How a ‘NULL’ License Plate Landed One Hacker in Ticket Hell

Credit to Author: Brian Barrett| Date: Wed, 14 Aug 2019 00:51:05 +0000

Joseph Tartaro never meant to cause this much trouble. Especially for himself.

In late 2016, Tartaro decided to get a vanity license plate. A security researcher by trade, he ticked down possibilities that related to his work: SEGFAULT, maybe, or something to do with vulnerabilities. Sifting through his options, he started typing “null pointer,” but caught himself after the first word: NULL. Funny. “The idea was I’d get VOID for my wife’s car, so our driveway would be NULL and VOID,” Tartaro says.

The joke had layers, though. As Tartaro well knew, and as he explained in a recent talk at the Defcon hacker conference, “null” is also a text string that in many programming languages signifies a value that is empty or undefined. To many computers, null is the void.

That setup also has a brutal punch line—one that left Tartaro at one point facing $12,049 of traffic fines wrongly sent his way. He’s still not sure if he’ll be able to renew his auto registration this year without paying someone else's tickets. And thanks to the Kafkaesque loop he’s caught in, it’s not clear if the citations will ever stop coming.

In his Defcon talk, Tartaro played up the idea that he had initially hoped a NULL plate might get him out of tickets—that, once fed into the database of offenders, the violation quite literally would not compute. But he says now that pranks weren’t actually his initial focus. If anything, he was surprised that the California DMV website let him register NULL in the first place.

That first year as a NULL driver was uneventful. But when it came time to renew in 2017, the DMV website no longer accepted NULL as an option. “It broke the website,” Tartaro says. Specifically, the site told him that the license plate and vehicle identification number he had entered, knows as the VIN, were invalid. But Tartaro was still able to use a reference number to renew. He didn’t think much more of it.

He also didn’t think much of the ticket he got in early 2018, for not having the appropriate registration sticker on his license plate. Tartaro suspects someone scraped it off to use on their own car. He thought about fighting it, but the fine was only $35, so he decided to just pay it and move on with his life.

Then came the citations. Dozens of them, deposited in bulk to his mailbox. Parking violations, stand-stop violations, fines of $37, $60, $74, $80, from Fresno to Rancho Cucamonga. “I’ve never been to Fresno,” Tartaro says of the California city.

Nor had Tartaro gone on a statewide, parking-related crime spree. Instead, by paying that $35 ticket, it appears that a database somewhere now associated NULL with his personal information. Which means that any time a traffic cop forgot to fill in the license plate number on a citation, the fine automatically got sent to Joseph Tartaro.

The tickets were for Hondas, Toyotas, Mercedes vehicles. (Tartaro has an Infiniti.) At one point, Tartaro says, he received two tickets written at Cyprus College within hours of each other—for two different vehicles. He would have had to swap the registration during his lunch break. Worse yet, the incoming citations seemed to apply retroactively.

“I have tickets from 2014,” Tartaro adds. “I didn’t have the plate back then.”

The fines were all sent by a private company called the Citation Processing Center, which, well, processes parking citations. But calling them, Tartaro says, proved fruitless. “I reached out to this company, and they’re basically saying that I have to prove without a doubt that these hundreds of tickets aren’t mine. Trying to speak to a manager went nowhere. He’s like, you’ve got to mail all these back to us.”

Tartaro declined, worried about potentially losing the paper record of the misallocated fines. But the next day, he says, he noticed something odd in the public online listing of citations maintained at the Citation Processing Center’s website. He had given them an example of a specific ticket he had gotten that implicated a Honda. Online, that record had been changed to an Infiniti with Taranto’s VIN. Taranto shared a side by side comparison of his paper copy and the apparently altered database version as part of his Defcon talk.

“After I had the phone call, directly after the phone call, those same tickets where I still have the physical printouts in front of me right now that say their make and model were modified,” Tartaro says. A Citation Processing Center employee said that while she was aware of Tartaro’s situation, the company was unable to comment.

Tartaro next turned to the DMV, which he says worked with the Citation Processing Center to void out the bulk of tickets that had errantly come his way. That successfully got the amount owed down to $6,262 as of last weekend, but didn’t solve the core problem. More tickets continued to trickle in. The database still had him pegged.

Even through all this, Tartaro remained mostly unconcerned. The CPC was just a private company; he could keep working with the DMV to void the fines as they came in, which was an annoyance but not a catastrophe. He had successfully registered his car the previous year despite CPC citations piling up. But just days before Defcon, according to Tartaro, he says he received a notice that the California DMV would not let him renew his registration unless he actually paid some of those fines.

“Now that the DMV is enforcing these tickets that are falsified, it changes everything,” he says. “At the moment, I cannot reregister my vehicle without paying the tickets. But I can’t pay the tickets because it admits guilt, and the minute I admit that it opens me up to all the other tickets. I’m basically in a really bad situation.”

The situation has improved somewhat in recent days, at least. Tartaro calculates that tickets assigned to his car still tallied over $6,000 when he last checked on Sunday. When WIRED looked up the NULL plate in the CPC database Tuesday, after asking the company about the charges, it showed only $140 worth of tickets remaining—both from Fresno.

Tartaro doesn’t see this as much of a reprieve. He’s glad the tickets have vanished, but he would still need to pay $140 to reregister his car. And there’s no guarantee that more fines won’t show up along the way.

It’s also hard to know where to turn for resolution. “Mr. Tartaro’s situation appears to stem from policies set by local parking authorities—which the DMV has no control over,” California DMV spokesperson Marty Geenstein said. “From the DMV’s perspective, our system recognizes his personalized plate and shows he is eligible to renew his registration online.” Assuming he pays the fee.

Prank or not, Tartaro was playing with fire by going with NULL in the first place. “He had it coming,” says Christopher Null, a journalist who has written previously for WIRED about the challenges his last name presents. “All you ever get is errors and crashes and headaches.”

If anything, Null says, the problem has gotten worse over the years. “The ‘minimum viable product’ concept has pushed a lot of bad code through that doesn’t go through with the proper level of testing,” Null says, adding that anyone affected is inevitably an edge case, a relatively small problem not worth devoting a lot of resources to fix. Null has himself had to deal with countless annoyances, from American Express dropping his last name altogether, to Bank of America refusing to accept emails from his "nullmedia.com" domain.

Still, Tartaro says he’s determined to keep his problematic license plate, and not just as a point of pride. “I still have tickets associated with me. The moment I change my plate I just know it’s going to be even more convoluted, and more confusing,” he says. “I didn’t feel comfortable changing it until I knew it was actually solved.”

https://www.wired.com/category/security/feed/