SlideShare a Scribd company logo

DEF CON 27 - DROOGIE - go null yourself

Felipe Prado
Felipe Prado

DEF CON 27 - DROOGIE - go null yourself

Technology
1 of 38
Download to read offline
Go NULL yourself :or How I Learned to Start Worrying While Getting Fined for Other’s Auto Infractions
Introduction • whoami • I’m called droogie. • I’m a degenerate. • I hack things for IOActive.
Introduction • Why this talk? • Discussions of old “famous” hacker tales • Fake stories, lulz • Victims of computer bugs • Real situations from unexpected data • Are these scenarios realistic in today's tech environment? • Could someone exploit one of these scenarios for profit/lulz?
Observations
5 License Plate Cameras
License Plate Cameras • “SQL Injection” • Inject via query in license plate • Skepticism • Clearly a joke/wouldn’t work • Brings up some good points though
License Plate Cameras • Palantir • Big Data Analytics • Surveillance Network Internal Manual https://www.vice.com/en_us/article/9kx4z8/revealed-this-is-palantirs-top-secret- user-manual-for-cops Different CA privacy laws https://www.eff.org/pages/california-automated-license-plate-reader-policies
8 License Plate Cameras
FOIA • Freedom of Information Act • Provides the public the right to request access to records from any federal agency • There are a nine exemptions which could block you from obtaining data • They will not give you something they don’t already have • Ask for electronic delivery… • $0.10 per page, $1 per CD rom • https://www.foia.gov/
License Plate Cameras • Seattle PD ALPR Database • Contains all captured plate data for Seattle area • OCR/Images/Location Details • Interesting Data/Anomalies • Some sensitive info scrubbed, but not all ;)
11 License Plate Cameras
Mr. NULL • Null surname breaking computer systems • Trouble purchasing plane tickets • Skepticism? • Is this a one-off issue in a specific scenario or a global issue? • Would something like this cause a bug today? • How did this even cause an issue? • NULL != “NULL”, Business logic issues? http://www.bbc.com/future/story/20160325-the-names-that-break-computer-systems
My crime is that of curiosity
My prediction • I believe Mr. Null • Edge cases likely still exist • Data validation is a major issues • Are there systems where we can provide similar data? • Would it trigger a bug? • Interesting outcome? • Profitable outcome?
Vanity License Plates • US allows personalized license plates • Can’t be vulgar, sexual, negative, etc • Can’t misrepresent law enforcement • A-Z, 1-9, some symbols
Let’s register a plate! ‘NULL’ appears to be available • Registration went through fine, no bugs or anything • Surprised, don’t have high expectations regarding DMV site
Uh… profit? • Is it possible to be ‘invisible’ to citations? • What happens when a police officer does a search for my plate ‘NULL’ • would it not return any data? possibly error? • If they file a citation, would it cause an issue? Time will tell...
Unforeseen Consequences
Vehicle Registration Renewal • Time to renew registration • Let's use CA DMV site • Enter last five of VIN • Enter license plate
Got a citation... • Parking ticket • Info documented on the citation • Looked up citation number in the citation processing company • Paid my citation like a sucker… I guess my predictions were wrong…
You’ve got mail! • Grip of envelopes in mailbox… wtf? • Citations… • Wait, they’re addressed to me but they’re not for my car? My prediction was very wrong…
Citation Processing Center • A Private Company • .GOV contracts… they’re appear to be collection • Their site allows for citation look up via Plate / State… Query: Plate: NULL State: California
Citation Processing Center • Contact • Their request: • Mail in all of the citations I received • show copies of my current vehicle registration. • Show a complete history of all of my vehicle registrations • My response: • Uhm, fuck off.
Citation Processing Center Did they have malicious intent? After our discussion…
Any lawyers? • Do I have a legal footing? • They modified the data to make me look guilty • At this point I consider their entire database questionable… • Is this data synced with DMV? PD? • Do I have bench warrants for my arrest? • Will my license get suspended?
Potential for Misconduct • Employees have write access • Disgruntled ex? • Can they be socially engineered to point citations at others? • Convinced citation was “off-by-one” / typo?
Poor Solutions • LAPD • I don’t know • Change your plate • DMV • We don’t deal with citations, only suspensions if requested • Change your plate • CPC • Prove to us without a doubt that these hundreds of citations aren’t yours • Change your plate
Poor Solutions • Surprisingly enough they responded to my tweet… • Somehow reached out to CPC and got them to void out a bunch of citations • This lowered my total amount due, but didn’t actually solve anything
Future Possibilities
CPC - Equivalent Issues • Lack of data entry standards • Other potential entries? • MISSING • NONE • NO TAGS • NO PLATE https://www.latimes.com/archives/la-xpm-1986-06-23-vw-20054-story.html
Seattle PD ALPR Database OCR will read all sorts of things Sides of vehicles, buildings... Road signs…
Seattle PD ALPR Database Some interesting patterns showing up in the database…
Summary / Questions / Similar Story? • Still periodically receive tickets in the mail... • Still have NULL plate… • Total currently due at: $6,262.00… @droogie1xp droogie @ irc.2600.net, freenode, efnet

