Archive 5 min read

NULL & Input Validation

NULL is one of many special characters that has a long history in computing. What are the consequences of using NULL as a value provided via user input. The easy answer should be "nothing" but reality is a lot messier. Joseph Tataro set out to get a nerdy license plate and found out jus

NULL & Input Validation

Watch this episode on YouTube.

Reasonably Accurate 馃馃 Transcript

Morning everybody. How you doing today? In this episode of the show, we're gonna talk about the shaky underpinnings of a lot of the code out there using a really interesting and funny example. So I stumbled across this Great Wired article, um, that related back to a talk that was given uh last week in Las Vegas by Joseph Totaro explaining the challenges he's had with his vanity license plate in California immediately.

I was intrigued because I'm thinking, how does somebody get a talk in at a major security conference around a license plate? Well, it turns out he had a vanity plate and that vanity plate simply said no genius. Now, he wasn't looking for trouble when he set out on this as you can read from the Wired article.

And I fully recommend that you read it through. Um, but he wasn't looking for trouble. He was simply looking for a great vanity plate. Uh He joked that he was gonna try to get void uh for his partner's car so he could be null and void. Um, you know, and as a nerd, I can totally appreciate, um, the sort of concise genius of having a vanity plate that says no.

But the interesting thing is the story he tells in this talk essentially what ends up happening is that he started to get all of the errors out of the parking ticket database system. So if there is a uh, ticket that's written, that doesn't have a proper license plate assignment, it ends up getting associated to his record.

And at first, this didn't really cause any issues. It's sort of grown over time and that's a really interesting thing because a lot of people don't realize how shaky, a lot of this code is. There's a huge push to get things out the door really, really quickly, um, to make sure that, you know, you're kind of building a minimally viable product and MVP and that you're testing and iterating and all that's really, really great, except for a lot of the time, uh, you build up a significant amount of technical debt.

Now, we've talked about technical debt and how that's really just a whole bunch of security issues waiting to happen. Um, but this, this sort of theme keeps coming back and I really wanted to bring it up because I thought this story was absolutely hilarious that, you know, and unfortunately for, uh, Mr Tata is, you have to deal with this is that he has all these fines that are associated to him and they're like, hey, pay us and he's like, ah, they're not mine.

Um, and he had to work through this stuff. But I think the best part about this story was at the end when a journalist uh Christopher comes through and says, you know, what you deserve it like you were asking for it because Christopher's last name is actually null and he's had to deal with this his whole life.

And he's got these great anecdotes in that. Um you know, some people won't accept uh email from his domain, Uh, American Express is drop him off its books apparently altogether because of the law last name. And this again highlights the weakness in a lot of software. And I think that's the real challenge is that, uh we've accepted as a, as a digital citizenry, we have accepted a certain amount of stuff.

Just crashes, right? Like you're using your ipad and something crashes. You're like, oh, just restart the app and it's good. You're playing a video game and it crashes. You're like, yeah, ok. It happens, you get frustrated, you move on, you don't think of it and you reboot your windows, you know, several times a week, it's not a big deal.

And this is just something that we accept. But the problem is is that each of those is generated from an error somewhere as much as we know that computers are logical and they will execute the same thing over and over and over again. They are infinitely complex or not actually infinitely complex, but ridiculously complex is probably a better way to phrase it and they're programmed by humans and we make mistakes all the time.

An anecdote I did that I use quite often when trying to explain some of the challenges around cybersecurity specifically. Um is a while back. I actually did some digging and tried to figure out how many lines of code could execute um in a normal system trying to ask for a web page and it turns out it's somewhere around 100 million.

Now, how did I get to 100 million? Well, you've got the basic input output system, your bio on your computer that boots up. There is um code in the microprocessor, there's code in the video card, there is code in the uh hard drive, there's code in all of the hardware that then boots up into the software stack, which is ridiculously larger than boots up into the brow into the OS, which is ridiculously larger than boots up into the uh browsers and application layer and all this stuff.

There's just a amount of code around 100 million lines. Now, errors on any number of those and there are a ton of those errors could lead to security issues. Now, this wire story, I just got a good chuckle out of because in the end, it's relatively harmless. But we do know that from uh security vulnerabilities from common mis configurations that there are real world and real significant consequences to these types of mistakes.

Now, in the case of null, that's basic one on one stuff and yet it's still happening time and time again, right? When I see a complicated technical breach, I'm almost, I'm like, wh thanks like I appreciate the fact that this is technically complicated and it would have gotten anybody when we see the basics and the basics happen time and time and time again.

That to me says that something is very, very rotten in the state of technology creation and software development. And then we need to do better. This ties back to my comment. Uh earlier on the last episode, there around abs a being dead, security and privacy needs to be built by design.

The way we do that is by educating, helping people understand how to build better from day one as well as after the fact. But right now, all of our efforts are after the fact, we're trying to catch this stuff after the horse has left the barn, we need to work better.

We, we need to build it and we need to get people to understand that sometimes going slightly slower but generating higher quality technology is better. Um And I think as citizens as consumers, we need to be able to accept that. But as developers, as technologists, we absolutely need to hold to that because we can't keep making these mistakes because while the null case is harmless, what about the ones that aren't let me know what you think.

Hit me up online at Mark NC A uh in the comments down below as always by email me at Mark N dot C A. Uh We'll talk about this and everything else under the sun and on the digital inter webs, see you on the next episode of the show.

Read next