I wonder if this was made by AI or a shit programmer
-
UUIDs are essentially random numbers, crypto schemes are not, they're not comparable.
The scope isn't if they're crackable (which, if course, they're not, since they're not encrypting anything). The scope is if using UUIDs as filenames in this publicaly accessible db a good way to hide the files. And the answer is: no it is not, because a computer powerful enough can guess all possibilities in a matter of minutes, and query them all against the db to discover all files stored within.
-
You should read into the NSA's Translator. Granted, it's relatively outdated with shifting text algorithms, but for a very long time (about half a century), it was able to bruteforce any key, regardless of length, in under an hour.
I'm not familiar with NSA’s Translator, so any info would be appreciated.
I saw your other comment about DES, and it should be noted that DES was with a key length of 56 bits, and that was enforced precisely because the NSA could brute force it. It wasn't even a secret they could brute force 56 bit encryption, and written into law. Back then, if you wanted to use more than 56 bit encryption in the United States, you had to provide a key escrow system to allow the government to decrypt the content if they needed to. Around the 2000s with the rise of e-commerce, they dropped the export restriction because it was doing more harm than good. No one wanted to use so few bits in the encryption keys, but it was illegal at the time to write software which did.
A UUID's 122 bits of randomness are exponentially more than the 56 bits DES offered. My original point being, all crypto is inherently brute forceable on an infinite timescale, but key length and implementation decisions are chosen to so that it would be computationally infeasible to brute force.
-
I'm not familiar with NSA’s Translator, so any info would be appreciated.
I saw your other comment about DES, and it should be noted that DES was with a key length of 56 bits, and that was enforced precisely because the NSA could brute force it. It wasn't even a secret they could brute force 56 bit encryption, and written into law. Back then, if you wanted to use more than 56 bit encryption in the United States, you had to provide a key escrow system to allow the government to decrypt the content if they needed to. Around the 2000s with the rise of e-commerce, they dropped the export restriction because it was doing more harm than good. No one wanted to use so few bits in the encryption keys, but it was illegal at the time to write software which did.
A UUID's 122 bits of randomness are exponentially more than the 56 bits DES offered. My original point being, all crypto is inherently brute forceable on an infinite timescale, but key length and implementation decisions are chosen to so that it would be computationally infeasible to brute force.
The Translator was the nickname given to, what essentially was, the NSA supercomputer that could solve any (non-shift text) encryption by bruteforcing the key in under an hour (most of the time, in about 15 minutes). I mentioned DES, because it was an encryption so old that nearly everyone has heard about it, and one that I know was used on The Translator. And you're right, DES was capped at 56 bit keys, because they could crack it without The Translator, if needed.
But the scope isn’t if the UUIDs are crackable (which, of course, they’re not, since they’re not encrypting anything). The scope is if using UUIDs as filenames in this publically accessible db a good way to hide the files. And the answer is: no it is not a good way, because a computer powerful enough can guess all possibilities in a matter of minutes, and query them all against the db to discover all files stored within.
-
The scope isn't if they're crackable (which, if course, they're not, since they're not encrypting anything). The scope is if using UUIDs as filenames in this publicaly accessible db a good way to hide the files. And the answer is: no it is not, because a computer powerful enough can guess all possibilities in a matter of minutes, and query them all against the db to discover all files stored within.
The powerful enough computer doesn't exist, and will not exist for some time. And even if it exists, it can't query the web server fast enough to have meaningful effectiveness.
So, for all intents and purposes, it's impossible. Period.
-
It's not, though. And thinking that it is impossible is why DES, for example, was "translatable" by the NSA for decades. Never assume something is impossible just because it's difficult.
It is. It is practically impossible to guess the file names. You telling otherwise means you don't have sufficient knowledge on the matter.
-
I've dodged the bullet for 20 years, now. I guess i had better get cracking
wrote on last edited by [email protected]You've probably already made your Big Dumb Mistake, it just hasn't been triggered yet.
Or, you just weren't there any more when it triggered.
-
I cannot. But the bruteforce is a mathematical guarantee.
And has nothing to do with my proposition.