Recommended

Corp Web Risks and Concerns
Corp Web Risks and ConcernsCorp Web Risks and Concerns
Corp Web Risks and ConcernsPINT Inc
 
TrustCloud : Satisfaction in Sharing Transactions 06092015
TrustCloud : Satisfaction in Sharing Transactions 06092015TrustCloud : Satisfaction in Sharing Transactions 06092015
TrustCloud : Satisfaction in Sharing Transactions 06092015Miles Spencer
 
All That Glitters Is Not Gold: Usability Design for "When Things Go Wrong"
All That Glitters Is Not Gold: Usability Design for "When Things Go Wrong"All That Glitters Is Not Gold: Usability Design for "When Things Go Wrong"
All That Glitters Is Not Gold: Usability Design for "When Things Go Wrong"⌨️ Steven Proctor
 
Reverse Engineering the Wetware: Understanding Human Behavior to Improve Info...
Reverse Engineering the Wetware: Understanding Human Behavior to Improve Info...Reverse Engineering the Wetware: Understanding Human Behavior to Improve Info...
Reverse Engineering the Wetware: Understanding Human Behavior to Improve Info...Matt Hathaway
 
Reverse Engineering the Wetware: Understanding Human Behavior to Improve Info...
Reverse Engineering the Wetware: Understanding Human Behavior to Improve Info...Reverse Engineering the Wetware: Understanding Human Behavior to Improve Info...
Reverse Engineering the Wetware: Understanding Human Behavior to Improve Info...Alexandre Sieira
 
Peep Laja, CEO, ConversionXL - How to Turn Data into Insights & Customers
Peep Laja, CEO, ConversionXL - How to Turn Data into Insights & CustomersPeep Laja, CEO, ConversionXL - How to Turn Data into Insights & Customers
Peep Laja, CEO, ConversionXL - How to Turn Data into Insights & CustomersTraction Conf
 
Baking Analytics Into Your Digital Projects
Baking Analytics Into Your Digital ProjectsBaking Analytics Into Your Digital Projects
Baking Analytics Into Your Digital ProjectsCharles Meaden
 
Anti-Fraud and eDiscovery using Graph Databases and Graph Visualization - Cor...
Anti-Fraud and eDiscovery using Graph Databases and Graph Visualization - Cor...Anti-Fraud and eDiscovery using Graph Databases and Graph Visualization - Cor...
Anti-Fraud and eDiscovery using Graph Databases and Graph Visualization - Cor...Neo4j
 

Recommended

Corp Web Risks and Concerns
Corp Web Risks and ConcernsCorp Web Risks and Concerns
Corp Web Risks and ConcernsPINT Inc
 
TrustCloud : Satisfaction in Sharing Transactions 06092015
TrustCloud : Satisfaction in Sharing Transactions 06092015TrustCloud : Satisfaction in Sharing Transactions 06092015
TrustCloud : Satisfaction in Sharing Transactions 06092015Miles Spencer
 
