Only 5.4 hours before you hit a UUID collision. That’s insane
This is how we find out that crypto.randomUUID is not cryptographically secure
Aren’t UUIDs designed to prevent collisions, rather than be cryptographycally secure? Not that it’s doing a great job here :D
Edit: Nvm, that was guid.
GUID and UUID are two names of the same thing. One is Globally Unique and one is Universally Unique. I think they mean not cryptographically secure as in not truly random if it’s generating duplicates.
I was doing cybersecurity for a few years before I moved to gamedev, and I vaguely remember that at least the older versions of GUID were definitely not safe, and could be “easily” guessed.
I had to look it up, in case anyone’s interrested, and from a quick glance to the GUID RFC, it depends on the version used, but if I’m reading it right, 6 bits out of the 128 are used for version identification, and then based on the version it’s some kind of timestamp, either from UTC time or some kind of a name-space (I didn’t really read through the details), and then a clock sequence, which make it a lot more guessable. I wonder how different would the odds be for different versions of the UUID, but I’m too tired to actually understand the spec enough to be able to tell.
However, for GUID version 4, both the timestamp and clock sequence should instead be a randomly generated number, which would give you 122 bits of entropy. It of course depends on the implementation and what kind of random generator was used when generating it, but I’d say it may be good enough for some uses.
The spec also says that you specifically should not use it for auth tokens and the like, so there’s that.
just to be clear since you said both again in different sentences, GUID and UUID are two names for the same thing.
I think that spec predates uuid4, it only mentions the time based/node based variants. 122 bits of auth token should be plenty, right?
the sheer unlikeliness of guessing that large a number, the original post is fake or something else is going on.
Either this is faked for the meme or something is very very wrong.
I’m leaning heavily towards faked for the meme.
If you actually were trying to get collisions, you’d save all previously generated ids and check all of them for a match with the newest one.
Not only would this increase the chance of a collision (not enough that it should matter, but still), but it would more closely approximate a real use case - if you use UUIDs you’re not just in trouble if one specific id is duplicated, it’s usually a problem if any id is not unique.
But the presented snippet is simpler and shorter and is close enough to what a naive test might look like, so it’s well suited to getting the joke across.The only way I could imagine this not being fake is if it was achieved in a noncompliant Js implementation. Which seems highly unlikely given the screenshot looks like the Chrome console.
If it was random once, why shouldn’t it be on the 163rd repetition?
An opportunity to share one of my favourite StackOverflow questions of all time!
It’s well worth reading through the answers and the comments, but here’s a little sampler platter:
This will run for a lot more than hours. Assuming it loops at 1 GHz (which it won’t - it will be a lot slower than that), it will run for 10790283070806014188970 years. Which is about 83 billion times longer than the age of the universe.
damn - so maybe serveral threads generating guids is a better idea?
4 threads on a quad core processor would make it run in 20 billion times the age of the universe - so yeah, that would help a lot.
Perhaps run 20 billion threads and you will end it by the time the universe doubles its age.
What? I can’t set
/proc/sys/kernel/threads-maxto 20 billion‽
Gotta send a bug report to the Linux kernel.
If this is reproducible without chicanery, I’m terrified
is this cryptomining? /s
crypto - as in cryptography, not cryptocurrency - is just the library he’s using to generate the 128-bit random UUID. The snippet is interesting because he matched the original UUID in just over 5 hours. You’d expect to need more than 10^38 guesses to pick the same number again, which, even at 1 guess every microsecond, means something like 10^22 years.
I wanted to downvote you for failing to pick up on the sarcasm, but then you went and did all that math that I was too lazy to do and I ended up upvoting you instead. Damn you!
Sorry, I forgot to add the
/s.But thank you for the calculations, it’s actually interesting :) I was thinking about that myself, but didn’t bother to do the math.
I thought its reminiscent of cryptomining as it also consist of guessing an arbitrary number just for fun.
Internet sarcasm is hard, and lemmy has a very general audience :) I’m always happy when someone gives me an excuse to do the math I was already curious about - it’s often not worth it, for just my own curiosity, but even a sarcastic or disingenuous prompt reminds me that there’s other casually curious people out there.
This is the fucker who put us on the worst timeline! Get their ass!
Let’s hang this little shit!
I know how I’m heating my office this winter
Please tell this is fake. I want to be ignorant about this.
No problem. It’s fake. No need to look deeper.
i was curious how unlikely exactly this would be.
The randomUUID method generates a new version 4 UUID
which is, According to the linked documentation, a 128bit number, with some “significant bits” being changed (no idea what that’s about, lets just say it’s a 128bit number)
the chance of hitting a predfined number would be
1/(2^128) or 1/340282366920938463463374607431768211456
assuming your cpu does one comparison per Step at 4Ghz (4 billion per second) (idk how many steps it needs in reality, it doesn’t matter, more then one tho)
that would take roughly
2.696 x 10^21 years, which is
2 x 10^11 or 200000000000 times the age of the universe
(using the expected value of geometric distribution (1/p), so 1/(1/(2^ 128)) = 2^128 steps)
…so your saying theres a chance.
I was able to reproduce this exactly.
brother you’re using the wrong thing. First of all you are using crypto that’s going to give you some memecoins that are obviously going to collide after 55 hours as what are you even doing not rugpulling the thing day 2?
Second of all, I am pretty sure you should use “RandomUUIDIToldYouSo” module for non-colliding hashes. We all know THAT thing gets its Noise from our parents’ instructions on doing a specific thing that keep changing arbitrarily every time you ask.
