this post was submitted on 26 Jul 2025
893 points (99.0% liked)

Programmer Humor

[–] ConstantPain@lemmy.world 19 points 3 months ago (30 children)

Disabling index and making the names UUID would make the directory inviolable even if the address was publicly available.

[–] wizardbeard@lemmy.dbzer0.com 12 points 3 months ago (2 children)

Sounds like a good case for brute forcing the filenames. Just do the proper thing and don't leave your cloud storage publicly accessible.

[–] FooBarrington@lemmy.world 20 points 3 months ago (1 children)

While proper security is better, you're not gonna brute force UUIDs.

[–] 01189998819991197253@infosec.pub -4 points 3 months ago (2 children)

As long as you're not rate limited, you absolutely could.

[–] FooBarrington@lemmy.world 13 points 3 months ago (1 children)

A UUID v4 has 122 bits of randomness. Do you know how long that would take to brute-force, especially with network limitations?

[–] 01189998819991197253@infosec.pub -5 points 3 months ago (2 children)

It taking a long time doesn't make it an impossibility. The fact that it has a limit of 122 bits, in and of itself, makes the possibility of a bruteforce a mathematical guarantee.

[–] bamboo@lemmy.blahaj.zone 19 points 3 months ago (1 children)

By this logic, all crypto is bruteforcable, on a long enough timeline.

A 122 bit random number is 5316911983139663491615228241121378303 possible values. Even if it were possible to check 1 trillion records per second, it would take 168598173000000000 years to check all the UUIDs and get the info on all the users. Even if every human on earth signed up for the app (~8 billion people), and you wanted to just find any one valid UUID, the odds of generating a UUID and that being valid in their DB is basically 0. You can do the math yourself following the Birthday Paradox to determine how many times you would need to guess UUIDs before the probability that any one UUID is valid against a population of the whole world is greater than 50%.

[–] 01189998819991197253@infosec.pub -4 points 3 months ago (1 children)

You should read into the NSA's Translator. Granted, it's relatively outdated with shifting text algorithms, but for a very long time (about half a century), it was able to bruteforce any key, regardless of length, in under an hour.

[–] bamboo@lemmy.blahaj.zone 10 points 3 months ago (1 children)

I'm not familiar with NSA’s Translator, so any info would be appreciated.

I saw your other comment about DES, and it should be noted that DES was with a key length of 56 bits, and that was enforced precisely because the NSA could brute force it. It wasn't even a secret they could brute force 56 bit encryption, and written into law. Back then, if you wanted to use more than 56 bit encryption in the United States, you had to provide a key escrow system to allow the government to decrypt the content if they needed to. Around the 2000s with the rise of e-commerce, they dropped the export restriction because it was doing more harm than good. No one wanted to use so few bits in the encryption keys, but it was illegal at the time to write software which did.

A UUID's 122 bits of randomness are exponentially more than the 56 bits DES offered. My original point being, all crypto is inherently brute forceable on an infinite timescale, but key length and implementation decisions are chosen so that it would be computationally infeasible to brute force.

[–] 01189998819991197253@infosec.pub -2 points 3 months ago (1 children)

The Translator was the nickname given to, what essentially was, the NSA supercomputer that could solve any (non-shift text) encryption by bruteforcing the key in under an hour (most of the time, in about 15 minutes). I mentioned DES, because it was an encryption so old that nearly everyone has heard about it, and one that I know was used on The Translator. And you're right, DES was capped at 56 bit keys, because they could crack it without The Translator, if needed.

But the scope isn’t if the UUIDs are crackable (which, of course, they’re not, since they’re not encrypting anything). The scope is if using UUIDs as filenames in this publicly accessible db is a good way to hide the files. And the answer is: no it is not a good way, because a computer powerful enough can guess all possibilities in a matter of minutes, and query them all against the db to discover all files stored within.

[–] bamboo@lemmy.blahaj.zone 5 points 3 months ago

> a computer powerful enough can guess all possibilities in a matter of minutes, and query them all against the db to discover all files stored within.

Again, it would be computationally infeasible on any reasonable timescale of human existence. It's no secret what every possible UUID would be, it's the fact there are 5316911983139663491615228241121378303 of them and trying each one would be futile. They're actually all on https://everyuuid.com/ to see for yourself.

Just for shits, I encrypted a file with a password being a UUIDv4. Here's the encrypted file as base64:

YLIR6fL46HfRmueb1tZWiQUFQHYnZOKO9oujOzhvWYpfTtB5RnHtAvMgUgeIsffLC1wz7D17Vp0VT5YIJMb5pA==

Here's everything you would need to do to decrypt this file with a password:

```
$ echo "YLIR6fL46HfRmueb1tZWiQUFQHYnZOKO9oujOzhvWYpfTtB5RnHtAvMgUgeIsffLC1wz7D17Vp0VT5YIJMb5pA==" | base64 -d > file.enc

$ openssl enc -aes-128-cbc -d -nosalt -in file.enc
enter AES-128-CBC decryption password:
u/01189998819991197253@infosec.pub can't brute force this
```

The password to decrypt the file is a UUIDv4. See if you can try every UUID and figure out which one I used as the password.

[–] ConstantPain@lemmy.world 9 points 3 months ago (1 children)

For all practical purposes, it's impossible.

[–] 01189998819991197253@infosec.pub -5 points 3 months ago (3 children)

It's not, though. And thinking that it is impossible is why DES, for example, was "translatable" by the NSA for decades. Never assume something is impossible just because it's difficult.

[–] ConstantPain@lemmy.world 8 points 3 months ago

It is. It is practically impossible to guess the file names. You telling otherwise means you don't have sufficient knowledge on the matter.

[–] grendel84@tiny.tilde.website 7 points 3 months ago

@01189998819991197253 @ConstantPain

Security isn't binary, it's a spectrum. You apply the level of security that is appropriate for each situation.

Of course it's *possible* to brute force it, but by the same logic you could brute force jwt tokens, or api keys, or even ssl certs.

It's literally *impossible* to apply "max security" to everything, so you have to prioritize.

What happened was unconscionable, but insisting uuid are mathematically breakable isn't helpful, and can make it worse.

[–] The_Decryptor@aussie.zone 6 points 3 months ago (1 children)

UUIDs are essentially random numbers, crypto schemes are not, they're not comparable.

[–] 01189998819991197253@infosec.pub -4 points 3 months ago (2 children)

The scope isn't if they're crackable (which, of course, they're not, since they're not encrypting anything). The scope is if using UUIDs as filenames in this publicly accessible db is a good way to hide the files. And the answer is: no it is not, because a computer powerful enough can guess all possibilities in a matter of minutes, and query them all against the db to discover all files stored within.

[–] ConstantPain@lemmy.world 13 points 3 months ago (1 children)

The powerful enough computer doesn't exist, and will not exist for some time. And even if it exists, it can't query the web server fast enough to have meaningful effectiveness.

So, for all intents and purposes, it's impossible. Period.

[–] bamboo@lemmy.blahaj.zone 7 points 3 months ago

Thank you for bringing sanity to this thread. At this point, I have to assume that this person is trolling? That or they've been vibecoding too long?

[–] FooBarrington@lemmy.world 4 points 3 months ago (1 children)

Aside from the fact that a strong enough supercomputer won't exist for decades, you're not limited by the speed of UUID generation. Even if you had an infinitely fast supercomputer, it wouldn't speed up your brute force attempts, since you're limited by the speed of the backend. Wherever Tea stores their images, that server has only a limited capacity for responding to requests, far less than the speed with which you can generate UUIDs. That's a hard cap - you won't try guesses faster than that.

[–] bamboo@lemmy.blahaj.zone 2 points 3 months ago

Even assuming 0 latency on their backend, if you wanted to check each UUIDv4 value against their database during your lifetime, you would need to check 1.686 x 10^27 UUIDv4 per second for 100 years straight. Supercomputers are measured in exaflops, which is 10^18 operations per second, so even distributing the work across many machines, you would need about 1 billion supercomputers to be able to have a chance of checking every UUIDv4 value within 100 years.
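
The keyspace arithmetic quoted in the comments above (exhaustive enumeration time, the rate needed to finish in 100 years, and the number of guesses for a 50% chance of hitting any one of ~8 billion valid names) can be reproduced as follows. This is an added example, not part of the thread; the 10,000 requests per second backend cap and the sample names are constructed assumptions, and `is_random_v4` is a hypothetical helper that checks a name really is a version 4 UUID, the version the 122-bit figure applies to.

```python
import math
import uuid

V4_RANDOM_BITS = 122                 # figure quoted in the thread
SECONDS_PER_YEAR = 365 * 24 * 3600   # 365-day year


def keyspace(bits=V4_RANDOM_BITS):
    """Number of distinct values for the given number of random bits."""
    return 2 ** bits


def years_to_enumerate(guesses_per_second, bits=V4_RANDOM_BITS):
    """Years needed to try every value once at a fixed guess rate."""
    return keyspace(bits) / guesses_per_second / SECONDS_PER_YEAR


def rate_to_enumerate_within(years, bits=V4_RANDOM_BITS):
    """Guesses per second needed to cover the whole keyspace in `years`."""
    return keyspace(bits) / (years * SECONDS_PER_YEAR)


def guesses_for_hit(valid_ids, probability=0.5, bits=V4_RANDOM_BITS):
    """Random guesses needed before P(at least one hits a valid id) >= probability."""
    # log1p keeps precision: valid_ids / keyspace is around 1e-27 here.
    log_miss = math.log1p(-valid_ids / keyspace(bits))
    return math.ceil(math.log(1.0 - probability) / log_miss)


def is_random_v4(name):
    """True only for RFC 4122 version 4 UUIDs; other versions are not 122 random bits."""
    try:
        parsed = uuid.UUID(name)
    except ValueError:
        return False
    return parsed.variant == uuid.RFC_4122 and parsed.version == 4


if __name__ == "__main__":
    backend_cap = 10_000  # assumed requests/second the storage backend can answer
    needed = guesses_for_hit(8_000_000_000)
    print(f"enumerate at 1e12/s: {years_to_enumerate(1e12):.4e} years")
    print(f"rate for 100 years:  {rate_to_enumerate_within(100):.4e} per second")
    print(f"guesses for 50% hit: {needed:.4e}")
    print(f"at the backend cap:  {needed / backend_cap / SECONDS_PER_YEAR:.4e} years")
    # Constructed sample names: a version 4 UUID, a version 1 UUID, and junk.
    for name in ("3f2b8c1e-9a4d-4e7b-8c21-5d6f0a1b2c3d",
                 "6fa459ea-ee8a-11e9-a3a4-0242ac130003", "not-a-uuid"):
        print(name, is_random_v4(name))
```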

[–] ConstantPain@lemmy.world 3 points 3 months ago (1 children)
[–] 01189998819991197253@infosec.pub -3 points 3 months ago (1 children)

I cannot. But the bruteforce is a mathematical guarantee.

[–] ConstantPain@lemmy.world 3 points 3 months ago

And has nothing to do with my proposition.

[–] ConstantPain@lemmy.world 4 points 3 months ago

Can't be done.