All That Glitters Is Not Gold: Usability Design for "When Things Go Wrong"
All That Glitters Is Not Gold: Usability Design for "When Things Go Wrong"All That Glitters Is Not Gold: Usability Design for "When Things Go Wrong"
All That Glitters Is Not Gold: Usability Design for "When Things Go Wrong"⌨️ Steven Proctor
 
Reverse Engineering the Wetware: Understanding Human Behavior to Improve Info...
Reverse Engineering the Wetware: Understanding Human Behavior to Improve Info...Reverse Engineering the Wetware: Understanding Human Behavior to Improve Info...
Reverse Engineering the Wetware: Understanding Human Behavior to Improve Info...Matt Hathaway
 
Reverse Engineering the Wetware: Understanding Human Behavior to Improve Info...
Reverse Engineering the Wetware: Understanding Human Behavior to Improve Info...Reverse Engineering the Wetware: Understanding Human Behavior to Improve Info...
Reverse Engineering the Wetware: Understanding Human Behavior to Improve Info...Alexandre Sieira
 
Peep Laja, CEO, ConversionXL - How to Turn Data into Insights & Customers
Peep Laja, CEO, ConversionXL - How to Turn Data into Insights & CustomersPeep Laja, CEO, ConversionXL - How to Turn Data into Insights & Customers
Peep Laja, CEO, ConversionXL - How to Turn Data into Insights & CustomersTraction Conf
 
Baking Analytics Into Your Digital Projects
Baking Analytics Into Your Digital ProjectsBaking Analytics Into Your Digital Projects
Baking Analytics Into Your Digital ProjectsCharles Meaden
 
Anti-Fraud and eDiscovery using Graph Databases and Graph Visualization - Cor...
Anti-Fraud and eDiscovery using Graph Databases and Graph Visualization - Cor...Anti-Fraud and eDiscovery using Graph Databases and Graph Visualization - Cor...
Anti-Fraud and eDiscovery using Graph Databases and Graph Visualization - Cor...Neo4j
 
Digital Citizenship for Teens
Digital Citizenship for TeensDigital Citizenship for Teens
Digital Citizenship for TeensChris Elgee
 
20 Ways to Shaft your Split Tesring : Conversion Conference
20 Ways to Shaft your Split Tesring : Conversion Conference20 Ways to Shaft your Split Tesring : Conversion Conference
20 Ways to Shaft your Split Tesring : Conversion ConferenceCraig Sullivan
 
Conversion Hotel 2014: Craig Sullivan (UK) keynote
Conversion Hotel 2014: Craig Sullivan (UK) keynoteConversion Hotel 2014: Craig Sullivan (UK) keynote
Conversion Hotel 2014: Craig Sullivan (UK) keynoteWebanalisten .nl
 
TOJI - State Bar of Texas - 2020 Web Design Lecture
TOJI - State Bar of Texas - 2020 Web Design LectureTOJI - State Bar of Texas - 2020 Web Design Lecture
TOJI - State Bar of Texas - 2020 Web Design LectureJoshua Weaver
 
RelayRides UX Observations by Jeff McNeil, New Spin Digital
RelayRides UX Observations by Jeff McNeil, New Spin DigitalRelayRides UX Observations by Jeff McNeil, New Spin Digital
RelayRides UX Observations by Jeff McNeil, New Spin DigitalNew Spin Digital
 
Dox Yourself BSides Orlando
Dox Yourself BSides OrlandoDox Yourself BSides Orlando
Dox Yourself BSides OrlandoSamuel Greenfeld
 
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...EC-Council
 
THOTCON 0x6: Going Kinetic on Electronic Crime Networks
THOTCON 0x6: Going Kinetic on Electronic Crime NetworksTHOTCON 0x6: Going Kinetic on Electronic Crime Networks
THOTCON 0x6: Going Kinetic on Electronic Crime NetworksJohn Bambenek
 
Testing for cognitive bias in ai systems
Testing for cognitive bias in ai systemsTesting for cognitive bias in ai systems
Testing for cognitive bias in ai systemsPeter Varhol
 
