agnos.is Forums

I wonder if this was made by AI or a shit programmer

170 Posts 93 Posters 1 Views
  • F [email protected]

    Aside from the fact that a strong enough supercomputer won't exist for decades, you're not limited by the speed of UUID generation. Even if you had an infinitely fast supercomputer, it wouldn't speed up your brute force attempts, since you're limited by the speed of the backend. Wherever Tea stores their images, that server has only a limited capacity for responding to requests, far less than the speed with which you can generate UUIDs. That's a hard cap - you won't try guesses faster than that.

    B This user is from outside of this forum
    [email protected]
    wrote on last edited by
    #117

    Even assuming 0 latency on their backend, if you wanted to check each UUIDv4 value against their database during your lifetime, you would need to check 1.686 x 10^27 UUIDv4 per second for 100 years straight. Supercomputers are measured in exaflops, which is 10^18 operations per second, so even distributing the work across many machines, you would need about 1 billion supercomputers to be able to have a chance of checking every UUIDv4 value within 100 years.

    1 Reply Last reply
    1
    • spicehoarder@lemmy.zipS [email protected]

      No, this was a data leak. The word "hack" has legal implications and shifts the blame away from the company and onto the individual who discovered the leak.

      I This user is from outside of this forum
      [email protected]
      wrote on last edited by
      #118

      Based on this comment alone, I am 100% sure that you are not a lawyer.

      spicehoarder@lemmy.zipS 1 Reply Last reply
      4
      • diplomjodler3@lemmy.worldD [email protected]

        I always get irrationally angry when I see Python code using os.path instead of pathlib. What is this, the nineties?

        I This user is from outside of this forum
        [email protected]
        wrote on last edited by
        #119

        And what's with the string addition? Never heard of f-strings or even .format()?

        1 Reply Last reply
        3
        • V [email protected]

          Bet you could reuse/keep UUIDs for someone/stuff that gets updated and get that new data even if you "shouldn't".

          It could work in theory but in practice there are always a billion things that go wrong IMO.

          B This user is from outside of this forum
          [email protected]
          wrote on last edited by
          #120

          Not really sure what you mean by reusing UUIDs but there's nothing bad about using UUIDs in URLs for content you don't want scraped by bots. Sites like Google Photos are already using UUIDs in the URL for the photos, and do not require any authentication to see the image as long as you have the URL. You can try this for yourself and copy the URL of an image and open it in a Private Browsing Window. Every so often someone realizes the actual image URL is public and thinks they've found a serious issue, but the reason why it isn't is because of the massive key space UUID provides and that it would be infeasible to check every possible URL, even if it's publicly available.

          V 1 Reply Last reply
          0
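
The keyspace argument from posts #117 and #120, worked through as an added example (not code from the thread). It also checks that an identifier really is a random version-4 UUID, since the argument does not hold for timestamp-based version 1. The object count, the backend request rate and the sample v1 value are constructed assumptions.

```python
import uuid

UUID4_RANDOM_BITS = 122          # 128 bits minus 4 version bits and 2 variant bits
SECONDS_PER_YEAR = 365 * 86400   # 365-day year, which reproduces the thread's figure


def rate_to_enumerate(years: float) -> float:
    """Guesses per second needed to try every UUIDv4 value within `years`."""
    return 2 ** UUID4_RANDOM_BITS / (years * SECONDS_PER_YEAR)


def expected_years_to_first_hit(live_objects: int, requests_per_sec: float) -> float:
    """Expected time until a blind guess lands on any one of `live_objects` IDs.

    Guessing without repeats in a space of S values holding N targets takes
    (S + 1) / (N + 1) tries on average. The backend's request rate, not the
    guesser's CPU, bounds how fast tries can be made.
    """
    space = 2 ** UUID4_RANDOM_BITS
    expected_tries = (space + 1) / (live_objects + 1)
    return expected_tries / requests_per_sec / SECONDS_PER_YEAR


def is_random_uuid(value: str) -> bool:
    """True only for RFC 4122 version-4 UUIDs; other versions are not random."""
    try:
        parsed = uuid.UUID(value)
    except ValueError:
        return False
    return parsed.variant == uuid.RFC_4122 and parsed.version == 4


# Constructed sample: a version-1 UUID, which encodes a timestamp and node ID.
SAMPLE_V1 = "c232ab00-9414-11ec-b3c8-9f6bdeced846"

if __name__ == "__main__":
    print(f"{rate_to_enumerate(100):.3e} guesses/s to cover the space in 100 years")
    # Assumed figures: 1e9 stored images, backend answering 1e6 requests/s.
    print(f"{expected_years_to_first_hit(10**9, 1e6):.3e} years to a first hit")
    print(is_random_uuid(str(uuid.uuid4())), is_random_uuid(SAMPLE_V1))
```
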
          • 01189998819991197253@infosec.pub0 [email protected]

            Wow. It actually identified something?

            W This user is from outside of this forum
            [email protected]
            wrote on last edited by
            #121

            It's good enough for corporate (with multiple other lines of defense).

            1 Reply Last reply
            0
            • mobotsar@sh.itjust.worksM [email protected]

              There's nothing wrong with manually breaking a loop.

              grrgyle@slrpnk.netG This user is from outside of this forum
              [email protected]
              wrote on last edited by
              #122

              An infinite loop used to be such a rank code smell back when I was a junior, specifically because I was a noob and made giant loops like 50 lines long and invariably didn't plan the exit condition right, and then my computer would lock up and I would have to hard power cycle.

              But yeah, now it's a totally acceptable little pattern imho.

              1 Reply Last reply
              2
              • lena@gregtech.euL [email protected]
                This post did not contain any content.
                grrgyle@slrpnk.netG This user is from outside of this forum
                [email protected]
                wrote on last edited by
                #123

                What is the Tea hack?

                F 1 Reply Last reply
                8
                • D [email protected]

                  Security by obscurity.

                  vanilla_puddinfudge@infosec.pubV This user is from outside of this forum
                  [email protected]
                  wrote on last edited by
                  #124

                  this man ssh'd in on a five-digit port

                  1 Reply Last reply
                  0
                  • spicehoarder@lemmy.zipS [email protected]

                    No, this was a data leak. The word "hack" has legal implications and shifts the blame away from the company and onto the individual who discovered the leak.

                    jackbydev@programming.devJ This user is from outside of this forum
                    [email protected]
                    wrote on last edited by
                    #125

                    It can be both. The company can be at fault for not keeping something secure while the people who steal the data are at fault for stealing data. Data leaks and hacks are not mutually exclusive.

                    P 1 Reply Last reply
                    5
                    • F [email protected]

                      There's nothing wrong with eating a banana with a knife and fork, either.

                      Except living with the shame.

                      B This user is from outside of this forum
                      [email protected]
                      wrote on last edited by
                      #126

                      Well these people probably don't wash their hands so knife fork is the most sanitary way.

                      1 Reply Last reply
                      0
                      • lena@gregtech.euL [email protected]
                        This post did not contain any content.
                        A This user is from outside of this forum
                        [email protected]
                        wrote on last edited by
                        #127

                        At this point I think the women using it got psyopped

                        1 Reply Last reply
                        10
                        • grrgyle@slrpnk.netG [email protected]

                          What is the Tea hack?

                          F This user is from outside of this forum
                          [email protected]
                          wrote on last edited by
                          #128

                          An app called Tea™ was marketed as a safe space for women and used government-issued IDs as a way to verify users.

                          4Chan users leaked all of the IDs onto the larger internet.

                          grrgyle@slrpnk.netG R 2 Replies Last reply
                          9
                          • jackbydev@programming.devJ [email protected]

                            Hack has at least two definitions in a computing context.

                            1. A nifty trick or shortcut that is useful. "Check out this hack to increase your productivity."
                            2. Accessing something you shouldn't. "They hacked into the database."

                            A lot of times they sort of get used in conjunction to describe interesting ways to gain access to secure systems, but using it to describe accessing insecure things you shouldn't is still a valid usage of the phrase.

                            That said I definitely wanna see the company face charges for this, this is insane.

                            spacecowboy@lemmy.caS This user is from outside of this forum
                            [email protected]
                            wrote on last edited by
                            #129

                            Yeah, if I leave my house door wide open for a few weeks and I get robbed, it's still burglary.

                            jackbydev@programming.devJ grendel84@tiny.tilde.websiteG rivalarrival@lemmy.todayR 3 Replies Last reply
                            13
                            • F [email protected]

                              An app called Tea™ was marketed as a safe space for women and used government-issued IDs as a way to verify users.

                              4Chan users leaked all of the IDs onto the larger internet.

                              grrgyle@slrpnk.netG This user is from outside of this forum
                              [email protected]
                              wrote on last edited by
                              #130

                              Wow what a fuckin shitshow. I have so many follow-up questions

                              1 Reply Last reply
                              4
                              • spacecowboy@lemmy.caS [email protected]

                                Yeah, if I leave my house door wide open for a few weeks and I get robbed, it's still burglary.

                                jackbydev@programming.devJ This user is from outside of this forum
                                [email protected]
                                wrote on last edited by
                                #131

                                Thank you! I feel like I'm taking crazy pills reading people's reactions to this. And if it was a business instead of your house and it was customer data you weren't protecting you should still be in trouble too. It's like people think only one side can be in the wrong in this or that because the data wasn't secured and in the public that gives them free rein to post it everywhere. I wonder how those people would feel if their addresses were leaked. After all, if you're a homeowner your name is attached to the property and is publicly accessible.

                                1 Reply Last reply
                                4
                                • spacecowboy@lemmy.caS [email protected]

                                  Yeah, if I leave my house door wide open for a few weeks and I get robbed, it's still burglary.

                                  grendel84@tiny.tilde.websiteG This user is from outside of this forum
                                  [email protected]
                                  wrote on last edited by
                                  #132

                                  @SpaceCowboy @JackbyDev

                                  In a legal context there's also the concept of a "reasonable expectation of privacy". The computer abuse and fraud act defines hacking as accessing data or systems you are not authorized to access.

                                  A better analogy is putting your journal in a public library and getting mad when someone reads it.

                                  I'm not saying what these ass holes did was right, I'm saying that the company weakened their legal position by not protecting the data.

                                  I spacecowboy@lemmy.caS 2 Replies Last reply
                                  10
                                  • grendel84@tiny.tilde.websiteG [email protected]

                                    @SpaceCowboy @JackbyDev

                                    In a legal context there's also the concept of a "reasonable expectation of privacy". The computer abuse and fraud act defines hacking as accessing data or systems you are not authorized to access.

                                    A better analogy is putting your journal in a public library and getting mad when someone reads it.

                                    I'm not saying what these ass holes did was right, I'm saying that the company weakened their legal position by not protecting the data.

                                    I This user is from outside of this forum
                                    [email protected]
                                    wrote on last edited by
                                    #133

                                    A better analogy is putting your journal in a public library and getting mad when someone reads it.

                                    Good analogy indeed. I'd go one step further and add: it's like promising others you'll keep their diary safe, then putting it in a public library, to then get mad when someone reads it.

                                    grendel84@tiny.tilde.websiteG 1 Reply Last reply
                                    4
                                    • F [email protected]

                                      Yeah, it has no notion of being truthful. But we do, so I was bringing in a human perspective there. We know what it says may be true or false, and it's natural for us to call the former "telling the truth", but as you say we need to be careful not to impute to the LLM any intention to tell the truth, any awareness of telling the truth, or any intention or awareness at all. All it's doing is math that spits out words according to patterns in the training material.

                                      kayohtie@pawb.socialK This user is from outside of this forum
                                      [email protected]
                                      wrote on last edited by
                                      #134

                                      I figured and I know it's shorthand, it's my own frustration that said shorthand has partly enabled the anthropomorphism that it's enjoyed.

                                      Leave the anthropomorphism to pets, plants, and furries, basically. And cars. It's okay to call cars like that. They know what they did.

                                      1 Reply Last reply
                                      1
                                      • I [email protected]

                                        A better analogy is putting your journal in a public library and getting mad when someone reads it.

                                        Good analogy indeed. I'd go one step further and add: it's like promising others you'll keep their diary safe, then putting it in a public library, to then get mad when someone reads it.

                                        grendel84@tiny.tilde.websiteG This user is from outside of this forum
                                        [email protected]
                                        wrote on last edited by
                                        #135

                                        @iii

                                        Yeah the internet by design is a public space, and we must be responsible and treat it as such when handling sensitive data.

                                        Again, it was very wrong for people to take that data and especially to post like that.

                                        The company also has to do their part and produce at least some kind of barrier to the data.

                                        Even using UUIDs and making sure the data wasn't query-able would have been something.

                                        S 1 Reply Last reply
                                        2
                                        • B [email protected]

                                          Not really sure what you mean by reusing UUIDs but there's nothing bad about using UUIDs in URLs for content you don't want scraped by bots. Sites like Google Photos are already using UUIDs in the URL for the photos, and do not require any authentication to see the image as long as you have the URL. You can try this for yourself and copy the URL of an image and open it in a Private Browsing Window. Every so often someone realizes the actual image URL is public and thinks they've found a serious issue, but the reason why it isn't is because of the massive key space UUID provides and that it would be infeasible to check every possible URL, even if it's publicly available.

                                          V This user is from outside of this forum
                                          [email protected]
                                          wrote on last edited by
                                          #136

                                          You point out the "vulnerability" yourself, sometimes (when it's Google) it works as designed, but a less robust site could have the full access through a UUID for example and then someone shares an image with it, bam they have access to more than they should. The history is littered with bulletproof things like this ending up being used wrongly.

                                          1 Reply Last reply
                                          0
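
The over-broad link described in post #136, shown beside a per-image link, as an added example (not code from the thread or from any site it mentions). `ImageStore` and its method names are hypothetical, and the account and image contents are constructed.

```python
import uuid
from typing import Dict, List, Optional, Tuple


class ImageStore:
    def __init__(self) -> None:
        self._images: Dict[str, Tuple[str, bytes]] = {}  # image_id -> (account_id, data)
        self._links: Dict[str, str] = {}                 # link token -> image_id

    def add_image(self, account_id: str, data: bytes) -> str:
        image_id = str(uuid.uuid4())
        self._images[image_id] = (account_id, data)
        return image_id

    # Weak design: the account's UUID is itself the secret in the URL, so a
    # link shared to show one picture opens everything the account holds.
    def weak_fetch(self, account_id: str) -> List[bytes]:
        return [d for owner, d in self._images.values() if owner == account_id]

    # Scoped design: each shared link gets its own random token bound to
    # exactly one image, and only the image's owner can mint it.
    def mint_link(self, account_id: str, image_id: str) -> str:
        owner, _ = self._images[image_id]
        if owner != account_id:
            raise PermissionError("only the owner can share this image")
        token = str(uuid.uuid4())
        self._links[token] = image_id
        return token

    def fetch_by_link(self, token: str) -> Optional[bytes]:
        image_id = self._links.get(token)
        if image_id is None:
            return None  # unknown, revoked, or an ID that was never a link token
        return self._images[image_id][1]

    def revoke_link(self, token: str) -> None:
        self._links.pop(token, None)


def demo() -> dict:
    store = ImageStore()
    account = str(uuid.uuid4())                # constructed account ID
    selfie = store.add_image(account, b"selfie")
    id_card = store.add_image(account, b"id-card")
    link = store.mint_link(account, selfie)
    result = {
        "weak": store.weak_fetch(account),                   # every image
        "scoped": store.fetch_by_link(link),                 # the shared one only
        "account_id_as_token": store.fetch_by_link(account),
        "image_id_as_token": store.fetch_by_link(id_card),
    }
    store.revoke_link(link)
    result["after_revoke"] = store.fetch_by_link(link)
    return result


if __name__ == "__main__":
    print(demo())
```
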