-
The Translator was the nickname given to, what essentially was, the NSA supercomputer that could solve any (non-shift text) encryption by bruteforcing the key in under an hour (most of the time, in about 15 minutes). I mentioned DES, because it was an encryption so old that nearly everyone has heard about it, and one that I know was used on The Translator. And you're right, DES was capped at 56 bit keys, because they could crack it without The Translator, if needed.
But the scope isn’t if the UUIDs are crackable (which, of course, they’re not, since they’re not encrypting anything). The scope is if using UUIDs as filenames in this publically accessible db a good way to hide the files. And the answer is: no it is not a good way, because a computer powerful enough can guess all possibilities in a matter of minutes, and query them all against the db to discover all files stored within.
a computer powerful enough can guess all possibilities in a matter of minutes, and query them all against the db to discover all files stored within.
Again, it would be computationally infeasible on any reasonable timescale of human existence. It's no secret what every possible UUID would be, it's the fact there are 5316911983139663491615228241121378303 of them and trying each one would be futile. They're actually all on https://everyuuid.com/ to see for yourself.
Just for shits, I encrypted a file with a password being a UUIDv4. Here's the encrypted file as base64:
YLIR6fL46HfRmueb1tZWiQUFQHYnZOKO9oujOzhvWYpfTtB5RnHtAvMgUgeIsffLC1wz7D17Vp0VT5YIJMb5pA==Here's everything you would need to do to decrypt this file with a password:
$ echo "YLIR6fL46HfRmueb1tZWiQUFQHYnZOKO9oujOzhvWYpfTtB5RnHtAvMgUgeIsffLC1wz7D17Vp0VT5YIJMb5pA==" | base64 -d > file.enc $ openssl enc -aes-128-cbc -d -nosalt -in file.enc enter AES-128-CBC decryption password: u/[email protected] can't brute force thisThe password to decrypt the file is a UUIDv4. See if you can try every UUID and figure out which one I used as the password.
-
I can tell you exactly what happened. "Hey Claude, I need to configure and setup a DB with Firebase to store images from our application." and then promptly hit shift+tab and then went to go browse Reddit.
nothing was tested. nothing was verified. They let the AI do its thing they checked in on it after an hour or so. once it was done it was add all, commit -m "done", push origin master. AI doesn't implement security stuff. there was zero security here.
I have found the exact same type of bug shown here probably over a dozen times, most of those long before AI was writing code.
-
The powerful enough computer doesn't exist, and will not exist for some time. And even if it exists, it can't query the web server fast enough to have meaningful effectiveness.
So, for all intents and purposes, it's impossible. Period.
Thank you for bringing sanity to this thread. At this point, I have to assume that this person is trolling? That or they've been vibecoding too long?
-
https://www.infosecinstitute.com/resources/security-awareness/human-error-responsible-data-breaches/
You're right. It's 74%.
https://www.cybersecuritydive.com/news/clorox-380-million-suit-cognizant-cyberattack/753837/
It's way easier to convince someone that you are just a lost user who needs access than it is to try to probe an organization's IT security from the outside.
This is only going to get worse with the ability to replicate other's voices and images. People already consistently fall for text message and email social engineering. Now someone just needs to build a model off a CSO doing interviews for a few hours and then call their phone explaining there has been a breach. Sure, 80% of good tech professionals won't fall for it, but the other 20% that just got hired out of their league and are fearing for their jobs will immediately do what they are told, especially if the breach is elaborate enough to convince them it's an internal security thing.
Yes social engineering can be incredibly effective. I completely agree, but there is a bit of an obsession with it these days and imo it's over indexed, because at the end of the day the type of social engineering detailed in that report typically just provides access.
In some cases, the target is important enough and has enough organizational power that accessing the network as them is sufficient, but that's not often the case. What that means is that in those other cases social engineering (which in that report you cited is often just phishing) is providing, typically, internal network access. An attacker will have to move through the network and exploit software typically to continue their attack. There are many points in this chain that the weakness lies in software or configuration. If effort was placed on making those systems better it would likely see better results than hyper focusing on the social engineering, which is significantly more difficult to stop, especially with all of the things you mentioned on the horizon.