SANOG 33: Why is securing the Internet's routing system so hard
SANOG 33: Why is securing the Internet's routing system so hardSANOG 33: Why is securing the Internet's routing system so hard
SANOG 33: Why is securing the Internet's routing system so hardAPNIC
 
Data & Society Taxi Privacy Talk
Data & Society Taxi Privacy TalkData & Society Taxi Privacy Talk
Data & Society Taxi Privacy Talkcwhong
 
CyberSecurity - Computers In Libraries 2024
CyberSecurity - Computers In Libraries 2024CyberSecurity - Computers In Libraries 2024
CyberSecurity - Computers In Libraries 2024Brian Pichman
 
Open source technology
Open source technologyOpen source technology
Open source technologyMitesh Katira
 
Next generation pentest your company cannot buy
Next generation pentest your company cannot buyNext generation pentest your company cannot buy
Next generation pentest your company cannot buyVlad Styran
 
Владимир Стыран - Пентест следующего поколения, который ваша компания не може...
Владимир Стыран - Пентест следующего поколения, который ваша компания не може...Владимир Стыран - Пентест следующего поколения, который ваша компания не може...
Владимир Стыран - Пентест следующего поколения, который ваша компания не може...UISGCON
 
Cybersecurity - Defense Against The Dark Arts Harry Potter Style
Cybersecurity - Defense Against The Dark Arts Harry Potter StyleCybersecurity - Defense Against The Dark Arts Harry Potter Style
Cybersecurity - Defense Against The Dark Arts Harry Potter StyleBrian Pichman
 
E-voting
E-votingE-voting
E-votingBozhidar Bozhanov
 
Meaghan technology report
Meaghan technology reportMeaghan technology report
Meaghan technology reportMarq2014
 
50 Shades of RED: Stories from the “Playroom” from CONFidence 2014
50 Shades of RED: Stories from the “Playroom” from CONFidence 201450 Shades of RED: Stories from the “Playroom” from CONFidence 2014
50 Shades of RED: Stories from the “Playroom” from CONFidence 2014Chris Nickerson
 
Turning Data into Customers - Conversion Hotel - Peep Laja
Turning Data into Customers - Conversion Hotel - Peep LajaTurning Data into Customers - Conversion Hotel - Peep Laja
Turning Data into Customers - Conversion Hotel - Peep LajaCXL
 
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directoryDEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directoryFelipe Prado
 
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...Felipe Prado
 

More Related Content

Similar to DEF CON 27 - DROOGIE - go null yourself

Digital Citizenship for Teens
Digital Citizenship for TeensDigital Citizenship for Teens
Digital Citizenship for TeensChris Elgee
 
20 Ways to Shaft your Split Tesring : Conversion Conference
20 Ways to Shaft your Split Tesring : Conversion Conference20 Ways to Shaft your Split Tesring : Conversion Conference
20 Ways to Shaft your Split Tesring : Conversion ConferenceCraig Sullivan
 
Conversion Hotel 2014: Craig Sullivan (UK) keynote
Conversion Hotel 2014: Craig Sullivan (UK) keynoteConversion Hotel 2014: Craig Sullivan (UK) keynote
Conversion Hotel 2014: Craig Sullivan (UK) keynoteWebanalisten .nl
 
TOJI - State Bar of Texas - 2020 Web Design Lecture
TOJI - State Bar of Texas - 2020 Web Design LectureTOJI - State Bar of Texas - 2020 Web Design Lecture
TOJI - State Bar of Texas - 2020 Web Design LectureJoshua Weaver
 
RelayRides UX Observations by Jeff McNeil, New Spin Digital
RelayRides UX Observations by Jeff McNeil, New Spin DigitalRelayRides UX Observations by Jeff McNeil, New Spin Digital
RelayRides UX Observations by Jeff McNeil, New Spin DigitalNew Spin Digital
 
Dox Yourself BSides Orlando
Dox Yourself BSides OrlandoDox Yourself BSides Orlando
Dox Yourself BSides OrlandoSamuel Greenfeld
 
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...EC-Council
 
THOTCON 0x6: Going Kinetic on Electronic Crime Networks
THOTCON 0x6: Going Kinetic on Electronic Crime NetworksTHOTCON 0x6: Going Kinetic on Electronic Crime Networks
THOTCON 0x6: Going Kinetic on Electronic Crime NetworksJohn Bambenek
 
