NULL license plate not such a bright idea (iheart.com)
999 points by dublin on Aug 12, 2019 | 467 comments

I read years ago in comp.risks about a similar story. A guy in 1979(!) requested a personalized plate "SAILING", with second choice "BOATING". He didn't want a customized plate if he couldn't get those, so for his third choice he put down "NO PLATE". Of course, he ended up with "NO PLATE". He ended up getting 2500 parking tickets, since cars with no plate had "NO PLATE" written on the ticket.

References: http://www.mekabay.com/overviews/risks/risks03_1986_06-04-19...


This reminds me about my own name. Everyone always gets it wrong (including people from where I am from). Except the Dutch. They always get it right, every single time!

There was also a meme about a person that wrote on her ID application "note the hat on the 'e'" and of course her name was Sarah Note The Hat On The E on the issued ID.

EDIT: Yes her name was not Sarah and there is no 'e' in Sarah.

I saw a car with that specific plate a year or two ago.

It seemed like it might work like humor in the TSA line.

Fine as long as you have extra time on your hands.

I wonder if it has even been towed/impounded?

> Fine as long as you have extra time on your hands.

And of course, in programmer humour, this translates to "while you're not busy with anything else, issue a fine." :)

Which, ironically, is what actually happens.

Similar thing happened to someone in DC with "NO TAGS"


I remember a different story where the guy had to fight every ticket in court

On the plus side, he could also contest legitimate tickets unless they recorded other information.

I managed to do this at my university. I had vanity plates with a design made by my local Australian shire, which had the shire emblem between two parts of the plate. The plate was something like "123ABC" but I'm guessing the emblem read as an O, so their scanners saw "123OABC", which was not a plate registered with the uni.

Each day there was a 10-20% chance I would get a ticket on my windshield. I would collect them and take them to the uni security office once a fortnight to have them cancelled in bulk. I actually got pretty friendly with some of the staff there.

At least 4 of them were legitimate tickets because I parked overtime, over a line, etc, but the staff cancelled them anyway (:

It is nowhere near that easy.


Like Make, Model, Color, and VIN? The last time I got a parking ticket it certainly included those details in the citation. I can imagine being able to contest and win any citations issued to the same plate but with otherwise non-matching supporting information. But in the case where someone else has the same make, model, and color car, you might be out of luck if the VIN gets recorded as "CANNOT READ" or is left blank.

It has happened multiple times.


I wonder if the system is also vulnerable to SQL injection via vanity plates.

I think this is unlikely since plates are alphanumeric. Although I suppose if you faked an image of a plate it's possible you could cause problems for a plate scanner.

[1');DROP TABLE tickets; --]

(Damn. Way too many letters...)

There was someone who not too long ago fixed an SQL injection to his front bumper and it managed to break the automated toll collection system.

Relevant XKCD:


A colleague used an app's "generate secure password" feature to change their ISP's web portal login - which then also became the WAN router's password - which they didn't realise.

It was about a week before the router dropped its connection and needed to re-authenticate - and that's when I was called in to investigate the loss of connectivity - which Windows 10 very unhelpfully reported as the network cable disconnected and was resetting or power-saving on the NIC so the "link active" LED on the switch was going out for about 2 secs every 10 sec. Cue a round of cable and switch swapping to no benefit. The LEDs for all other devices on the switch (running Linux and mostly internal servers) were behaving normally.

I finally backtraced to the router and a useful error message. We put two-and-two together and my colleague called up the auto-saved details in their password manager; it was long, and ALL non-alpha numeric characters - starting with a backtick, which the router would not accept. I tethered my phone to my laptop and tried to login to the Web account portal - which would NOT accept the passphrase. I tried it without the backtick "just in case" - nope.

We had to do a "lost password" reset on the portal..and wait for the email with link.

Lessons learned:

The ISP's password change page did not seem to validate input, but the login page did.

Avoid backticks in passwords.

Many, many websites will happily accept passwords of $X characters and then hash only $(X-Y) characters on registration, but try to hash all $X characters on login, so of course the hashes don’t match. And at no point do they tell you the maximum number of characters.

I once had a page that prevented pasting, but last pass's password generator still worked. So I put in a long password using that, but when I clicked to register it came up with a blank error message. Turns out they had a 16 character limit that was only enforced when you typed in the box, so I had to count the number of letters they allowed me to type and then let lastpass generate a password of that length. Infuriating.

This has happened to me on many occasions, even with bigger sites which "should know better". Tis why I'm always slightly paranoid about entering in long passwords when signing up to new sites.

Square Enix's account management on the PS4 allowed me to set a password with a space on the end, but their website strips spaces from the password field when you sign in.

Fun fact: it's actually really easy to submit a string with a space on the end when entered via a PS4 controller.

Trimming spaces is the one evil that is kind of necessary. Way too many text selection tools select trailing spaces. Firefox and Chrome both do when selecting words. Got a mail with a reset password and want to copy it over? Yeah, good chance the space is copied as well. On a few occasions even ended up in my password manager. Please, just apply password rules everywhere consistently.

> Please, just apply password rules everywhere consistently.

This would honestly fix all of it, without even needing to communicate information about how passwords are handled. Although, I think those rules should be communicated as well, so users can make good choices about password security. If spaces are removed, that lowers entropy and users may want to add additional characters or restrict spaces in their password generator.

It may not be easy. You might have dozens of different client applications with different requirements or abilities. But it is simple: Figure out your best practices and your lowest common denominator. Then apply those rules to every password every time in every context.

Alternatively, if you have clients which (for whatever reason) need a special case, create a separate hash for that special case and then use that only for that client. (Likely, this will reduce the overall security of the account, but if this is your lowest common denominator, allowing other clients to have greater security certainly doesn't hurt you.)
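Added example, not part of the thread or any site's code: the lockout several commenters describe (a set-password path that truncates, or keeps a trailing space, while the login path does not) next to a store that runs one rule set on every path. The 64-character limit, the PBKDF2 work factor and all class and function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import unicodedata

MAX_CHARS = 64            # assumed policy limit; publish it to users
PBKDF2_ROUNDS = 200_000   # example work factor, tune for your hardware


class PolicyError(ValueError):
    """Raised instead of silently altering an over-length or empty password."""


def _hash(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ROUNDS)


def canonicalize(raw: str) -> str:
    """The single rule set. Every path that touches a password calls this."""
    # Same Unicode form and same whitespace trimming on set, login and change.
    pw = unicodedata.normalize("NFC", raw).strip()
    if not pw:
        raise PolicyError("password is empty")
    if len(pw) > MAX_CHARS:
        # Reject loudly; never truncate and store something the user did not type.
        raise PolicyError(f"password longer than {MAX_CHARS} characters")
    return pw


class InconsistentStore:
    """Failure mode from the thread: the set path and the login path disagree."""
    FIELD_LIMIT = 16

    def __init__(self):
        self.records = {}

    def set_password(self, user: str, raw: str) -> None:
        salt = os.urandom(16)
        # Silent truncation, and trailing whitespace is kept as typed.
        self.records[user] = (salt, _hash(raw[:self.FIELD_LIMIT], salt))

    def verify(self, user: str, raw: str) -> bool:
        salt, stored = self.records[user]
        # Login hashes the full input and strips spaces: a different rule set.
        return hmac.compare_digest(stored, _hash(raw.strip(), salt))


class ConsistentStore:
    """Both paths go through canonicalize(), so they cannot drift apart."""

    def __init__(self):
        self.records = {}

    def set_password(self, user: str, raw: str) -> None:
        pw = canonicalize(raw)          # may raise PolicyError, shown to the user
        salt = os.urandom(16)
        self.records[user] = (salt, _hash(pw, salt))

    def verify(self, user: str, raw: str) -> bool:
        if user not in self.records:
            return False
        try:
            pw = canonicalize(raw)
        except PolicyError:
            return False                # cannot match anything that was stored
        salt, stored = self.records[user]
        return hmac.compare_digest(stored, _hash(pw, salt))


def lockout_demo() -> dict:
    """Constructed inputs: a 20-character generated password and one with a trailing space."""
    generated = "sZp10VzIoZI9g143qW7e"   # constructed sample, 20 characters
    trailing = "correct horse "          # constructed sample, trailing space
    results = {}
    for name, store in (("inconsistent", InconsistentStore()),
                        ("consistent", ConsistentStore())):
        store.set_password("alice", generated)
        long_ok = store.verify("alice", generated)
        store.set_password("alice", trailing)
        space_ok = store.verify("alice", trailing)
        results[name] = (long_ok, space_ok)
    return results


if __name__ == "__main__":
    for name, (long_ok, space_ok) in lockout_demo().items():
        print(f"{name:13s} long password logs in: {long_ok}, trailing space logs in: {space_ok}")
```
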

On a semi-related note I once had to help a coworker who couldn't log into a server using an auto-generated password listed like so:

The password is p4ssw()rd.

Turns out they didn't realize the period was part of the password.

Back in the day, I created an AOL password with CTRL-BACKSPACE in it. It worked when using the AOL software but when I tried to log into the website, it deleted the password.

Yes, this is terribly annoying, often there is a minimum length but no mention of maximum length. I see this on many, many websites...

What kind of range limits are you talking about? 30? 100?

Lots of sites have a limit of 72 characters, maybe even without the developers knowing about it. Bcrypt has a limit of 72

It's honestly a crapshoot. I've seen as low as 8 (a sibling poster says 6), but 10, 12, 15, 16, and 20 are not unusual. It's usually an even number, so you can just knock 2 characters off your password at a time (after making it an even number) until you're down to the maximum to figure it out.

Wells Fargo’s is 12 IIRC.

Lots and lots of legacy systems do this, very low limit, case insensitive, numbers and letters only. I know of a major retailer with 10 character, case insensitive, alpha numeric for All their systems. Why? Because that’s the lowest common denominator (as400).

That's how my dentist's billing website works. Except it's limited to 8 alphanumeric characters, not 10, and they were quite happy to accept my pasting a 16-character generated password into the field. Unfortunately, they don't have a password reset link; instead, you call the receptionist and they read out your password to you over the phone. This isn't a legacy system, either. I can only imagine the backend is written in QBasic or something.

I have a 14 character WFC password, seemingly works fine.

Try changing the last two characters and see if it still lets you in. It's not that uncommon that people mix up when to filter input and when to validate it.

Tried and failed (to login). Looks like they are at least validating my entire password.

I believe that Blizzard had a limit of ~20 until recently for battle.net accounts (don't know if that's still the case).

Passwords for Blizzard accounts are also case-insensitive, as they are converted to upper case before hashing. Try it!

I first found this while working on a WoW server emulator in around 2009, but I believe it's been the case since Battle.net 1.0 was launched in 1996. In order to preserve backwards compatibility, it's never been changed.

I remember that Microsoft got stuck with a 16 character limit for a while thanks to hotmail.

"for a while"

You mean until May of 2019?


Often it's 20. Not sure why 20 is so common.

Someone somewhere probably posted a code sample with a 20 character limit...

I've seen 6 characters and 16.

Had this issue with Google a few years ago when I tried to set my password to something ludicrously long (think 5000+ characters). It would happily change my password, but I couldn't log in to anything afterwards…

For many years, Schwab ignored any characters after 8 in its password. Discovered that when I knew I flubbed one of the last characters, and it still worked.

I still can't believe a major bank got away with that for so long, apparently unharmed.

I learned this the hard way when I started using a password manager. I had the bright idea to start using 90 character passwords for all my accounts and suddenly I couldn't log into a lot of accounts.

I had something similar happen with (iirc) spectrum of the power company a couple years ago. Their customer portal let me use a complicated password to sign up, it sent me the confirmation email prompting me to log in, and refused my password for forbidden characters. But then I couldn’t reset my password because I hadn’t verified, and I couldn’t modify the account cause I couldn’t log in. I was just trapped in limbo. Customer service said they couldn’t fix it for me. I had to pay my bill by phone until I moved.

Ah yes, this reminds me of my University account. I chose a long password generated with my password manager, which of course contained a character that was both allowed at set up and usage. But because I had to frequently type it in without my password manager (i.e. on a University PC), I wanted to change it. But the change dialog asked for the old password and didn't accept it, due to the forbidden character. I had to go to the support who refused to believe my story and wasn't able to change my password. It took a few weeks to get hold of a person who was allowed to change passwords.

So many home-routers are run with horrid CGI-scripts on the back-end - I'd not be amazed to learn that submitting a form-field with `blah` in it would try to run the command blah (probably via busybox).

If you have time/patience it might be worth exploring.

I've actually rooted an Asus router owned by a relative, this was about 5 years back so it's hopefully fixed now. Noticed some strange behavior after a mistype and tried something like `whoami` (not exactly) and got root back so tried a reverse shell with NC which worked perfectly. Googled it afterwards and found a ton of similar flaws on other home routers. Tried to do some kind of responsible disclosure but never got a reply or saw a fix then I forgot about it.

>Avoid backticks in passwords.

Is there even a reason to include special characters in passwords? They add 10% more security[1] but cause all sorts of issues with systems. Just use an alphanumeric password that's 10% longer, and if special characters are mandatory, use a safe character at the end like _ or -.

[1] 6.55 bits per character (all printable ascii characters) rather than 5.95 (only alphanumeric)

Special characters in passwords were highly recommended when rainbow tables were an effective way to attack password hashes. See this old Coding Horror blogpost for an idea what it was like at the time: https://blog.codinghorror.com/rainbow-hash-cracking/

Salted hashes have made rainbow tables less effective. Password managers have made single-use passwords more tenable.

Not knowing how a system will store my password, I still prefer to include special characters where available. Anecdotally, I tend to see the systems that are most averse to special characters are also strict about character limits, so simply increasing password length is not possible.

Password Managers are the new goto for obtaining all passwords and web browser zero days make it very easy to lift and then use for a variety of purposes. A simple lined small note book is good, but made secure is best, yet how would you make a pwd note book secure from someone else? This even applies to devices like bank cards and other things which needs a security code of sorts.

Keep your password manager offline with Keepass2 USB keyboard plugin for Keepass2Android [1], but I'm not sure how well it works. Too-fast USB keyboard input does seem to have issues (the open issue seems similar to things I've seen an AlphaSmart 2000/3000 do in USB emulation mode; PS/2 always worked fine).

There's also this other project, which seems more generic/difficult [2]

1: https://github.com/whs/K2AUSBKeyboard 2: https://github.com/pelya/android-keyboard-gadget

Make the passwords one character longer than what is noted in the book? Only you know the character and where it is added.

For bank cards with fixed lengths, increment/decrement the nth character, swap two characters, or do a circular shift.

Or an arbitrary number of characters. If you know the additional six alphanumeric characters added, that's another 14 million combinations to test.

Or 2FA, or ....

> 10% more security (6.55 vs. 5.95 bits per character)

That's not how this works. By your logic having a password consisting of 1,2,3,4 is only twice as secure as having just 1,2.

That's absolutely how bits of entropy work.

However symbol frequency is also significant for entropy.

Do you think 1 in 25 four letter passwords contain a backtick?

If you were brute forcing an ASCII password (no whitespace), would you naively cycle from ! up to ~ for each character?

The context is randomly generated passwords, so dictionary attacks (or other attacks that look at the plaintext from a Huffman encoding perspective) aren't really relevant.

That's most definitely not how security works. The strength of your password is not proportional to the number of bits of entropy it has.

The way you're phrasing this may be misleading.

The strength of a password / passphrase increases with the power of 2 raised to the bits of entropy.

That's an exponential proportion, rather than a linear one. But a proportion all the same.


Given mixed-case alphanumeric (62 characters) and an 8-character password length, the number of combinations is:

    62^8 = 218,340,105,584,896 (keyspace -- 218 quadrillion)
    l(62^8)/l(2) = 47.6 (bits of entropy)

A 10 character password (if randomly chosen from the same character set) has 10^17 possible combinations (about 4,000x more), and 59.4 bits of entropy, 11.8 bits more. 2^11 = 2048.

In the context of randomly generated passwords, it's absolutely ok to think about it in terms of the logarithmic relationship between 1) entropy per symbol times number of symbols and 2) strength of the password.

He said 10% stronger (which I took to mean 10% more entropy), not 10% more time to crack.

> He said 10% stronger (which I took to mean 10% more entropy), not 10% more time to crack.

Hence the problem?

Yes, measuring "strength" by "bits of entropy" is technically correct (the best kind of correct...).

It's also exponentially misleading... possibly the worst kind of misleading?

Just look at the question: "Is there even a reason to include special characters in passwords? They add 10% more to security...". I don't know about you, but to me it doesn't really portray an understanding of the fact that it takes twenty-five times longer to crack such a password for merely 8 characters, not merely 10%.

I mean, counting in entropy with the knowledge that the applied effects can be logarithmic is the standard way of discussing such matters. It's sort of the basis for the information theory that's underneath this type of work.

Edit: And the point of his argument is that more symbols of a smaller corpus of symbols can be equivalent if the entropy is equivalent.

According to KeePass2, the password: "12" contains 7 bits of entropy, but "1234" only contains 5 bits of entropy.

Is that right?

I wouldn't trust it. If you use the "Hex key - 128-bit" preset, it returns a different amount of bits every time you click it. Here are 3 samples:

    3f38ba8a6ce3aa800f007c2e431df7fd  124 bits
    9339bf587ee11b12d207df846a879cf4  129 bits
    8ca4354a9038df590fecec1f964062fd  121 bits

Due to missing or repeated characters from the set of the hex alphabet?

which doesn't make sense.

I randomly generated an 8 character alphabetical (all lower case) password "jraxxhwr". According to keepass it has 32 bits of entropy, but the entropy should be 26^8 = 37.6 bits because the search space is all 8 character letter permutations. There's no way you can reduce the search space from 37.6 bits to 32 bits unless you have an oracle that says which characters I used.

It does make sense, because the keepass entropy estimate presumably (like the excellent zxcvbn) tries to approximate the empirical distribution, not the theoretical uniform one.

In theory, "68703649" and "12345678" are equally likely to be pulled from the hat, but in practice one is a much better password than the other. You can reduce the search space by trying the passwords with higher (empirical) probability first.

> the keepass entropy estimate presumably […] tries

KeePass sources are available [0], you can see the specific algorithms it uses in [1].

[0]: https://sourceforge.net/projects/keepass/files/KeePass%202.x...

[1]: https://fossies.org/windows/misc/KeePass-2.42.1-Source.zip/K...

Thanks. I've looked at the code, and it does not seem to try to estimate the empirical distribution (doesn't appear to be using dictionaries, for example).

Then the discrepancy maybe comes from the number of glyphs within certain categories, or their repetition?

If passwords are hashed should any character be prohibited at all?

Some do MD5($password) in a sql string.

I don’t... but I’ve seen it

MD5 and all other hashes still take arbitrary bytes as input, so they wouldn't be the source of any restrictions; I suspect the majority of them are due to character set/encoding issues more than anything else.

Presumably he's talking about code like this:

    $cursor.execute("SELECT * FROM users WHERE username = '$username' AND hash = MD5('$password')")

Allowing any value would allow for SQL injections, so the programmer does the lazy thing and "sanitizes" the inputs ($username/$password) with a roll-your-own "sanitizing" function that throws an error if there are "evil" characters.
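Added example (not the commenter's code): binding the values as parameters and hashing in the application, so no character has to be forbidden, shown beside a character blocklist of the kind described above. It uses Python's sqlite3 with a constructed schema; the table layout, function names and PBKDF2 settings are assumptions, and the sample strings are constructed (the plate string is the one joked about earlier in the thread).

```python
import hashlib
import hmac
import os
import sqlite3


def open_db() -> sqlite3.Connection:
    """In-memory database with a constructed users table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, hash BLOB)")
    return db


def _derive(password: str, salt: bytes) -> bytes:
    # Hash in the application with a per-user salt instead of MD5() inside the SQL.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def blocklist_sanitize(value: str) -> str:
    """Hypothetical roll-your-own filter: rejects characters that look 'evil'."""
    if any(ch in value for ch in "'\"`;\\-"):
        raise ValueError("illegal character in input")
    return value


def rejected_by_blocklist(value: str) -> bool:
    try:
        blocklist_sanitize(value)
        return False
    except ValueError:
        return True


def register(db: sqlite3.Connection, username: str, password: str) -> None:
    salt = os.urandom(16)
    # '?' placeholders: the driver sends the values separately from the SQL text,
    # so quotes, backticks and semicolons are stored as plain data.
    db.execute("INSERT INTO users (username, salt, hash) VALUES (?, ?, ?)",
               (username, salt, _derive(password, salt)))


def login(db: sqlite3.Connection, username: str, password: str) -> bool:
    row = db.execute("SELECT salt, hash FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, _derive(password, salt))


def user_count(db: sqlite3.Connection) -> int:
    return db.execute("SELECT COUNT(*) FROM users").fetchone()[0]


if __name__ == "__main__":
    db = open_db()
    password = "`it's; a \"pass\" --"              # constructed sample
    plate = "1');DROP TABLE tickets; --"           # string quoted in the thread
    register(db, "o'brien", password)
    register(db, plate, password)
    print("blocklist rejects the password:", rejected_by_blocklist(password))
    print("login with bound parameters:   ", login(db, "o'brien", password))
    print("rows in users after both inserts:", user_count(db))
```
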

Another way to say this that wouldn't rile so many people up is "In order to achieve the same size search space, you'd have to use ~10% more alphanumeric characters than all of printable ASCII."

Is there a special reason to forbid using native languages unless your native language is English?

bits usually add exponential complexity, so that '10% more' security might mean a password that's a million times harder to brute force..

10% more refers to the character length for the same amount of security, so that's already baked in. eg. you can get a 128-bit entropy password with 22 alphanumeric characters, or 20 characters with all printable characters.

calculations here: https://news.ycombinator.com/item?id=20678529

Based on your numbers they add 10% entropy per character. Which compounds into an increase of 210% over a length of 12 characters. Thus you'd need the password to be at least 3 times longer with only alphanumeric characters to have the same entropy.

no, check your math.

number of characters required for 128 bit entropy password using alphanumerics: 21.49[1]. round off to 22

number of characters required for 128 bit entropy password using all printable characters: 19.5[2]. round off to 20.

22/20 = 110%

[1] https://www.wolframalpha.com/input/?i=solve+log_2(62%5Ex)%3D... (under "real solution", click on "approximate form")

[2] https://www.wolframalpha.com/input/?i=solve+log_2(94%5Ex)%3D...

There are about 138k printable characters, not 62.

I went to change my password on a forum site that I had not used in a few years. My old password was really weak - think "abc123" or something similar.

I logged in and then attempted to change my password to my new standard of 20+ character upper/lower/symbol. The problem was, they'd upgraded their forum software, and there was a bug that added password strength validation to the "old" password field.

So I was putting in:

Old: abc123 New: sZp10VzIoZI9g143

And was getting the error message "error: your password must be 8+ characters long". After about 10 minutes of frustration and realising they had both client and server validation I went down a similar route as you and used forgot-password even though I knew the password.

Oh yeah, I've run into a lot of similar problems with even very well tested applications. The password reset field would accept inputs not valid at login time. I mostly ran into this when generating random passwords 100 characters in length from LastPass.

At one point GitHub even reduced their max password input to a sane amount, and I couldn't log in anymore with my existing insane password length a few years ago.

In most cases they fix the case when I report it, but my bank is terrible.

Similarly, my Belgian ISP (Telenet) has WiFi home gateways that are configured by their web portal, and config is pushed by the ISP.

I figured out that they only did validation on SSIDs client-side, so managed to get around that to put emojis in my SSID.

Which then proceeded to soft-brick the entire thing on config push. I'd have to log in to the web portal via another connection, change the SSID there, and then reset the hardware with the reset button to get internet working again.

The stereo in my 2013 GTI crashed hilariously if you tried to pair a Bluetooth device with anything in the name outside of [a-zA-Z0-9]. I wish I'd have messed around with it some more before I sold it (it was a silly car to own for how little I drive)

Oooh this reminds me, I am trying to learn a language that of course has ‘non-standard’ characters, and not even anything particularly exciting - Ä, Ö and the like. I thought it’d be cool to help memorise words (and be super secure) by changing frequently used passwords to phrases that contained these words... ...Caused me some trouble.

> avoid backticks in passwords

I learned that lesson a different way: When I had a Windows phone my email password had a backtick, and the only way to enter it on the phone was to long-press the apostrophe, pick backtick from the three or four apostrophe variants that appeared, and pray I didn't fat-finger it and enter the wrong character. In general, there are just some second class citizen characters you should always avoid, because you never know how hard they're going to be to enter when you're on a phone or a kiosk or whatever. (Tilde, I'm looking at you, too.)

There are regional keyboard layouts lacking backtick completely. (I would have to use alt+96 or switch keyboard from my default (and only) Czech QWERTZ layout to type `, if I hadn't more convenient AutoHotkey shortcut in effect.)

The Indian version of personal retirement fund NPA website does this, I learnt a lesson. Every certain weeks you have to change password. No big deal. I will just add an incremental number. Ok, password now is PasswordPass1. Let's log in, Wrong password? Why? Error Password length exceeded.

So, the password change page will accept any length password, will silently truncate it if longer & save it. Now on login page you have to guess the password length or reset.

This is one reason why I stick to alphabet (+case) in my passwords, when I can make them long.

I had the exact same issues with some passwords which were accepted when creating them, then not accepted anymore when used to log in.

This plus emails such as a@example.com or hjghgfggv@example.someweirdtld show how much sites are broken because of some philosophical ideas of developers.

I once had the bright idea to use a backslash as a one character password for my girlfriends computer, thinking it would provide amazing convenience – a single character, just above the enter key. Turns out this doesn't work very well, even on a Mac, which you would think would have gone through fairly robust testing.

Once upon a time, I went through my logins and tried to change them to strings with weird characters. I ended up with a password of on an internal school site and couldn't change it to anything else, since the "change password" site somehow rejected it.

I had a similar issue when my bank introduced a new banking app. The web login page has different requirements for the password than the app. I.e. on either I can set my password to something that the other will not accept.

I had a backtick in one of my passwords very long ago. When I first got my iPhone I couldn't figure out how to type that backtick until I realized one needs to press and hold and apostrophe.

When I was a foolhardy college student I figured out that if the cited vehicle make on my city parking ticket didn’t match my registration, I could appeal the ticket via a web form very easily and succeed every time.

Naturally I removed the badges from my car and put on different badges from another manufacturer. After a while they started to cite me as “other” and the trick no longer worked.

All we had to do was register our cars in each others names. When I was married, my car was registered to her and vice versa. The redlight/photoradar laws in my state required that the company operating the devices had to match the pic of the driver violating the law, to the pic of the registered owner via the license plate. If they couldn't match them, no ticket was issued as you can't prove who was driving. That's probably changed now that a lot of DMV's are doing facial scans with datapoints. They probably just scan the whole DMV DB now to find the driver. Wear a mask.

Where I am from the ticket is issued to the vehicle owner, doesn't matter who was driving. On the plus side it means that you can get a photoradar ticket for driving 300km/h and not lose your licence, just pay the fine.

P.S. If the driver must be recognized does it mean that motorcyclists are exempt from photoradar fines?

I thought that motorcycles already didn't really show up on the photoradar scanners. That's the way it is here, but I can totally see that being a jurisdiction by jurisdiction thing.

Here it is easier to avoid getting a photo with motorcycle because there are places where it targets front plate. If photoradar targets back plate then you will get a ticket for a motorcycle just like any car.

It really depends. The newer traffic control bridges we have on our highways take a picture from both the front and back.

At least here in Finland, the cameras take pictures of speeding motorcycles, but they are not used. No front license plate.

In the UK we fixed this by making it a legal requirement for the owner of the car to identify the driver (obviously unless there's a valid reason you can't, such as it being stolen).

Two MPs have actually been caught out by this law, convicted of perverting the course of justice and sent to prison:

- https://en.wikipedia.org/wiki/Fiona_Onasanya

- https://en.wikipedia.org/wiki/Chris_Huhne

> On 3 February 2012, Huhne resigned from the Cabinet when he was charged with perverting the course of justice over a 2003 speeding case. His wife at the time, Vicky Pryce, had claimed that she was driving the car, and accepted the licence penalty points on his behalf so that he could avoid being banned from driving. Huhne denied the charge until the trial began on 4 February 2013 when he changed his plea to guilty, resigned as a member of parliament, and left the Privy Council.[7][8][9] He and Pryce were sentenced at Southwark Crown Court on 11 March to eight months in prison for perverting the course of justice.

Going to prison for lying about speeding 10 years ago seems insane. Did they punish these MPs especially heavily just to make a point?

Generally the courts punish "crimes against justice" such as perjury very harshly as it is seen as an attack on the rule of law itself, something much more valuable than any amount of money. When I was a juror they made it clear that if we got caught talking about the case or did any independent research, we could and would be going to prison.

He didn't get sent to prison for speeding. He got sent to prison for having the audacity to think he could pull a fast one on them and the balls to actually try.

Is it true that in England, the person sitting next to the driver IS the driver?


Only if your last name is Bucket.

LOL totally got that joke. Made my day, thanks!

It is true in Norway if someone is practice driving; the grown up in the passenger seat is the driver.

I took my motorcycle driving test with my licensed driver and the examiner following in the car behind me.

Or just don't speed.

Here I think you are asked to directly wire transfer the penalty amount or you can challenge the ticket, then you will be heard as a witness for who drove the car. If you refuse to tell that or don't know, the judge can order you to keep a log of all journeys of your car that can be inspected for finding the culprit of a future offense.

Here in AZ, they'll lookup and assume the spouse. Of course, they're also required to serve the ticket in person.

Or use Juggalo face paint.

So, you were just running red lights, and you think this is a hack worth bragging about?

Typically, like they did here, they also lower the yellow light duration when they install these devices, causing more people to "run red lights" and collect $$$ for the jurisdiction. For nothing. This was proven in my state. Accidents have also gone up in these areas because now when the light turns yellow people have been trained to know they don't have enough time to make it through traveling at a normal speed, so they gun it to make it through. If you think I purposefully speed and use this to avoid red lights, you're assuming too much. I don't feel bad one bit circumventing a rigged system.

Edit: https://www.motorists.org/issues/red-light-cameras/yellow-li...

It is, that’s a great hack

I knew a kid in college who would get a ticket, and then look around the parking lot for another Black Nissan Maxima. Most people don't actually look at the plate number, just the make model. I think he got one ticket paid this way ... guy was kinda an asshole.

I've had a friend do the reverse: parking in illegal spot, and borrowing a ticket from another car that already received one. Upon return some hours later, he returned the ticket to the correct windshield.

Quite brazen, and frankly a bit of an asshole thing to do.

I did this once, too. YMMV based on meter maids in your city;

My own unpaid ticket from weeks ago should become an asset. Protect my car from violations with cast Invisibility.

I put the decoy on windshield, under the wiper blade, and wandered off for a bit.

But this upset the coin gods. When I went to my car an hour later, neatly tucked above my original ticket was a fresh new one. Balls.

Maybe using 2 old tickets will work. :)

I’ve seen a parked car with 3+ tickets on the windshield (didn’t count but there was a small stack of them) in Austria. Had a foreign license plate though so probably just didn’t care and wasn’t gonna pay.

Around my area they almost always open existing tickets to check for the time/date. In addition many parking enforcement people patrol the same area all day and remember whether or not they already ticketed that vehicle.

But what did he do if the other car had already left when he returned? It's much more than a bit of an asshole thing to do.

That, or received a second ticket. It all went to the plan that time, at least.

Also pure genius. The worst kind, but hey! Gotta credit where some is due.

Creative... I've not done it, but it seems if I get a really good scan of a ticket, put my info on it, and use it as needed, they don't have a record of it. So I'd never get a fine.

Someone tried that on me on campus but I noticed. I wasn’t supposed to be parked there either and was skating by on a technicality that worked as long as no one looked too closely into it. Otherwise I’d have called security and made his life uncomfortable for awhile. As far as I’m concerned, it’s fraud.

I really enjoyed my parkingservices@ email address at my university. Took them many years to catch up and take that alias away.

Relevant xkcd comic https://xkcd.com/1105/

In the Starcraft 2 community it is called barcoding. Basically, I 1 | l are all accepted characters for a name and I think some do look actually identical on most fonts used in the game. So yeah, one person doing that you call "barcode", 2 persons doing that, you already have deniability. Be more than 10, and that's a crowd.

There was a time where call of duty ghosts was exploitable, and people could wipe/delete the accounts of anyone whose username/gamertag they knew. Streamers and pro players had to use barcode usernames to avoid getting their accounts deleted.

Google's AlphaStar StarCraft bot did just this under different accounts. Along with some other fingerprinting, many of the accounts and replays were found by the SC2 community.

To my knowledge, it played with only one account. It played exactly 50 games with every race. It was outed mainly because of two things: A very high win rate (above 80% IIRC) and the fact that as a zerg it produced units by selecting larvas directly, which no one ever does (someone explains that it uses control groups but they are hidden and don't show up in replays, I don't know how accurate it is).

Back when I used to play Ingress, that was really common. The Enlightened in Dallas had a ton of barcode names.

The new client makes it much easier to distinguish the characters, but there are still plenty of barcodes in the game.

You can reuse names in SCII, so it’s more a convention than anything else. The important bit is to have many accounts with similar names.

This goes back at least as far as the original Unreal Tournament, I even saw a player using it in the fairly obscure Shogo: MAD multiplayer community. Never knew why it was done back then, I assumed it was just to be cute, but it did make it troublesome to mention them in in-game chats.

I actually saw a car with a license plate like this last week. Some combination of I's and 1's. White Ford Mustang driving around Santa Clara.

In UK number plates I and 1 are the same character, as are O and 0:


Number plates existed for decades before ASCII was invented. Before computers, people often used mechanical typewriters which didn't have keys for 0 and 1: you typed 0 as O and 1 as l. I threw away one such typewriter recently. It was in good working condition, with its instruction manual. It had been made in a country that no longer exists. You may imagine how sad and nostalgic I felt.

I've seen something similar in New Zealand. Probably wouldn't be fooling anyone given the size of the country and how distinctive the car was.

Saw a similar one on the road in front of me with a combination of N's, M's and I think a W ... man it was impossible to get straight while moving.

Bobby tables we call him

Nope, that one is different.


I own a rare collector car with a three-digit VIN. This has caused endless hassles at the DMV as well as the insurance office. Sometimes we find success by prepending the necessary number of zeros, before the VIN. Other instances in the same system require appending zeros after the VIN. The true VIN has a hyphen but that never makes it into the DMV's system. One time I got stuck in a particularly nasty loop where the DMV mailed over thirty notices claiming the register would expire on 01/01/0000.

I had a car—a 1971 Toyota Landcruiser FJ55–that technically had a tilde(~) in the VIN. It was in the format: FJ55~123456. When I bought it, the title had the VIN as FJ550123456. I just accepted and ignored it for a while, but when I decided to sell the car, given that most of my potential buyers were out of state (and in most states, out of state purchases require a VIN inspection) I tried to get it fixed. After six months of working the motor vehicles department here, getting an inspection by state police, and everything else, I found out that their software couldn’t handle any non-alphanumeric characters. In the end they decided to change the title to FJ55123456 so it skipped the tilde but didn’t replace it with a character that didn’t exist on the vehicle.

>I own a rare collector car with a three-digit VIN. This has caused endless hassles at the DMV as well as the insurance office.

I have a similar problem with my own identity. I was born in Canada's smallest province, PEI, and now live in its largest, Ontario. Some Ontario government software seems to have problems recognizing the relatively low numbers on PEI birth certificates.

Which numbers?

Hmm, is this just because it is so few digits? I've had plenty of classic cars that have commission numbers with between six and twelve digits instead of VINs, and haven't ever had any issue with the DMV here in MA.

I used to work for ClassicCars.com ... there's a LOT of variation to VINs before 1980, they standardized in the early-mid 70's, used to know the specific year.

Is it possible to register it as a "custom" with a completely new (and more friendly to the systems) VIN?

What car is it?

It must be a car manufactured before VIN standardization in 1981, at the very least.

I'll give you 999 guesses.



Numbers 0..99 are not three-digit.

Ah, but VINs aren’t numbers. (Never mind what the N stands for.) 000 would be perfectly valid.

Impossible in Switzerland at least

Digits, not numbers... I guess a VIN can still be 007, or 054. Right?


Tangentially related somewhat-common bug: YAML files will interpret the literal 'no' as boolean false if it's not quoted, instead of as a string.

Many developers have wondered why, when they stuck country-specific configurations in a YAML file, things suddenly stopped working when they expanded support for Norway.

I always felt Yaml is far too complicated of a format for storing hierarchical data. JSON is too simple (no comments; hard to store multi-line strings).

HCL, the hierarchical data storage language used by Terraform, is the closest thing I’ve seen to a happy medium between JSON and Yaml.

Another option, if the string values are not multi-line, is CommentJSON (use the Python module or write 10 lines of code that strips out comments from JSON if using another language).

Both a bare > and a sequence of 3 quotes are invalid in JSON, so it should be really simple to add multi-line strings either Python or Perl style.

The Hjson format does this: https://hjson.org/. It’s just JSON plus syntax sugar such as // comments and '''multiline strings'''.

    {"comment": "JSON supports comments just fine. :-)"}

YAML has tons of warts like this.


This should be used in schools as an example to illustrate how not to do things.

Also as an example of "always deserialize to known types". Flexible boolean values can be convenient since it's relatively human-readable, but "deserialize into [whatever the heck you think is appropriate]" is a problem for quite a few reasons beyond confusion: https://lgtm.com/blog/swagger_snakeyaml_CVE-2017-1000207_CVE... (same techniques have been used against other kinds of serialization in many languages for many years)
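The unquoted `no` problem and the "deserialize to known types" advice from this subthread, as an added example that is not part of any comment: a resolver for the YAML 1.1 boolean forms next to a loader that coerces each key to a declared type, plus a lint check for the risky keys. The sample document, the schema and all function names are constructed for illustration, and the line reader handles only flat `key: value` pairs.

```python
import re

# Plain (unquoted) scalars that the YAML 1.1 bool type resolves to a boolean.
YAML11_BOOL = re.compile(
    r"(?:y|Y|yes|Yes|YES|n|N|no|No|NO"
    r"|true|True|TRUE|false|False|FALSE"
    r"|on|On|ON|off|Off|OFF)"
)
YAML11_TRUE = {"y", "yes", "true", "on"}

# Constructed sample: one country's settings as flat key/value lines.
SAMPLE = """\
country: no        # Norway, unquoted
locale: nb_NO
enabled: true
"""

# Hypothetical schema for the sample: the type each key must have.
SCHEMA = {"country": str, "locale": str, "enabled": bool}


def unquote(scalar):
    """Return (text, was_quoted) for a single- or double-quoted scalar."""
    if len(scalar) >= 2 and scalar[0] == scalar[-1] and scalar[0] in "'\"":
        return scalar[1:-1], True
    return scalar, False


def resolve_implicit(scalar):
    """Type a scalar as an implicit YAML 1.1 resolver would (booleans only)."""
    text, quoted = unquote(scalar)
    if not quoted and YAML11_BOOL.fullmatch(text):
        return text.lower() in YAML11_TRUE
    return text


def read_pairs(document):
    """Yield (key, raw scalar) from flat 'key: value' lines. Not a YAML parser."""
    for line in document.splitlines():
        line = line.split(" #", 1)[0].strip()
        if line:
            key, _, value = line.partition(":")
            yield key.strip(), value.strip()


def load_implicit(document):
    """Let the value decide its own type: 'no' silently becomes False."""
    return {key: resolve_implicit(raw) for key, raw in read_pairs(document)}


def load_typed(document, schema):
    """Deserialize to declared types; reject unknown keys and bad values."""
    typed = {}
    for key, raw in read_pairs(document):
        if key not in schema:
            raise ValueError(f"unexpected key: {key!r}")
        text, _ = unquote(raw)
        if schema[key] is bool:
            if text not in ("true", "false"):
                raise ValueError(f"{key}: expected true or false, got {text!r}")
            typed[key] = text == "true"
        else:
            typed[key] = text
    missing = set(schema) - set(typed)
    if missing:
        raise ValueError(f"missing keys: {sorted(missing)}")
    return typed


def lint_unquoted_bools(document, schema):
    """Keys declared as strings whose unquoted value would resolve to a bool."""
    return [key for key, raw in read_pairs(document)
            if schema.get(key) is str and isinstance(resolve_implicit(raw), bool)]


if __name__ == "__main__":
    print(load_implicit(SAMPLE))
    print(load_typed(SAMPLE, SCHEMA))
    print(lint_unquoted_bools(SAMPLE, SCHEMA))
```
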

Every feature is a source of bugs. Be careful when constructing end user affordances for systems that have broad applicability and need to run over a very long time span.

I am one of those developers.

Afterwards I just try to avoid yaml if I can. While it looks cleaner than json, I don’t find it especially easy to read and there is unnecessary ambiguity due to unquoted strings. And it seems to have a thing against Norway ;)

I don't have a problem with yes/no per se, I just don't like that it also takes true/false

It’s not only that. YAML also interprets on / off as boolean.

I don't have a problem with any of those representations, and also no problem with all of them at the same time.

But not only the value representation keeps the types ambiguous, also there is no off-channel place to disambiguate the types, and no value-independent rules for deciding on the types. If any of those was different, there wouldn't be a problem.

I remember a story when Microsoft translated some ancient version of Internet Explorer for Mac, there was a menu where you could select TLDs (I can't remember what for) and the .no domain ended up getting translated as the word

Reminds me of the story of Ireland's worst Polish driver who never got caught: http://news.bbc.co.uk/2/hi/uk_news/northern_ireland/7899171....

I've also heard a similar story of a Finnish man who got a ticket in the UK, and on closer inspection found his name on the ticket listed as Mr. Ajokortti Körkort. That's "driver's licence", first in Finnish, then Swedish, and is written at the top of the driver's license card.

That said, I find these stories a little hard to credit, since you'd expect police officers in the EU to be fairly familiar with the standard EU driver's license layout.

You’d expect offices in the US to be familiar with US states and territories, but that doesn’t stop them from occasionally demanding a passport from people from New Mexico, or saying a license is fake because there’s no such state as “District of Columbia.”

I once had a Texas policeman unholster his pistol on me because he thought my US Passport was a fake ID and my travelers checks were some sort of scam. Then his backup arrived and explained both items to him — and the Dairy Queen cashier that had called 911 on me. Stuff like that is why you have to stay on the interstate.

Can you elaborate on this story? Why the hell did the cashier call 911 on you, and what state were you from?

How long ago was this?

Based on "traveler's checks", I'm going to guess at least a couple decades ago. Cashier probably called 911 because they thought GP was trying to commit fraud with "fake money".

I mean, in what world can you cash travelers cheques at a dairy queen?

It's been a very long time, but my grandmother always used to give me spending money for vacations in the form of Amex traveller's checks. IIRC you could use them in essentially any situation where you could use an ordinary paper check (which was substantially more common back in those days).

Dairy Queen was a favorite from my childhood, I had moved away from Texas years earlier so I decided to indulge while visiting. These days I’m more into Sonic - the food is better, they have a greater variety of sweet treats, and I really like their iOS app.

Wait, you tried to pay with travelers checks at a Dairy Queen?

Yeah, do you want to get shot?

I've been at some tournaments where a couple of the kids had the last name "Bye". They picked up a fair number of forfeits during the season.

Wow, that's an awesome last name for a tennis player :)

NASCAR -- have your name on the rear bumper.

> you'd expect police officers in the EU to be fairly familiar with the standard EU driver's license layout

The common design for all the EEA countries was supposed to be implemented by the members by the start of 2013 according to Wikipedia.

Until 2033 there will be valid licenses that were issued before the common license, so there's still a lot of different designs out there.

Also, the common design, like with passports, provides numbers for the boxes, so e.g. 1 is "Name" and 2 is "First Name" and 5 is your license number with whichever authority issued the license. But it doesn't take a _very_ stupid person to write down stuff that's in the wrong box or not in a box at all when all of it seems like moon language to you.

Probably better to have a machine scan the identity document, not least because the machine can trivially avoid freaking out over "Nick Smith, born 2000-01-04" when the wanted criminal was actually "Mick Smith, born 2000-04-01".

I once had a BevMo cashier in California ask me, “Massachusetts? Is that in Canada?”

Very little faith left.

I once had a cab driver take me to MIT. Cab driver: "what is this place?" Me: "MIT" Cab driver: "what's MIT?" Me: "the Massachusetts Institute of Technology." Cab driver: "what's Massachusetts?"

I've heard that, three blocks from Caltech, many people have never heard of the university.

I had a cab driver in New York who was unable to take me to the Brooklyn Bridge.

... well it keeps getting sold.

Possibly didn't want to take you into Brooklyn. The Manhattan side isn't really walkable.

I was already on the Brooklyn side. But the issue was literally that he had no idea what the Brooklyn Bridge was, not the precise drop-off location. (We just wanted to look around Dumbo for a bit.)

Wow! Hard to think of a more iconic landmark in that case.

Someone else is probably out there complaining a cab driver wouldn't give them a ride to the Statue of Liberty.

Not to be confused with the world class educational institution the Manukau Institute of Technology :P

I always find it funny when I drive by that and I see the sign MIT.

Move over plebs, some people study at the Royal MIT: https://www.rmit.edu.au/

I find the German language funny because "mit" just means "with". I remember search engines having trouble with this in the late nineties.

Irish driving licences didn't start to use the standard credit-card-sized EU format until a few years ago. They were paper booklets which had long since been phased out in the rest of Europe.

Here in Belgium new driving licenses are of the standard credit-card design (I don't know exactly since when), but most people still have the old folded paper design. Since the old licenses are still valid, and the new designs require renewal every 5 years which the old ones don't, there is no incentive for people to swap their old license for a new one.


They rank their Polish drivers?

I have a family member whose license plate started with "&". The DMV accepts it, plates were ordered online fine, but police systems can't handle it apparently, to my family member's ultimate discomfort. I commonly joke it probably gets the individual out of automated tickers for speeding and red lights, but when an officer pulls them over we sometimes need to explain that the "&" is dropped in the system (or so we've been told) and that seems to clear up issues.

In Washington State, you can register period-correct plates for your car. The problem is that you can't register the actual digits that are printed on the plate. The cops and cameras can't pull up your information, and you get stopped and questioned all the time. Explaining how the plates work to the Police gets pretty tiring.

Any word on whether the plate without the preceding '&' is in circulation? I'd be curious if your records in the police systems would be merged with the records of the owner of that plate.

The rules for California are the special symbols (which don't include &) are non-significant. Everything but the plate itself ignores them. Washington doesn't have special symbols, but does have an optional dash, which is also not significant.

I guess it doesn't happen a lot, but they'd have a crazy time if they had to deal with Arabic license plates..

I sometimes see California tags with a heart character in them. Does anyone know if those are considered part of the number, or are they just ignored as decoration?

They're a special vanity style plate in CA. They probably just are ignored/not entered when searching. https://www.dmv.ca.gov/portal/dmv/detail/online/elp/elp

I recall the heart and plus symbols are being ignored in the system.

I had a standard 8-digit Indiana TK series truck plate which would get flagged as "unregistered" by the broken ALPR systems in other states.

Looks like you can't have the character '&' on a personalized license plate in WA: https://fortress.wa.gov/dol/extdriveses/NoLogon/_/

That link redirects to the DOL homepage.

Thanks for letting me know. Here's the proper link: https://fortress.wa.gov/dol/extdriveses/NoLogon?Link=Persona...

Just out of curiosity, how do you think you missed the rest of the URL?

I have a suspicion that the trend towards browsers being 'helpful' with the URL field is contributing to mistakes like these.

Would this be an example of a bug that could have been detected with contract-style testing?


Well, to their credit, they're the ones whose system won't go down from an XSS payload on a plate.

I love when people double down out of principle, when the only person getting hurt is themselves.

He refuses to change it because he did nothing wrong...sure, but you are also the only one being hurt by it. Is this really the hill to die on?

The DMV made a mistake, they know it, and they aren't fixing it. In this case, the problem is relatively inconsequential but it is an institutional failure. The DMV is a government agency which is, at least in theory, somewhat indirectly accountable to the people. Which means that if they're treating one particular citizen unfairly, one option that citizen has is publicly shaming them. (Another option is to file a lawsuit. That's more work, though.)

As I see it, this person is performing a public service by not budging on this. It's nowhere near on the same level as Rosa Parks not going to the back of the bus, but sometimes we need people to not simply go with the flow because it's the easiest thing to do.

Considering that the DMV in most places already has a lot of shame heaped on it, I doubt this extra spoonful meaningfully moves the needle.

This guy is really just wasting his own time for no actual benefit to anyone. If he genuinely enjoys it, then sure, I guess each to their own, but if not...

But they're only performing a public service if it gets fixed -- which there's no indication in the article is happening.

And frankly, why would it? Different government agencies likely have zero reason to cooperate on it. Especially if, say, the DMV is responsible for the error, but the courts are the ones dealing with the cost.

So unless this guy has a reason to think it will get fixed because of him... he's just wasting his time, no?

Sure he did nothing wrong because it backfired like one of Wile E. Coyote's schemes but the article makes it clear he was hoping to confuse automatic ticketing systems. He was trying to get out of tickets. Sure he didn't break the letter of the law but he tried to break the spirit of the law and it bit him. Some might call that karma, I think he needs a better hobby than standing in line at the DMV which is ultimately what he has taken up. I wonder how long he'll keep going.

AKA he was attempting to commit fraud or rather obstruct justice. I don't particularly feel sorry for him.

But it does actually work! He can never get any tickets. If he does he'll just claim it was a false one.

Yeah he ends up paying all those tickets with his time though. And time is more valuable than money for a lot of people...

After the second go round or so he'll have a form letter. After the 4th or 5th time the DMV people will recognize it when it arrives. If it goes on long enough eventually all the employees will be aware of this edge case and he can probably appeal legitimate tickets.

Exactly! All he has to do is collect all the notices and deal with them every few months. Not to say there aren't other implications that might be more troublesome :P

“It made my tickets free (if my time is worth nothing)!”

It reminds me of the guy who owns nissan.com, who probably blew his life savings on lawyers defending himself from Nissan Motors lawyers for decades.

Nissan treated that man very badly. I never owned a Nissan car, and never would because of this.

His family name was Nissan, and he registered the domain when Nissan still called itself "Datsun" in the U.S.A.

I wonder how much you could sell that to them for if you were really good at negotiating. Maybe as much as $100k?

Multiply that by a thousand or more if they had already accrued $10 million in "damages" by 1999 as they claimed. Apparently it would be extremely valuable to them.

Die on?

But how - he can challenge the fines in a court of law. Since it's a vanity plate, adding an extra notoriety won't hurt.

On top of that, if anything, forcing the government to fix its bad code (insert snarky ambiguity between software code and legal code) can't be a bad thing. I'd buy the guy a beer.

I'm pretty sure the government will continue to just waste money processing his appeals instead of making an effort to fix the system.

So in reality, this guy is indirectly wasting taxpayer money. Sure, the government is wrong in not fixing it, but knowing that the government won't fix it, but continuing to behave this way, is his fault.

The problem is it's a "a privately operated citation processing center" that's causing the problem. They might even be instructed to hand-enter a NULL for these cases.

I don't really see an incentive for the govt agency to do anything about it. It's no skin off their nose. They'll just keep sending the tickets.

> "a privately operated citation processing center"

In a way, this is the real bug - one that affects more areas of local government than most people know or understand.

Our local governments are constantly seeking - and usually getting - private companies to do what should be public. The potential (and actual) repercussions to the system are serious.

For instance, how do such arrangements affect FOIA requests? What about other forms of transparency? Are we really getting our money's worth as taxpayers? Is the money actually being used properly or are costs being inflated?

It's a form of government privatization "by a thousand cuts" - we already know of the problems inherent in the system of privatizing out and contracting of private prisons; plus the loop they cause because of recidivism rates, because a repeat "customer" is better for the bottom line than one reformed for society. Which may be better for the private company, but has huge costs to society itself.

I wouldn't doubt that similar issues are happening with the privatization of other parts of our local government. It is sickening to me, personally.

At some point, can you not file some kind of harassment lawsuit? Is it legal to continue to send someone bills for which they aren't liable?

Don't you have some kind of illegal prosecution laws? In my home country people could go to jail for that.

That's assuming it's an error in their code.

For all you know, they have a list of too-clever license plates (null, no plate, etc), and they purposefully divvy up the no plate tickets among them.

"hand-enter a NULL for these cases" <-- should be a reserved word then.

Except they won't fix it, and he will have to keep filing protests

Figure of speech... I just mean he is making a stand for something not that important but causes him (and only him, really) inconvenience

Maybe this particular bug inconveniences only him, but it exposed an improper practice that in general could have affected others too.

I know what "die on" is - it's just inappropriate in the context: nothing bad has actually happened to him.

You obviously still don’t know what the phrase “choosing to die on a hill” means.

Yeah, just b/c he is stubborn enough and doesn't wish to give up his vanity plate instead of folding. Pretty much nothing that hard/uphill battle has happened to him.

There are two options: die on the hill, or retreat. He is not retreating. Therefore he has chosen to die on the hill.

Those would be the options if there was an attack against him, but there's not any attack against him. Wrongly addressed tickets are hardly even a minor inconvenience. I think that's what the parent is saying.

It's a figure of speech; when used colloquially in this manner, it has nothing to do with any kind of attack.

It just means "argue a point on principle when you know you aren't going to effect change".

It's a figure of speech which means to argue on a point of principle without regard to the cost when you know you aren't going to effect change. It absolutely doesn't make sense in the context where there's no attack. Otherwise how does the dying come into play in the analogy?

> Wrongly addressed tickets are hardly even a minor inconvenience.

Now I wonder what you would consider a minor inconvenience. "Oh yeah that time they suspended my licence that was a minor inconvenience for me."

Wrongly addressed tickets are a real hassle. I'd assume that if you don't contest them in time, you have to pay them. And if you don't pay them, they will suspend your licence. (I don't really know. But I assume that's what would happen.)

You can be arrested for driving on a suspended license, and it can be either a misdemeanor or a felony.

>he can challenge the fines in a court of law.

If he sees spending time and effort expunging his record every few weeks as worth the trade-off for the 'extra notoriety', then power to him. I wouldn't do that.

I'd presume - the court decision may force the agency to fix their code.

Court isn't cheap.

You're paying for it with a lawyer or with your own time

> Droogie contacted the DMV who told him to change his plate. He refused because he didn't do anything wrong. While they wiped the fines off his record, unfortunately for him, they didn't fix the problem in the system so once again, Droogie has accrued another $6,000 in tickets that he had nothing to do with. He says he won't be paying those either.

Except he just contacted the DMV. No lawyers necessary.

Really I'm surprised they didn't just add NULL to the list of banned words and ban/refuse to renew the tag which seems eminently within their powers.

Perhaps they did and the renewal system just assumed that banned word was missing and silently skipped it.
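The hand-entered NULL and the banned-word list suggested in this subthread, as an added example that is not part of any comment: a citation matcher that stores a missing plate in-band as text, next to one that keeps it as a real null, plus a registration-side reserved-word check. The thread does not say how the real system stores missing plates, so the placeholder behaviour is an assumption; the registry, citations, owner ids and function names are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed registry: plate text -> owner id.
REGISTRY = {"NULL": "owner-17", "7ABC123": "owner-42"}

# NULL, NO PLATE and NO TAGS come from the thread; the rest are assumed extras.
RESERVED = {"NULL", "NOPLATE", "NOTAGS", "NONE", "MISSING", "UNKNOWN"}


@dataclass
class Citation:
    number: int
    plate: Optional[str]  # None means no plate could be read


# Constructed citations: two without a plate, two with one.
CITATIONS = [
    Citation(1001, None),
    Citation(1002, "7ABC123"),
    Citation(1003, None),
    Citation(1004, "NULL"),
]


def bill_inband(citations, registry, placeholder="NULL"):
    """Assumed legacy shape: a missing plate is stored as placeholder text."""
    bills = {}
    for c in citations:
        stored = c.plate if c.plate is not None else placeholder
        owner = registry.get(stored)
        if owner is not None:
            bills.setdefault(owner, []).append(c.number)
    return bills


def bill_typed(citations, registry):
    """Missing plates stay None and go to manual review, never to a lookup.

    Plates that are present but unregistered are sent to review as well.
    """
    bills, review = {}, []
    for c in citations:
        owner = registry.get(c.plate) if c.plate is not None else None
        if owner is None:
            review.append(c.number)
        else:
            bills.setdefault(owner, []).append(c.number)
    return bills, review


def canonical(plate):
    """Uppercase and drop spaces and symbols before comparing plate text."""
    return "".join(ch for ch in plate.upper() if ch.isalnum())


def plate_allowed(requested, reserved=RESERVED):
    """Registration-side check: refuse plates that collide with a placeholder."""
    return canonical(requested) not in reserved


if __name__ == "__main__":
    print(bill_inband(CITATIONS, REGISTRY))
    print(bill_typed(CITATIONS, REGISTRY))
    print([p for p in ("null", "No Plate", "SAILING") if plate_allowed(p)])
```
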

Knowing the California DMV, that contact probably took at least two hours.

Number of years ago I was frustrated because they never sent me my renewed card and it turned out they never updated my address even though I did the paperwork. Took it to twitter and tagged @CA_DMV and they responded pretty quickly and took care of it. Got my new card pretty much next day.

... and then the second half of the parent's sentence (which you conveniently ignored) applies: he's paying with his own time.

I dunno about you, but I value my time way too highly to voluntarily use it to spend time on the phone with the DMV every month or three.

Yeah, we're on Hackernews so I assume most people on here make at least 50+ an hour. The CA DMV will cost $200+ at least.

> Court isn't cheap.

> You're paying for it with a lawyer or with your own time

At some point surely you can countersue for harassment?

For the first time or two, maybe. But you'll be paying for it with hours, possibly tens of hours, of your own free time. And the US legal system is a fickle beast; what seems to you like a slam dunk might not actually be so certain.

After the second or third time, the judge will ask, "why didn't you just change your license plate to something else and avoid all this hassle?" And when you answer, "I've grown fond of the plate, and want the DMV to fix its systems", the judge will sigh, and rule against you for wasting his/her time instead of just changing your license plate.

What do you mean "after the second or third time"?

Are you suggesting that if this person were to sue for the repeated harassment and presumably prevail (with some kind of damages attached) that the behavior would persist?

I can imagine something more fun to do with my free time than sitting in court every few weeks...

He can challenge the fines but still has to pay court costs most likely.

Yeah, pick your battles.

Sure, it would be nice if the systems were patched. But maybe he should just get a job at the DMV's IT department instead :)

In the end I would probably rather pay the fines than fix this bug, it's probably a lot of horrible systems barely held together..

> But maybe he should just get a job at the DMV's IT department instead :)

