Guy in the photo looks like a mix of Austin Powers and Jason Schwartzman

Here’s one, InfluxDB (a time series database) advertises itself Open Source, but that’s only true for their Core platform, and many common features of a DB (high availability, read replicas, etc) are behind the Enterprise offering. Even if you are going to self host, you have to pay and agree to their terms.

I get having to pay for hosting and support, but it seems like they are intentionally neutering the core version to be able to push their paid business model, while benefiting from the testing and contributions from the community on the core model.

Not really sure what you mean by reusing UUIDs but theres nothing bad about using UUIDs in URLs for content you don’t want scrapped by bots. Sites like Google Photos are already are using UUIDs in the URL for the photos, and do not require any authentication to see the image as long as you have the URL. You can try this for yourself and copy the URL of an image and open it in a Private Browsing Window. Every so often someone realizes the actual image URL is public and think they’ve found a serious issue, but the reason why it isn’t is because of the massive key space UUID provides and that it would be infeasible to check every possible URL, even if it’s publicly available.

Even assuming 0 latency on their backend, if you wanted to check each UUIDv4 value again their database during your lifetime, you would need to check 1.686 x 10^27 UUIDv4 per second for 100 years straight. Supercomputers are measured in exaflops, which is 10^18 operations per second, so even distributing the work across many machines, you would need about 1 billion of super computers to be able to have a chance of checking every UUIDv4 value within 100 years.

Thank you for bringing sanity to this thread. At this point, I have to assume that this person is trolling? That or they’ve been vibecoding too long?

a computer powerful enough can guess all possibilities in a matter of minutes, and query them all against the db to discover all files stored within.

Again, it would be computationally infeasible on any reasonable timescale of human existence. It’s no secret what every possible UUID would be, it’s the fact there are 5316911983139663491615228241121378303 of them and trying each one would be futile. They’re actually all on https://everyuuid.com/ to see for yourself.

Just for shits, I encrypted a file with a password being a UUIDv4. Here’s the encrypted file as base64:

YLIR6fL46HfRmueb1tZWiQUFQHYnZOKO9oujOzhvWYpfTtB5RnHtAvMgUgeIsffLC1wz7D17Vp0VT5YIJMb5pA==

Here’s everything you would need to do to decrypt this file with a password:

$ echo "YLIR6fL46HfRmueb1tZWiQUFQHYnZOKO9oujOzhvWYpfTtB5RnHtAvMgUgeIsffLC1wz7D17Vp0VT5YIJMb5pA==" | base64 -d > file.enc

$ openssl enc -aes-128-cbc -d -nosalt -in file.enc
enter AES-128-CBC decryption password:
u/01189998819991197253@infosec.pub can't brute force this

The password to decrypt the file is a UUIDv4. See if you can try every UUID and figure out which one I used as the password.

I’m not familiar with NSA’s Translator, so any info would be appreciated.

I saw your other comment about DES, and it should be noted that DES was with a key length of 56 bits, and that was enforced precisely because the NSA could brute force it. It wasn’t even a secret they could brute force 56 bit encryption, and written into law. Back then, if you wanted to use more than 56 bit encryption in the United States, you had to provide a key escrow system to allow the government to decrypt the content if they needed to. Around the 2000s with the rise of e-commerce, they dropped the export restriction because it was doing more harm than good. No one wanted to use so few bits in the encryption keys, but it was illegal at the time to write software which did.

A UUID’s 122 bits of randomness are exponentially more than the 56 bits DES offered. My original point being, all crypto is inherently brute forceable on an infinite timescale, but key length and implementation decisions are chosen to so that it would be computationally infeasible to brute force.

By this logic, all crypto is bruteforcable, on a long enough timeline.

A 122 bit random number is 5316911983139663491615228241121378303 possible values. Even if it were possible to check 1 trillion records per second, it would take 168598173000000000 years to check all the UUIDs and get the info on all the users. Even if every human on earth signed up for the app (~8 billion people), and you wanted to just find any one valid UUID, the odds of a generating a UUID and that being valid in their DB is basically 0. You can do the math your self following the Birthday Paradox to determine how many times you would need to guess UUIDs before the probability that any one UUID is valid against a population of the whole world is greater than 50%.

Still this seems like a HackerOne problem, they’re acting as the middleman and I assume are taking part of the payout. What are they doing to earn the money they’re taking? The reason to go with HackerOne is to facilitate the interactions with people and pass the reports. It shouldn’t be a Curl maintainers responsibility to spot obvious AI slop. Maybe this is just the tier they’re on with HackerOne, but considering this is HackerOne’s business model, I would imagine that if huge companies are also dealing with this, then HackerOne will loose a lot of clients.

Ninja Edit: Obviously the problem is the people creating AI Slop, but HackerOne should be the ones dealing with it, not OpenSource Maintainers.

In the blog post, Daniel does discuss why that is a heavy handed approach:

People mention charging a fee for the right to submit a security vulnerability (that could be paid back if a proper report). That would probably slow them down significantly sure, but it seems like a rather hostile way for an Open Source project that aims to be as open and available as possible. Not to mention that we don’t have any current infrastructure setup for this – and neither does HackerOne. And managing money is painful.

Not so great with this one

[Bracket City]
July 14, 2025

https://www.theatlantic.com/games/bracket-city/

☠️ hard mode!

Rank: 👮 (Chief of Police)
🎹 Total Keystrokes: 106
🎯 Minimum Required: 82
👀 Peeks: 2
🛟 Answers Revealed: 1

Total Score: 52.4
🟨🟨🟨🟨🟨⬜⬜⬜⬜⬜

That was so funny, I had to pause taking the quiz I was laughing so hard at question 9. The snark in the explanations is fantastic.

Ahhh thanks for this, I would have also messed up and read 9 -> 12 in this situation as well

I’m pretty sure you still had to pay your phone provider who may have charged $0.10/call unless AOL was using 1-800 numbers to dial to?

TIL, I think I was over thinking it and would have gone from 7->9, and gotten all messed up. Thanks!

I refuse to use the Zoom client on my computer and instead use the web client. There might not be 1:1 feature parity, but it’s never been a problem for me with other people.

That’s bs and also reminds me of a joke about two mathematicians at a bar:

[Bracket City]
June 30, 2025

https://www.theatlantic.com/games/bracket-city/

☠️ hard mode!

Rank: 🔮 (Puppet Master)
🎹 Total Keystrokes: 59
🎯 Minimum Required: 59

Total Score: 100.0
🟪🟪🟪🟪🟪🟪🟪🟪🟪🟪

Suicide is a permanent solution to a temporary problem. There are people who can help you if you’re having thoughts of suicide, unless you’re Stephen Miller.

Same thing happens if you uninstall and reinstall the app? What version is the app, is it behind your friends? Are you able to remote stream on the browser