Testing for cognitive bias in ai systems
Testing for cognitive bias in ai systemsTesting for cognitive bias in ai systems
Testing for cognitive bias in ai systemsPeter Varhol
 
SANOG 33: Why is securing the Internet's routing system so hard
SANOG 33: Why is securing the Internet's routing system so hardSANOG 33: Why is securing the Internet's routing system so hard
SANOG 33: Why is securing the Internet's routing system so hardAPNIC
 
Data & Society Taxi Privacy Talk
Data & Society Taxi Privacy TalkData & Society Taxi Privacy Talk
Data & Society Taxi Privacy Talkcwhong
 
CyberSecurity - Computers In Libraries 2024
CyberSecurity - Computers In Libraries 2024CyberSecurity - Computers In Libraries 2024
CyberSecurity - Computers In Libraries 2024Brian Pichman
 
Open source technology
Open source technologyOpen source technology
Open source technologyMitesh Katira
 
Next generation pentest your company cannot buy
Next generation pentest your company cannot buyNext generation pentest your company cannot buy
Next generation pentest your company cannot buyVlad Styran
 
Владимир Стыран - Пентест следующего поколения, который ваша компания не може...
Владимир Стыран - Пентест следующего поколения, который ваша компания не може...Владимир Стыран - Пентест следующего поколения, который ваша компания не може...
Владимир Стыран - Пентест следующего поколения, который ваша компания не може...UISGCON
 
Cybersecurity - Defense Against The Dark Arts Harry Potter Style
Cybersecurity - Defense Against The Dark Arts Harry Potter StyleCybersecurity - Defense Against The Dark Arts Harry Potter Style
Cybersecurity - Defense Against The Dark Arts Harry Potter StyleBrian Pichman
 
Meaghan technology report
Meaghan technology reportMeaghan technology report
Meaghan technology reportMarq2014
 
50 Shades of RED: Stories from the “Playroom” from CONFidence 2014
50 Shades of RED: Stories from the “Playroom” from CONFidence 201450 Shades of RED: Stories from the “Playroom” from CONFidence 2014
50 Shades of RED: Stories from the “Playroom” from CONFidence 2014Chris Nickerson
 
Turning Data into Customers - Conversion Hotel - Peep Laja
Turning Data into Customers - Conversion Hotel - Peep LajaTurning Data into Customers - Conversion Hotel - Peep Laja
Turning Data into Customers - Conversion Hotel - Peep LajaCXL
 

Similar to DEF CON 27 - DROOGIE - go null yourself (20)

Digital Citizenship for Teens
Digital Citizenship for TeensDigital Citizenship for Teens
Digital Citizenship for Teens
 
20 Ways to Shaft your Split Tesring : Conversion Conference
20 Ways to Shaft your Split Tesring : Conversion Conference20 Ways to Shaft your Split Tesring : Conversion Conference
20 Ways to Shaft your Split Tesring : Conversion Conference
 
Conversion Hotel 2014: Craig Sullivan (UK) keynote
Conversion Hotel 2014: Craig Sullivan (UK) keynoteConversion Hotel 2014: Craig Sullivan (UK) keynote
Conversion Hotel 2014: Craig Sullivan (UK) keynote
 
TOJI - State Bar of Texas - 2020 Web Design Lecture
TOJI - State Bar of Texas - 2020 Web Design LectureTOJI - State Bar of Texas - 2020 Web Design Lecture
TOJI - State Bar of Texas - 2020 Web Design Lecture
 
RelayRides UX Observations by Jeff McNeil, New Spin Digital
RelayRides UX Observations by Jeff McNeil, New Spin DigitalRelayRides UX Observations by Jeff McNeil, New Spin Digital
RelayRides UX Observations by Jeff McNeil, New Spin Digital
 
Dox Yourself BSides Orlando
Dox Yourself BSides OrlandoDox Yourself BSides Orlando
Dox Yourself BSides Orlando
 
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...
 