My point is then that even if it is a part of 74% of breaches, according to Verizon, it's not necessarily sufficient and is often paired with software level exploits.
And I know this because my company does plenty of red teaming, and we use social engineering but at the end of the day the more interesting result comes from a software exploit or just abusing a weak configuration.
-
I absolutely despise Firebase Firestore (the database technology that was "hacked"). It's like a clarion call for amateur developers, especially low rate/skill contractors who clearly picked it not as part of a considered tech stack, but merely as the simplest and most lax hammer out there. Clearly even DynamoDB with an API gateway is too scary for some professionals. It almost always interfaces directly with clients/the internet without sufficient security rules preventing access to private information (or entire database deletion), and no real forethought as to ongoing maintenance and technical debt.
A Firestore database facing the client directly on any serious project is a code smell in my opinion.
I think it's less about the tech picked and more about developers with no sense of security and a poor understanding of networking. I've seen far too many web applications where the developer needed some sort of database behind it (MySQL, PostGres, MSSQL) and so they stood up either a container or entire VM with a public IP and whatever the networking layer set to allow any IP to hit the database port. The excuse is almost always something like, "we needed the web front end to be able to reach the database, so we gave the database server/container a public IP and allowed access". Which is wonderful, right up until half of the IP addresses in Russia start trying to brute force the database.
-
Yes social engineering can be incredibly effective. I completely agree, but there is a bit of an obsession with it these days and imo it's over indexed, because at the end of the day the type of social engineering detailed in that report typically just provides access.
In some cases, the target is important enough and has enough organizational power that accessing the network as them is sufficient, but that's not often the case. What that means is that in those other cases social engineering (which in that report you cited is often just phishing) is providing, typically, internal network access. An attacker will have to move through the network and exploit software typically to continue their attack. There are many points in this chain that the weakness lies in software or configuration. If effort was placed on making those systems better it would likely see better results than hyper focusing on the social engineering, which is significantly more difficult to stop, especially with all of the things you mentioned on the horizon.
My point is then that even if it is a part of 74% of breaches, according to Verizon, it's not necessarily sufficient and is often paired with software level exploits.
And I know this because my company does plenty of red teaming, and we use social engineering but at the end of the day the more interesting result comes from a software exploit or just abusing a weak configuration.
You are right and what some people miss is that social engineering being the vector to gain foothold doesn't mean that it was sufficient to allow the breach. Almost always you need some other weakness (or a series of them). Except when the weaknesses are so had that you don't need a foothold at all (like this case), or when the social engineering gives you everything (rare, but you might convince you someone to give you access to data etc.).
A whole separate conversation is deserved by how effective (or not) social engineering training is. Quite a few good papers about the topic came out in the last fee years.
-
but it didn't help; it was basically the gasoline
In what way?
-
I think it's less about the tech picked and more about developers with no sense of security and a poor understanding of networking. I've seen far too many web applications where the developer needed some sort of database behind it (MySQL, PostGres, MSSQL) and so they stood up either a container or entire VM with a public IP and whatever the networking layer set to allow any IP to hit the database port. The excuse is almost always something like, "we needed the web front end to be able to reach the database, so we gave the database server/container a public IP and allowed access". Which is wonderful, right up until half of the IP addresses in Russia start trying to brute force the database.
I agree that this is ultimately a problem with developers lacking security knowledge and general understanding, but my issue with Firestore specifically is that it is a powerful tool that, while it can be adopted as part of a carefully considered tech stack, lends itself most naturally towards being a blunt force instrument used by these kinds of developers.
My main criticism of Firestore is that it offers a powerful feature set that is both extremely attractive to amateur or constrained developers while simultaneously doing a poor job of guiding said amateurs towards creating a secure and well designed backend. In particular, the seemingly expected use case of the technology as something directly interfaced with by apps and other clients, as evidenced by the substantial support and feature set for this use case, is the main issue. This no-code no-management client driven interaction model makes it especially attractive to these developers.
