which then also became the WAN router's password - which they didn't realise.
It was about a week before the router dropped its connection and needed to re-authenticate - and that's when I was called in to investigate the loss of connectivity - which Windows 10 very unhelpfully reported as the network cable disconnected and was resetting or power-saving on the NIC so the "link active" LED on the switch was going out for about 2 secs every 10 sec. Cue a round of cable and switch swapping to no benefit. The LEDs for all other devices on the switch (running Linux and mostly internal servers) were behaving normally.
I finally backtraced to the router and a useful error message. We put two-and-two together and my colleague called up the auto-saved details in their password manager; it was long, and ALL non-alphanumeric characters - starting with a backtick, which the router would not accept. I tethered my phone to my laptop and tried to log in to the Web account portal - which would NOT accept the passphrase. I tried it without the backtick "just in case" - nope.
We had to do a "lost password" reset on the portal... and wait for the email with link.
Lessons learned:
The ISP's password change page did not seem to validate input, but the login page did.
Avoid backticks in passwords.
When I was a foolhardy college student I figured out that if the cited vehicle make on my city parking ticket didn’t match my registration, I could appeal the ticket via a web form very easily and succeed every time.
Naturally I removed the badges from my car and put on different badges from another manufacturer. After a while they started to cite me as “other” and the trick no longer worked.
I own a rare collector car with a three-digit VIN. This has caused endless hassles at the DMV as well as the insurance office. Sometimes we find success by prepending the necessary number of zeros, before the VIN. Other instances in the same system require appending zeros after the VIN. The true VIN has a hyphen but that never makes it into the DMV's system. One time I got stuck in a particularly nasty loop where the DMV mailed over thirty notices claiming the register would expire on 01/01/0000.
Tangentially related somewhat-common bug: YAML files will interpret the literal 'no' as boolean false if it's not quoted, instead of as a string.
Many developers have wondered why, when they stuck country-specific configurations in a YAML file, things suddenly stopped working when they expanded support for Norway.
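A way to catch the Norway case before it ships, as an added example that is not part of the original comment: a small linter that flags unquoted scalars matching the YAML 1.1 boolean spellings. The sample config, the `lint` and `plain_scalars` names are assumptions, and the scanner only handles block-style mappings and lists.

```python
import re

# YAML 1.1 implicit boolean spellings other than true/false. Under the
# YAML 1.1 bool type an unquoted scalar matching one of these is a boolean
# (individual parsers may implement only a subset of the list).
AMBIGUOUS_BOOL = re.compile(r"^(?:y|Y|yes|Yes|YES|n|N|no|No|NO|on|On|ON|off|Off|OFF)$")

# Constructed sample config (not from the thread).
SAMPLE = """\
# shipping configuration
shipping_enabled: true
countries:
  - se
  - no
  - "no"
  - dk
names:
  no: Norway
  se: Sweden
"""

def plain_scalars(line):
    """Return the unquoted key / value / list-item scalars on one block-style line."""
    text = line.split(" #", 1)[0].strip()      # drop a trailing comment
    if not text or text.startswith("#"):
        return []
    while text.startswith("- "):               # strip list item marker(s)
        text = text[2:].strip()
    parts = [text[:-1]] if text.endswith(":") else text.split(": ", 1)
    # Quoted scalars are always strings, so they are skipped.
    return [p.strip() for p in parts if p.strip() and p.strip()[0] not in "'\""]

def lint(yaml_text):
    """List (line_number, scalar) pairs that YAML 1.1 would resolve to a boolean."""
    findings = []
    for number, line in enumerate(yaml_text.splitlines(), start=1):
        for scalar in plain_scalars(line):
            if AMBIGUOUS_BOOL.match(scalar):
                findings.append((number, scalar))
    return findings

if __name__ == "__main__":
    for number, scalar in lint(SAMPLE):
        print(f"line {number}: unquoted {scalar!r} resolves to a boolean; quote it")
```

Note that the mapping key `no:` is flagged as well as the list item: a key coerced to a boolean silently breaks lookups by country code.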
Reminds me of the story of Ireland's worst Polish driver who never got caught: http://news.bbc.co.uk/2/hi/uk_news/northern_ireland/7899171....
I have a family member whose license plate started with "&". The DMV accepts it, plates were ordered online fine, but police systems can't handle it apparently, to my family member's ultimate discomfort. I commonly joke it probably gets the individual out of automated tickets for speeding and red lights, but when an officer pulls them over we sometimes need to explain that the "&" is dropped in the system (or so we've been told) and that seems to clear up issues.
I love when people double down out of principle, when the only person getting hurt is themselves.
He refuses to change it because he did nothing wrong...sure, but you are also the only one being hurt by it. Is this really the hill to die on?
There was a similar issue in California where, in the days before on-line choosing of vanity plates, you would give three choices. One guy couldn't come up with a third option so he wrote "NO PLATE" and ended up with that as his plate with similar results. Snopes has the story:
Earlier this summer I decided that I'd found a loophole and ordered 'N0 TAG' and 'N0NE' (zeros) for my motorcycles. The license plate font doesn't distinguish between 0 and O but the computers seem to account for visually similar characters -- I could not order the same plates with Os after they'd issued.
Haven't caught anyone else's tickets so far. SunPass won't accept 'N0 TAG' being associated with my transponder tho (have not tried 'N0NE' yet).
I did get pulled over on my very first ride with 'N0 TAG' and the first words out of the cop's mouth were 'Is that tag legit?' That may or may not have been a factor in catching a warning instead of a ticket that I absolutely earned.
Related, for those who missed it the last time it was here on HN, the tales of Christopher Null, who has an unfortunate surname: https://www.wired.com/2015/11/null/, and Jennifer Null, http://www.bbc.com/future/story/20160325-the-names-that-brea..., likewise.
I once had a product owner for a student/university web app who complained that for a particular user, their lastname was displayed as 'None'.
This was a Python project and the product owner apparently already had learned 'None' equals NULL.
I dug into the file which we used to import the users from and discovered the user's lastname actually was 'None'.
Years ago (in the late 90's or early aughts) when ordering vanity plates online became a thing, I got approved for the plate "127.0.0.1". This was a California or NC plate - can't remember as I lived in both states. I checked the mailbox excitedly every day like Ralphie from A Christmas Story for my uber cool plate. When I finally did get something from the DMV, it was too small to be a license plate and was simply a note that said "Sorry, your requested plate conflicts with a motorcycle plate, so we have to deny your request." Huge bummer, but I guess 127.0.0.1 becomes 127001 in their systems.
Could someone devise a SQL injection attack using a custom-made license plate? I'm imagining someone printing up
    x'; DROP TABLE drivers; --
on a plate, and driving up and down the highway past automated license-plate readers.
This is funny. I wonder what would happen if you could put a 'NOT ' in front of your plate number... would everyone but you get a ticket?
I presume this is already on thread but Irish police conducted a manhunt for serial traffic offender "Prawo Jazdy" - till they realised that was "Driving License" in Polish
https://www.telegraph.co.uk/news/worldnews/europe/ireland/47...
I recently saw a car with a license plate of B8B88BB8 (or something to that effect) that I am almost certain the owner chose to make it hard to read and transcribe correctly by either humans or computer vision systems.
I was honestly kind of impressed.
"Droogie contacted the DMV who told him to change his plate. He refused because he didn't do anything wrong. While they wiped the fines off his record, unfortunately for him, they didn't fix the problem in the system so once again, Droogie has accrued another $6,000 in tickets"
So wait, after he knew this was the outcome from using this plate he just decided 'nope, the DMV will definitely rectify this error'? Maybe he has a much higher tolerance for dealing with the DMV than I do, but surely there are far more productive ways to spend your time than constantly battling against invalid tickets. Additionally, I would be concerned about not being able to waive some of these tickets at some point and actually having to pay them; 6k isn't exactly an insignificant amount and could also really impact insurance rates.
This post has way too much traction to flag now but I wish we didn’t have sites like this that take a bit of admittedly interesting content from elsewhere and repost it with an infinite scroll of spammy ads.
Seems to be a clever technique here too, ending the article with what seems like a non-ending, so the user will keep scrolling.
If I remembered where the original content was I’d post it, or had a desktop/laptop browser to search with right now, I’d post a link, but I don’t. I just remember having read a much better article about this in the past.
Stan, are you in here?
My buddy Stan registered for null@verizon.com back in the early 2000s so you could link sms to email delivery. Wound up with so. many. text messages. Reminders to take medicine, personal convos, sports results, everything.
Was great fun to read while waiting for class.
Similarly I used to wonder how awful it would have been to own example.com ... until I found out it was an IANA special-use domain.
But someone still owns test.com, and I can't imagine what that mail server goes through.
Source article: https://mashable.com/article/dmv-vanity-license-plate-def-co...
Similarly don't get 'none', 'no plate', or 'na' :-)
It would be cool if you could do punctuation so you could get "'; drop table;" alas little Bobby Droptables will likely never get that plate. :-)
I did see a plate "I<heart>0X45" which was a cute nerd joke, I expect that would be more difficult to get these days.
I recently bought a *.ninja domain name and started using it for my personal email address. Probably 20% of the time, when I try to sign up for a service it gets rejected by web forms that have been hardcoded to check for traditional top-level domains.
If I recall correctly, this comes up a lot with null.com too with respect to emails, etc. I think there was even an HN post about all the null@null.com emails collected by someone.
Let's talk about one specific thing from the article:
>Things started to go awry when he first registered the tags. He tried typing in his license plate but the DMV website wouldn't accept it.
Let's talk about the fact that the DMV website wouldn't accept it. Do you think this is all right behavior on the part of the DMV website?
It's really interesting because if you're coding up the DMV web site, it makes sense to disallow NULL just as a preventative measure, like not allowing '-- in a query (to prevent SQL injection attacks.)
I would generally think that on the whole you should accept -- as a substring in a password. But is it wrong programming if you don't allow that substring?
Disallowing it could cause someone's chosen password to fail, so they have to change it for you to accept the password they want, but if you know for sure that you use sql as part of processing passwords you might well decide that it is acceptable to make people have to try a new password before you'll accept theirs, in case you are not confident that you are escaping everything correctly.
So from my end it seems okay to do something like disallow NULL.
If you consider the choice of the programmer on DMV's web site, what do you think about their choice to reject this input, even though in fact it turned out to be legitimate? Is it acceptable programming practice?
Bobby Tables started school in 2007, so he'd be around 17 today, seems about right.
That's a bit curious though. If the code relies on a magic value, you'd think it's in order to skip trying to get data it doesn't have, like the address of the unidentifiable cars.
Even if NULL then does have this address attached, why does it take the branch where it looks for the data?
I suppose it would be in a relational DB, perhaps there's a join that drops missing entries, but if they aren't missing they show up?
I bricked my profile page on Zomato. There is (was) a feature where you can choose a custom URL for your profile page; I chose something which already was a valid URL for them. Now when I click on "my profile", it goes to "https://www.zomato.com/genjs". I can't edit anything in my profile now.
Seems like a brilliant idea to me, hopefully it forces them to fix their shitty software. I would chip in to crowdfund this guy's battle for sure.
Danny White, a resident of Washington, DC, had a similar problem: his vanity license plate read "NO TAGS", which happens to be what police there put down in the license plate slot for missing plates.
https://www.google.com/search?client=firefox-b-d&q=danny+whi...
This kind of thing makes me question how tightly we couple (or fail to couple) the "code of Law" to the "code of Computers".
The same issue is seen on social networks that identify users by their usernames: - before it was suspended, twitter.com/null had just 2 tweets, but over 70K followers: http://archive.is/Dt6af.
I have a friend who told me his story enrolling in his university. He's a German national who grew up in Spain. I'm going to call him Andres Schmidt, as the actual name is not relevant.
In Spain, people normally have two surnames, one from the mother and one from the father (no, it doesn't exponentially grow with generations :D). He had issues enrolling in uni, as the system required two surnames so he ended up with "Andres Schmidt Schmidt". He had issues down the road as well, having to explain himself every time he needed to register for something. I think the student id was also a hash which included the name and he hadn't been consistent with his "full" name in all systems.
See also, the person who had the personalized license plate "NO PLATE" (and similar).
Moral of the story: Test at your own risk!
At least his story brings to light the poor quality of software the DMV is using.
I'm curious about the other, unintended consequences of naming things null in other web applications; maybe it's time to explore ...
The interesting question this article poses is whether there's a system in place for the government to revoke vanity plates it's already approved. Can they force him to change the plate?
I never understand how these sorts of bugs happen - is the database something like:
    plate VARCHAR(8) NOT NULL DEFAULT "NULL"
Or rather the type is actually Option<String>:
    plate VARCHAR(8) NULL DEFAULT NULL
In which case, how is it the software can't tell the difference between Some("NULL") and None()?
The only thing I can think of is the software (or its database driver) handles everything in strings; so None() and Some("NULL") both get converted to "NULL"?
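The string-conversion hypothesis above, and the earlier question in the thread about whether a form needs to reject NULL at all, worked through as an added example (not code from the DMV, the citation processor or any commenter). The schema, owner labels and CSV hand-off are assumptions; the article only says a processing center wrote the word NULL in the plate field.

```python
import csv, io, sqlite3

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE vehicles (plate TEXT NOT NULL CHECK (plate <> ''), owner TEXT);
        CREATE TABLE citations (id INTEGER PRIMARY KEY, plate TEXT);  -- NULL = plate unknown
    """)
    # Constructed sample rows. Values are bound with ?, so the plate 'NULL'
    # is stored as a four-character string and needs no deny-list.
    db.executemany("INSERT INTO vehicles VALUES (?, ?)",
                   [("NULL", "owner-of-NULL"), ("ABC123", "owner-of-ABC123")])
    db.executemany("INSERT INTO citations VALUES (?, ?)",
                   [(1, "ABC123"), (2, None), (3, None), (4, "NULL")])
    return db

def typed_match(db):
    """Join inside the database: SQL NULL never equals the string 'NULL'."""
    return db.execute("SELECT c.id, v.owner FROM citations c "
                      "JOIN vehicles v ON v.plate = c.plate ORDER BY c.id").fetchall()

def export_csv(db, missing):
    """Flatten citations to CSV text, writing `missing` where the plate is NULL."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    for cid, plate in db.execute("SELECT id, plate FROM citations ORDER BY id"):
        writer.writerow([cid, missing if plate is None else plate])
    return buf.getvalue()

def match_from_csv(db, text):
    """Downstream system: re-reads the CSV and looks each plate up as text."""
    hits = []
    for cid, plate in csv.reader(io.StringIO(text)):
        if plate == "":      # empty field = no plate recorded, nothing to look up
            continue
        row = db.execute("SELECT owner FROM vehicles WHERE plate = ?", (plate,)).fetchone()
        if row:
            hits.append((int(cid), row[0]))
    return hits

if __name__ == "__main__":
    db = build_db()
    print("typed join:      ", typed_match(db))
    print("'NULL' sentinel: ", match_from_csv(db, export_csv(db, "NULL")))
    print("empty sentinel:  ", match_from_csv(db, export_csv(db, "")))
```

With the `"NULL"` sentinel, citations 2 and 3 (no plate recorded) land on the owner of the real plate; with a marker outside the valid plate domain, only citations 1 and 4 match, the same as the typed join.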
It would seem to me that issuing frivolous citations to a man who has not actually broken the law is a violation of the general prohibition against unreasonable fines and punishment.
For those interested, you can find the slides for the presentation here: https://media.defcon.org/DEF%20CON%2027/DEF%20CON%2027%20pre...
This article is garbage and a lot of the discussion here revolves around the spin and emphasis on facetious scenarios I mentioned in the presentation
I don't know how being able to put any random word in the plate can even work. Always found it funny in movies and thought it was a joke.
Do any states allow emojis on plates? I saw a red heart recently. But I don't know if that was the license number or the background.
I’ve seen several combinations of B’s and 8’s - like “8B88B8”. Wonder how effective they are at confusing plate readers.
> He refused because he didn't do anything wrong.
Cool the DMV fixed it. Just try that with so called "identity theft"
Reminds me of myself: when gmail came out I got my name@gmail
The name is my 6 letter last name.
I've received thousands of emails from random people. There are so many letter.name or number.name similar addresses that I'm constantly getting very personal emails of other people (deaths, marriages, invoices, business reports, etc)
Reminds me of a recent groceries delivery to my home. I had ordered online the day before and had some trouble filling in the form but managed to validate it anyway.
The delivery man called to tell me my address was incorrect. When I asked him what was wrong, he told me it said 'Null Null Null Null'.
I've got AFK plates... makes it super easy to remember :-P
A couple of cars in my city have plates like "0O00OO" or "BB88B8B"
One guy that I've seen driving near my place has two cars both with variations of "11ll11l" Both the same make and model and color.
I really don't think this will help him much.
This wouldn't be a problem if people wrote programs in languages that have proper type systems that can correctly classify failure.
I'm thinking of types such as Maybe/Option or Either.
I hate it for example when a C/C++ function has to return a -1 in case of failure.
The Wired article is better https://www.wired.com/story/null-license-plate-landed-one-ha...
Actually, it was brilliant because it pointed out how flawed the system is, that it can be passively broken or circumvented. This could be used to invalidate all citations that were issued from agencies using that software.
Well that's what happens when you use a special value that's actually not that special and is part of the valid values domain.
If they had to use a string (and I doubt they had to), they could at least have used the empty string.
LOL! Can we have a new subcategory on HN for comic relief stuff like this! :)
I rather think that it did work. Or, at least, if he continues being successful having tickets for "NULL" dropped. Because any tickets he actually gets will be to "NULL".
>Apparently, when they didn't have the right data for a vehicle, a privately operated citation processing center used the word NULL in the license plate field for many tickets.
>used the word NULL
Oh god, I feel faint.
I would think a cease and desist, followed by a lawsuit, would clear things up very fast.
BTW, California has a problem with issuing both plates with 0 (zero) and O (letter) in them. They both look the same.
I have named my phone "Null Pointer Exception"; whenever I connect my phone to a friend's Bluetooth they immediately scream - "oh look! null pointer exception!"
Is this actually possible? Aren't strings at least surrounded by quotation marks ('NULL') while NULL isn't?
I once saw a parked BMW and the plates were the current day of the week and date. I am still scratching my head over that one.
update Table set LicensePlate = 'NOPLATES' where LicensePlate = 'NULL';
The case for stronger type systems for layman programmers in an easily understood parable.
Great idea. Any cop writing you up and any traffic cam will suffer segmentation fault.
That’s the closest way yet that I’ve seen Little Bobby Tables come to life :D
Confusing the value NULL for a non-null string-sequence which says “NULL” shows the clear sign of a system where no data can be assumed to hold any integrity.
These bugs and categories of errors should simply not be possible in sane languages or frameworks.
Sounds like it worked. He can now accrue tickets without penalty.
There’s a lot of interesting options. How about NaN NaN?
I like my new vanity license plate:
DROP DATABASE;
Stories like these and the bobby droptables xkcd are the reason I ended up with this plate, https://i.imgur.com/O7KEFrn.jpg It gets a lot of compliments and attention even if most people don't know what "null" is
Should use nullptr :P
Hahahaha best thing I've read all day.
It sounds like a bright idea to me.
NULL strikes again, this time IRL!
Ah yes, we call him Bobby Nulls.
Guess I should FOIA the DMV to find out what my state's default value is.
So this guy doesn't have to pay parking tickets anymore right?
Change the fucking plate you muppet.
Should have gone with NaN
Play stupid games, win stupid prizes.
This reminds me of the bit that mentions that St. Peter has a list of questions he asks people at the Pearly gates. Among them he asks, “Did you have a vanity plate?”
This is clearly an entirely fake anecdote. Show me a pic and change my mind.
There are ways to properly sanitize inputs these days so NULL becomes "NULL" (string), BUT also tons of systems moved into JSON format assuming it's safe. It is not. JSON is not binary safe and there are tons of Unicode chars that will break JSON. I was once overseeing a system that people would bring down all the time by registering usernames that the app could not properly sanitize, and they in return were breaking the JSON format to the point of halting the whole system. I should not admit it, but using the same chars I myself broke a few YouTube channels when comments and votes were working in JSON format themselves without properly removing unsafe char codes. Good times.
This isn't even a coding error; NULL is apparently a valid license plate, and for some reason there is a private processing center typing it in to the government system.
First of all they are accidentally committing fraud (libel?) against this guy. But more importantly, why is there a private processing center? Don't the officers type this in as they fill out the ticket? or even just scan the plates? If there aren't plates on the vehicle it should be towed or booted. What is the point of recording tickets with no plates? Is the processing center paid per ticket recorded?
Shout out to all the Python programmers from the other frontpage thread who are responsible for bugs like this with their crappy scripting languages.