THOTCON 0x6: Going Kinetic on Electronic Crime Networks
THOTCON 0x6: Going Kinetic on Electronic Crime NetworksTHOTCON 0x6: Going Kinetic on Electronic Crime Networks
THOTCON 0x6: Going Kinetic on Electronic Crime Networks
 
Testing for cognitive bias in ai systems
Testing for cognitive bias in ai systemsTesting for cognitive bias in ai systems
Testing for cognitive bias in ai systems
 
SANOG 33: Why is securing the Internet's routing system so hard
SANOG 33: Why is securing the Internet's routing system so hardSANOG 33: Why is securing the Internet's routing system so hard
SANOG 33: Why is securing the Internet's routing system so hard
 
Data & Society Taxi Privacy Talk
Data & Society Taxi Privacy TalkData & Society Taxi Privacy Talk
Data & Society Taxi Privacy Talk
 
CyberSecurity - Computers In Libraries 2024
CyberSecurity - Computers In Libraries 2024CyberSecurity - Computers In Libraries 2024
CyberSecurity - Computers In Libraries 2024
 
Open source technology
Open source technologyOpen source technology
Open source technology
 
Next generation pentest your company cannot buy
Next generation pentest your company cannot buyNext generation pentest your company cannot buy
Next generation pentest your company cannot buy
 
Владимир Стыран - Пентест следующего поколения, который ваша компания не може...
Владимир Стыран - Пентест следующего поколения, который ваша компания не може...Владимир Стыран - Пентест следующего поколения, который ваша компания не може...
Владимир Стыран - Пентест следующего поколения, который ваша компания не може...
 
Cybersecurity - Defense Against The Dark Arts Harry Potter Style
Cybersecurity - Defense Against The Dark Arts Harry Potter StyleCybersecurity - Defense Against The Dark Arts Harry Potter Style
Cybersecurity - Defense Against The Dark Arts Harry Potter Style
 
E-voting
E-votingE-voting
E-voting
 
Meaghan technology report
Meaghan technology reportMeaghan technology report
Meaghan technology report
 
50 Shades of RED: Stories from the “Playroom” from CONFidence 2014
50 Shades of RED: Stories from the “Playroom” from CONFidence 201450 Shades of RED: Stories from the “Playroom” from CONFidence 2014
50 Shades of RED: Stories from the “Playroom” from CONFidence 2014
 
Turning Data into Customers - Conversion Hotel - Peep Laja
Turning Data into Customers - Conversion Hotel - Peep LajaTurning Data into Customers - Conversion Hotel - Peep Laja
Turning Data into Customers - Conversion Hotel - Peep Laja
 

More from Felipe Prado

DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directoryDEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directoryFelipe Prado
 
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...Felipe Prado
 
DEF CON 24 - Tamas Szakaly - help i got ants
DEF CON 24 - Tamas Szakaly - help i got antsDEF CON 24 - Tamas Szakaly - help i got ants
DEF CON 24 - Tamas Szakaly - help i got antsFelipe Prado
 
DEF CON 24 - Ladar Levison - compelled decryption
DEF CON 24 - Ladar Levison - compelled decryptionDEF CON 24 - Ladar Levison - compelled decryption
DEF CON 24 - Ladar Levison - compelled decryptionFelipe Prado
 
DEF CON 24 - Clarence Chio - machine duping 101
DEF CON 24 - Clarence Chio - machine duping 101DEF CON 24 - Clarence Chio - machine duping 101
DEF CON 24 - Clarence Chio - machine duping 101Felipe Prado
 
DEF CON 24 - Chris Rock - how to overthrow a government
DEF CON 24 - Chris Rock - how to overthrow a governmentDEF CON 24 - Chris Rock - how to overthrow a government
DEF CON 24 - Chris Rock - how to overthrow a governmentFelipe Prado
 
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardwareDEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardwareFelipe Prado
 
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...Felipe Prado
 
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustrationDEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustrationFelipe Prado
 