This lack of indirection through an API Gateway or service, however, imposes additional design considerations largely delegated to the security rules which can easily be missed by a beginner. For example:
- Many examples of amateurs take an open-by-default approach, only applying access and write restrictions where necessary and miss data that should be restricted
- Some amateurs deploy databases with no access or write restrictions at all
- There is no way to only allow a "view" of a document to a request, instead a separate document and security rules containing the private fields needs to be created. This can be fairly simple to design around but seems to be a bit of a "gotcha", plus if you have similar but non identical sets of data that needs to be accessible by different groups it must be duplicated and manually synchronized.
- Since there is no way to version data models, incompatible changes require complicated workarounds or an increasingly complicated deserialization process on the client side (especially as existing clients continue to write outdated models).
- Schema validation of data written by clients to the database is handled by security rules, which is seemingly unintuitive or missed by many developers because I've seen plenty of projects miss it
- If clients are writing data directly, it can become fairly complex to handle and subsequently maintain their contributions, especially if the aforementioned private data documents are required or the data model changes.
All of these pitfalls can be worked around (although I would still argue for some layer of indirection at least for writes), but at this point I've been contracted to 2 or 3 projects worked on by "professionals" (derogatory) that failed to account for any of these issues and I absolutely sick to death of it. I think a measure of a tools quality is whether it guides a developer towards good practices by design and I have found Firestore to completely fail in that regard. I think it can be used well, and it is perfectly appropriate for small inconsequential (as in data leaks would be inconsequential) single developer projects, but it almost never is.
-
The scope isn't if they're crackable (which, if course, they're not, since they're not encrypting anything). The scope is if using UUIDs as filenames in this publicaly accessible db a good way to hide the files. And the answer is: no it is not, because a computer powerful enough can guess all possibilities in a matter of minutes, and query them all against the db to discover all files stored within.
Aside from the fact that a strong enough supercomputer won't exist for decades, you're not limited by the speed of UUID generation. Even if you had an infinitely fast supercomputer, it wouldn't speed up your brute force attempts, since you're limited by the speed of the backend. Wherever Tea stores their images, that server has only a limited capacity for responding to requests, far less than the speed with which you can generate UUIDs. That's a hard cap - you won't try guesses faster than that.
-
I absolutely despise Firebase Firestore (the database technology that was "hacked"). It's like a clarion call for amateur developers, especially low rate/skill contractors who clearly picked it not as part of a considered tech stack, but merely as the simplest and most lax hammer out there. Clearly even DynamoDB with an API gateway is too scary for some professionals. It almost always interfaces directly with clients/the internet without sufficient security rules preventing access to private information (or entire database deletion), and no real forethought as to ongoing maintenance and technical debt.
A Firestore database facing the client directly on any serious project is a code smell in my opinion.
wrote on last edited by [email protected]It's like people learn how to make a phone app in React Native or whatever, but then come to the shocking and unpleasant realisation that a data-driven service isn't just a shiny user interface - it needs a backend too.
But they don't know anything about backend, and don't want to, because as far as they are concerned all those pesky considerations like data architecture, availability, security, integrity etc are all just unwanted roadblocks on the path to launching their shiny app.
And so, when a service seemingly provides a way to build an app without needing to care about any of those things, of course they take it.
And I get it, I really do. The backend usually is the genuine hard part in any project, because it's the part with all the risk. The part with all the problems. The place where everything can come crashing down or leak all your data if you make bad decisions. That's the bothersome nature of data-driven services.
But that's exactly why the backend is important, and especially the part you can't build anything decent without thinking about.
-
This post did not contain any content.
I always get irrationally angry when i see python code using os.path instead of pathlib. What is this, the nineties?
-
That's not a "senior developer." That's a developer that has just been around for too long.
Secrets shouldn't be in configurations, and developers shouldn't be mucking around in production, nor with production data.
Yeah the whole config thing in that project was an eldritch horror of a legacy, too ingrained in both the services and tooling to be modified without massive rewrites
-
I always get irrationally angry when i see python code using os.path instead of pathlib. What is this, the nineties?
Make a PR
