It’s not, though. And thinking that it is impossible is why DES, for example, was “translatable” by the NSA for decades. Never assume something is impossible just because it’s difficult.
The scope isn’t if they’re crackable (which, if course, they’re not, since they’re not encrypting anything). The scope is if using UUIDs as filenames in this publicaly accessible db a good way to hide the files. And the answer is: no it is not, because a computer powerful enough can guess all possibilities in a matter of minutes, and query them all against the db to discover all files stored within.
Aside from the fact that a strong enough supercomputer won’t exist for decades, you’re not limited by the speed of UUID generation. Even if you had an infinitely fast supercomputer, it wouldn’t speed up your brute force attempts, since you’re limited by the speed of the backend. Wherever Tea stores their images, that server has only a limited capacity for responding to requests, far less than the speed with which you can generate UUIDs. That’s a hard cap - you won’t try guesses faster than that.
Even assuming 0 latency on their backend, if you wanted to check each UUIDv4 value again their database during your lifetime, you would need to check 1.686 x 10^27 UUIDv4 per second for 100 years straight. Supercomputers are measured in exaflops, which is 10^18 operations per second, so even distributing the work across many machines, you would need about 1 billion of super computers to be able to have a chance of checking every UUIDv4 value within 100 years.
The powerful enough computer doesn’t exist, and will not exist for some time. And even if it exists, it can’t query the web server fast enough to have meaningful effectiveness.
So, for all intents and purposes, it’s impossible. Period.
It’s not, though. And thinking that it is impossible is why DES, for example, was “translatable” by the NSA for decades. Never assume something is impossible just because it’s difficult.
It is. It is practically impossible to guess the file names. You telling otherwise means you don’t have sufficient knowledge on the matter.
@01189998819991197253 @ConstantPain
Security isn’t binary, it’s a spectrum. You apply the level of security that is appropriate for each situation.
Of course it’s *possible* to brute force it, but by the same logic you could brute force jwt tokens, or api keys, or even ssl certs.
It’s literally *impossible* to apply “max security” to everything, so you have to prioritize.
What happened was unconscionable, but insisting uuid are mathematically breakable isn’t helpful, and can make it worse.
UUIDs are essentially random numbers, crypto schemes are not, they’re not comparable.
The scope isn’t if they’re crackable (which, if course, they’re not, since they’re not encrypting anything). The scope is if using UUIDs as filenames in this publicaly accessible db a good way to hide the files. And the answer is: no it is not, because a computer powerful enough can guess all possibilities in a matter of minutes, and query them all against the db to discover all files stored within.
Aside from the fact that a strong enough supercomputer won’t exist for decades, you’re not limited by the speed of UUID generation. Even if you had an infinitely fast supercomputer, it wouldn’t speed up your brute force attempts, since you’re limited by the speed of the backend. Wherever Tea stores their images, that server has only a limited capacity for responding to requests, far less than the speed with which you can generate UUIDs. That’s a hard cap - you won’t try guesses faster than that.
Even assuming 0 latency on their backend, if you wanted to check each UUIDv4 value again their database during your lifetime, you would need to check 1.686 x 10^27 UUIDv4 per second for 100 years straight. Supercomputers are measured in exaflops, which is 10^18 operations per second, so even distributing the work across many machines, you would need about 1 billion of super computers to be able to have a chance of checking every UUIDv4 value within 100 years.
The powerful enough computer doesn’t exist, and will not exist for some time. And even if it exists, it can’t query the web server fast enough to have meaningful effectiveness.
So, for all intents and purposes, it’s impossible. Period.
Thank you for bringing sanity to this thread. At this point, I have to assume that this person is trolling? That or they’ve been vibecoding too long?