DEF CON 24 - Gorenc Sands - hacker machine interface
DEF CON 24 - Gorenc Sands - hacker machine interfaceDEF CON 24 - Gorenc Sands - hacker machine interface
DEF CON 24 - Gorenc Sands - hacker machine interfaceFelipe Prado
 
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionistDEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionistFelipe Prado
 
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locksDEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locksFelipe Prado
 
DEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud securityDEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud securityFelipe Prado
 
DEF CON 24 - Grant Bugher - Bypassing captive portals
DEF CON 24 - Grant Bugher - Bypassing captive portalsDEF CON 24 - Grant Bugher - Bypassing captive portals
DEF CON 24 - Grant Bugher - Bypassing captive portalsFelipe Prado
 
DEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitchDEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitchFelipe Prado
 
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...Felipe Prado
 
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucksDEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucksFelipe Prado
 
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationDEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationFelipe Prado
 
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vncDEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vncFelipe Prado
 
DEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devicesDEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devicesFelipe Prado
 

More from Felipe Prado (20)

DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directoryDEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
 
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
 
DEF CON 24 - Tamas Szakaly - help i got ants
DEF CON 24 - Tamas Szakaly - help i got antsDEF CON 24 - Tamas Szakaly - help i got ants
DEF CON 24 - Tamas Szakaly - help i got ants
 
DEF CON 24 - Ladar Levison - compelled decryption
DEF CON 24 - Ladar Levison - compelled decryptionDEF CON 24 - Ladar Levison - compelled decryption
DEF CON 24 - Ladar Levison - compelled decryption
 
DEF CON 24 - Clarence Chio - machine duping 101
DEF CON 24 - Clarence Chio - machine duping 101DEF CON 24 - Clarence Chio - machine duping 101
DEF CON 24 - Clarence Chio - machine duping 101
 
DEF CON 24 - Chris Rock - how to overthrow a government
DEF CON 24 - Chris Rock - how to overthrow a governmentDEF CON 24 - Chris Rock - how to overthrow a government
DEF CON 24 - Chris Rock - how to overthrow a government
 
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardwareDEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
 
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
 
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustrationDEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
 
DEF CON 24 - Gorenc Sands - hacker machine interface
DEF CON 24 - Gorenc Sands - hacker machine interfaceDEF CON 24 - Gorenc Sands - hacker machine interface
DEF CON 24 - Gorenc Sands - hacker machine interface
 
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionistDEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
 
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locksDEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
 
DEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud securityDEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud security
 
DEF CON 24 - Grant Bugher - Bypassing captive portals
DEF CON 24 - Grant Bugher - Bypassing captive portalsDEF CON 24 - Grant Bugher - Bypassing captive portals
DEF CON 24 - Grant Bugher - Bypassing captive portals
 
DEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitchDEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitch
 
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
 
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucksDEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
 
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationDEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
 
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vncDEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
 
DEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devicesDEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devices
 

Recently uploaded

Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsPrecisely
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Neo4j
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 

Recently uploaded (20)

Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power Systems
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 

DEF CON 27 - DROOGIE - go null yourself

  • 1. Go NULL yourself :or How I Learned to Start Worrying While Getting Fined for Other’s Auto Infractions
  • 2. Introduction • whoami • I’m called droogie. • I’m a degenerate. • I hack things for IOActive.
  • 3. Introduction • Why this talk? • Discussions of old “famous” hacker tales • Fake stories, lulz • Victims of computer bugs • Real situations from unexpected data • Are these scenarios realistic in today's tech environment? • Could someone exploit one of these scenarios for profit/lulz?
  • 6. License Plate Cameras • “SQL Injection” • Inject via query in license plate • Skepticism • Clearly a joke/wouldn’t work • Brings up some good points though
  • 7. License Plate Cameras • Palantir • Big Data Analytics • Surveillance Network Internal Manual https://www.vice.com/en_us/article/9kx4z8/revealed-this-is-palantirs-top-secret- user-manual-for-cops Different CA privacy laws https://www.eff.org/pages/california-automated-license-plate-reader-policies
  • 9. FOIA • Freedom of Information Act • Provides the public the right to request access to records from any federal agency • There are a nine exemptions which could block you from obtaining data • They will not give you something they don’t already have • Ask for electronic delivery… • $0.10 per page, $1 per CD rom • https://www.foia.gov/
  • 10. License Plate Cameras • Seattle PD ALPR Database • Contains all captured plate data for Seattle area • OCR/Images/Location Details • Interesting Data/Anomalies • Some sensitive info scrubbed, but not all ;)
  • 12. Mr. NULL • Null surname breaking computer systems • Trouble purchasing plane tickets • Skepticism? • Is this a one-off issue in a specific scenario or a global issue? • Would something like this cause a bug today? • How did this even cause an issue? • NULL != “NULL”, Business logic issues? http://www.bbc.com/future/story/20160325-the-names-that-break-computer-systems
  • 13. My crime is that of curiosity
  • 14. My prediction • I believe Mr. Null • Edge cases likely still exist • Data validation is a major issues • Are there systems where we can provide similar data? • Would it trigger a bug? • Interesting outcome? • Profitable outcome?
  • 15. Vanity License Plates • US allows personalized license plates • Can’t be vulgar, sexual, negative, etc • Can’t misrepresent law enforcement • A-Z, 1-9, some symbols
  • 16. Let’s register a plate! ‘NULL’ appears to be available • Registration went through fine, no bugs or anything • Surprised, don’t have high expectations regarding DMV site
  • 17.
  • 18. Uh… profit? • Is it possible to be ‘invisible’ to citations? • What happens when a police officer does a search for my plate ‘NULL’ • would it not return any data? possibly error? • If they file a citation, would it cause an issue? Time will tell...
  • 20. Vehicle Registration Renewal • Time to renew registration • Let's use CA DMV site • Enter last five of VIN • Enter license plate
  • 21.
  • 22. Got a citation... • Parking ticket • Info documented on the citation • Looked up citation number in the citation processing company • Paid my citation like a sucker… I guess my predictions were wrong…
  • 23. You’ve got mail! • Grip of envelopes in mailbox… wtf? • Citations… • Wait, they’re addressed to me but they’re not for my car? My prediction was very wrong…
  • 24. Citation Processing Center • A Private Company • .GOV contracts… they’re appear to be collection • Their site allows for citation look up via Plate / State… Query: Plate: NULL State: California
  • 25.
  • 26. Citation Processing Center • Contact • Their request: • Mail in all of the citations I received • show copies of my current vehicle registration. • Show a complete history of all of my vehicle registrations • My response: • Uhm, fuck off.
  • 27. Citation Processing Center Did they have malicious intent? After our discussion…
  • 28.
  • 29. Any lawyers? • Do I have a legal footing? • They modified the data to make me look guilty • At this point I consider their entire database questionable… • Is this data synced with DMV? PD? • Do I have bench warrants for my arrest? • Will my license get suspended?
  • 30. Potential for Misconduct • Employees have write access • Disgruntled ex? • Can they be socially engineered to point citations at others? • Convinced citation was “off-by-one” / typo?
  • 31. Poor Solutions • LAPD • I don’t know • Change your plate • DMV • We don’t deal with citations, only suspensions if requested • Change your plate • CPC • Prove to us without a doubt that these hundreds of citations aren’t yours • Change your plate
  • 32.
  • 33. Poor Solutions • Surprisingly enough they responded to my tweet… • Somehow reached out to CPC and got them to void out a bunch of citations • This lowered my total amount due, but didn’t actually solve anything
  • 35. CPC - Equivalent Issues • Lack of data entry standards • Other potential entries? • MISSING • NONE • NO TAGS • NO PLATE https://www.latimes.com/archives/la-xpm-1986-06-23-vw-20054-story.html
  • 36. Seattle PD ALPR Database OCR will read all sorts of things Sides of vehicles, buildings... Road signs…
  • 37. Seattle PD ALPR Database Some interesting patterns showing up in the database…
  • 38. Summary / Questions / Similar Story? • Still periodically receive tickets in the mail... • Still have NULL plate… • Total currently due at: $6,262.00… @droogie1xp droogie @ irc.2600.net, freenode, efnet