UUIDs are only unique if you generate them...

We had an internal discussion recently, and the upshot was that some distributed component on the web appears to have used the UUID of a sample COM component.

Sigh.

I wonder sometimes why people do this.  It's not like it's hard to run uuidgen and then copy the relevant GUIDs to your RGS file (and/or IDL file, or however it is you're defining and registering your class).

I guess the developers of the distributed component figured that they didn't have to follow the rules because everyone else was going to follow them.

And, no, I don't know what component it was, or why they decided to copy the sample.

So here's a good rule of thumb.  When you're designing a COM component, use UUIDGEN (or UuidCreate()) to generate a fresh, separate GUID for each of the Interface ID, Class ID, Library ID and App ID, and never reuse one you found in a sample or in somebody else's component.
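To make the rule concrete, here is an added example (not code from the original post): it mints one fresh GUID per COM identifier, emits each in the spellings the .rgs/.reg and C header files want, and audits a registration script for GUIDs that were copied from a sample or reused across roles. Python's uuid.uuid4() stands in for UuidCreate(); the .reg text and the second GUID in it are constructed for the demonstration, and the list of known sample GUIDs is seeded only with the BHO sample GUID quoted in the comments below.

```python
"""Added example (not from the original post): mint one fresh GUID per COM
identifier, emit it in the spellings the .rgs/.reg and C header files want, and
audit a registration script for GUIDs that were copied from a sample or reused
across roles. uuid.uuid4() stands in for UuidCreate(); the .reg text and the
second GUID in it are constructed for the demonstration."""
import re
import uuid

# Four separate identifiers a registered COM class normally needs.
COM_IDENTIFIERS = ("CLSID", "IID", "LIBID", "APPID")
# Registry key each identifier is registered under.
REG_KEY_FOR_ROLE = {"CLSID": "CLSID", "IID": "Interface", "LIBID": "TypeLib", "APPID": "AppID"}

GUID_RE = re.compile(r"\{?([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}?")
ROLE_RE = re.compile(r"\\(CLSID|Interface|TypeLib|AppID)\\\{", re.IGNORECASE)

# GUIDs known to have been lifted from published samples; the BHO-sample GUID
# quoted in the comments is the seed. Extend with your own team's findings.
KNOWN_SAMPLE_GUIDS = {"1E1B2879-88FF-11D2-8D96-D7ACAC95951F"}


def generate_com_guids(names=COM_IDENTIFIERS):
    """One random (version 4, 122 random bits) GUID per identifier, upper-case."""
    guids = {}
    for name in names:
        g = str(uuid.uuid4()).upper()
        while g in guids.values():          # paranoid: never hand out a duplicate
            g = str(uuid.uuid4()).upper()
        guids[name] = g
    return guids


def as_registry(guid):
    """{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX} as .reg/.rgs files spell it."""
    return "{" + str(uuid.UUID(guid)).upper() + "}"


def as_define_guid(name, guid):
    """DEFINE_GUID(name, Data1, Data2, Data3, Data4[0..7]) for a C/C++ header."""
    h = uuid.UUID(guid).hex.upper()
    parts = [h[0:8], h[8:12], h[12:16]] + [h[i:i + 2] for i in range(16, 32, 2)]
    return "DEFINE_GUID(%s, %s);" % (name, ", ".join("0x" + p for p in parts))


def render_reg(guids):
    """Minimal .reg skeleton registering each identifier under its own key."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for name, g in guids.items():
        lines.append("[HKEY_CLASSES_ROOT\\%s\\%s]" % (REG_KEY_FOR_ROLE[name], as_registry(g)))
    return "\n".join(lines) + "\n"


def audit_guids(text):
    """Return a sorted list of (guid, problem) for GUIDs that match a known
    sample or that are registered under more than one role (e.g. the same
    value used as both CLSID and IID)."""
    roles_by_guid, sample_hits = {}, set()
    for line in text.splitlines():
        role = ROLE_RE.search(line)
        for m in GUID_RE.finditer(line):
            g = m.group(1).upper()
            if g in KNOWN_SAMPLE_GUIDS:
                sample_hits.add(g)
            if role:
                roles_by_guid.setdefault(g, set()).add(role.group(1).upper())
    findings = [(g, "copied from a published sample GUID") for g in sample_hits]
    findings += [(g, "same GUID used as " + " and ".join(sorted(r)))
                 for g, r in roles_by_guid.items() if len(r) > 1]
    return sorted(findings)


# Constructed .reg snippet: the sample GUID reused for both the class and its
# interface, plus one made-up TypeLib GUID.
COPIED_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{1E1B2879-88FF-11D2-8D96-D7ACAC95951F}]
@="Copied BHO"

[HKEY_CLASSES_ROOT\Interface\{1E1B2879-88FF-11D2-8D96-D7ACAC95951F}]
@="ICopiedBho"

[HKEY_CLASSES_ROOT\TypeLib\{0F5D4C3B-2A19-4E8D-9C7B-6A5F4E3D2C1B}]
@="CopiedBhoLib"
"""

if __name__ == "__main__":
    fresh = generate_com_guids()
    print(render_reg(fresh))
    print(as_define_guid("IID_IMyComponent", fresh["IID"]))
    print("copied sample:", audit_guids(COPIED_REG))     # two findings
    print("fresh set:", audit_guids(render_reg(fresh)))  # []
```

The audit is deliberately cheap: it only knows the sample GUIDs you feed it and only checks role reuse where the registry path makes the role obvious, but that is enough to catch the two failure modes in this post (a GUID copied from MSDN, and one GUID doing duty as both CLSID and IID) before the build ever reaches a clean machine.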

Comments

  • Anonymous
    July 21, 2005
    Because they don't know the meaning of the GUIDS. They just copy paste the example code and then forget about that.
  • Anonymous
    July 21, 2005
    Textbox cargo cult programming: http://blogs.msdn.com/EricLippert/archive/2004/03/01/82168.aspx
  • Anonymous
    July 21, 2005
    Or use <a href="http://www.codeproject.com/macro/guidgennet.asp">GUIDGen.NET </a>
  • Anonymous
    July 21, 2005
    I reused an MS GUID 2 weeks ago. Its name for the time being is MustChangeGUID.reg, as I didn't have any way of generating a new one without rooting around for the VS CD. And that reminds me, VS is now reinstalled so I'm off to make a new one.

    It was adding a menu entry to the IE tools menu. One requires a GUID (for no good reason I can see - there is no code attached). First I thought any string would do. Well, 'test' didn't substitute for a meaningless number. So I chose an IE4 PowerToy GUID.

    Only a moron would have thought up GUIDs in the first place. I understand the problem it solves, but meaningless numbers are meaningless numbers. They are too long for humans to work with, remember, or anything. Didn't someone invent an assembler to solve a meaningless number problem, e.g. Int 21 instead of 52513?
  • Anonymous
    July 21, 2005
    Actually GUIDs were a part of DCE, which was designed by a bunch of mainframe people years ago.

    GUIDs have three qualities that make them useful:

    1) They're fixed size (which is good for lots of networking protocols)
    2) They're unique.
    3) They're easily generated.

    Strings don't have any of the above qualities (they can have quality #2, but if so, they lose quality #3).
  • Anonymous
    July 21, 2005
    > 2) They're unique

    I thought that was only true on machines with a NIC (since it uses the MAC address as part of the generation process, and the MAC address is going to be unique) but if you don't have a NIC, there's no way to ensure with 100% certainty that the number's going to be unique...

    Then again, how many machines are there these days without a network card?
  • Anonymous
    July 21, 2005
    I can totally see how this happened. Code was copied, pasted, forgotten about, rediscovered. You can't tell by looking at the code if the GUID has been used before or replaced*. It's often a hassle to replace a GUID, since it's in 2 or 3 different places (idl, reg) in multiple formats (so you can't do a naive search and replace) and you get mysterious errors if you don't fix them all (or no errors until you try on a clean machine).

    * How would that be for a "What's wrong with this code" installment? The GUID comes from MSDN code sample X.
  • Anonymous
    July 21, 2005
    Hah!

    Unique MAC addresses in network cards.

    Right.

    Our programs have installation IDs generated from (a) the numerical lowest network card MAC address, if any are present, or (b) randomly.

    We get two sorts of problems all the time:

    - installation IDs that were generated randomly because no suitable MAC was available

    - conflicting installation IDs at multiple customers' sites because the MAC wasn't unique

    I just wish privacy fanatics hadn't killed the Pentium ID feature, this kind of problem would be much easier to solve if we had that. Unfortunately, as it is, I don't know of a single reliable way to uniquely identify a user's PC.
  • Anonymous
    July 21, 2005
    Denis, UuidCreateSequential can be used to create a UUID that's tied to the user's machine.

    There's a HUGE caveat though. By using UuidCreateSequential, you potentially leak anonymous identifiable information about the user. You need to ensure that your privacy policy allows for this.

    UuidCreate should be "good enough" - the chances of a 128 bit cryptographically secure random number colliding are relatively small.
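The privacy caveat in the comment above is easy to see in the bits themselves. The following is an added example, not code from the post or its comments: it builds a version-1 (time + node) UUID of the kind UuidCreateSequential() returns, reads the MAC address and creation time straight back out of it, and contrasts that with a random version-4 UUID of the kind UuidCreate() returns. Python's uuid module stands in for the Win32 API; the node value, clock sequence and timestamp are constructed for the demonstration.

```python
"""Added example (not from the original post or its comments): what a
version-1, time/MAC-based UUID such as UuidCreateSequential() returns exposes,
compared with a random version-4 UUID such as UuidCreate() returns. Python's
uuid module is used as a stand-in for the Win32 API; the node value, clock
sequence and timestamp below are constructed for the demonstration."""
import datetime
import uuid

# 100-ns ticks between the UUID epoch (1582-10-15) and the Unix epoch (1970-01-01).
UUID_EPOCH_OFFSET = 0x01B21DD213814000


def make_v1(node, clock_seq, when):
    """Build a version-1 UUID deterministically from a 48-bit node, a 14-bit
    clock sequence and a timezone-aware datetime (same layout uuid.uuid1 uses)."""
    ticks = int(when.timestamp()) * 10_000_000 + when.microsecond * 10 + UUID_EPOCH_OFFSET
    time_low = ticks & 0xFFFFFFFF
    time_mid = (ticks >> 32) & 0xFFFF
    time_hi_version = ((ticks >> 48) & 0x0FFF) | (1 << 12)       # version 1
    clock_seq_hi_variant = 0x80 | ((clock_seq >> 8) & 0x3F)      # RFC 4122 variant
    clock_seq_low = clock_seq & 0xFF
    return uuid.UUID(fields=(time_low, time_mid, time_hi_version,
                             clock_seq_hi_variant, clock_seq_low,
                             node & 0xFFFFFFFFFFFF))


def describe(u):
    """Return what an observer can read straight out of the UUID's bits.
    Version 1: the node (normally the MAC address) and the creation time.
    Version 4: only the version; the other 122 bits are random."""
    u = uuid.UUID(str(u))
    info = {"version": u.version}
    if u.version == 1:
        node = u.node
        info["node"] = "%012x" % node
        # The multicast bit (low bit of the first octet) is clear for a real
        # MAC and set when the generator substituted a random node (RFC 4122).
        info["node_is_mac"] = not ((node >> 40) & 1)
        seconds, rem = divmod(u.time - UUID_EPOCH_OFFSET, 10_000_000)
        info["timestamp"] = (datetime.datetime.fromtimestamp(seconds, datetime.timezone.utc)
                             + datetime.timedelta(microseconds=rem // 10))
        info["clock_seq"] = u.clock_seq
    return info


def same_machine(a, b):
    """Two version-1 UUIDs sharing a node field were almost certainly minted on
    the same host: this linkability is what the privacy caveat is about."""
    a, b = uuid.UUID(str(a)), uuid.UUID(str(b))
    return a.version == 1 and b.version == 1 and a.node == b.node


# Constructed demo values: a MAC-looking node and a timestamp near this post.
DEMO_NODE = 0x0001020304AB
DEMO_TIME = datetime.datetime(2005, 7, 21, 22, 55, tzinfo=datetime.timezone.utc)

if __name__ == "__main__":
    sequential = make_v1(DEMO_NODE, 0x1234, DEMO_TIME)
    print(sequential, describe(sequential))      # node and time are readable
    random_one = uuid.uuid4()
    print(random_one, describe(random_one))      # only {'version': 4}
    print(same_machine(sequential, make_v1(DEMO_NODE, 0x1235, DEMO_TIME)))  # True
```

Note that Python's own uuid1() behaves like the comment warns: it uses uuid.getnode(), which is the real MAC where one can be found and a random 48-bit value with the multicast bit set otherwise, so the node_is_mac check above tells you which case a given UUID came from.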
  • Anonymous
    July 21, 2005
    Yes it's a good idea for people to read the rules and use GUIDgen, just as it's a good idea for people to read the rules and write valid C (or C++). Let's hope that one reminder will be enough for some of them.

    On the other hand, yes there are still a lot of PCs without built-in LAN cards. PCMCIA-Ethernet and USB-Ethernet adapters are still strong sellers.
  • Anonymous
    July 21, 2005
    Hmm, you know, I have done a lot of experimenting with GUIDs, trying to generate the same one even multiple ways.

    OK, so I was really bored one day. Idle programmers' hands do weird things. Anyway, I was playing with generating GUIDs in SQL Server, in .NET and through some old VB code that taps into UuidCreate.

    Anyway, all of them were inserting the GUIDs they generated into the SQL Server, and the SQL Server was using a unique ID to hold the GUIDs it was inserting, and the unique ID was also a GUID. I am not sure what algorithms MS uses to generate the GUIDs, but something is based on time, because I would get a lot of GUIDs generated where the first 12 characters would be the same, then every second or so the first 12 would change. This was in .NET; in SQL Server there was no real pattern to the GUID, and the VB one I don't remember. Anyway, not one of all these GUIDs I generated was the same. So how the heck does it happen that people get the same GUID? I am not saying it can't happen, but the chances of getting the same GUID I think are greater than winning the lottery. Now, the example above is blatant: someone copied the GUID from the sample. However, it seems that I have been hearing more and more lately about GUID collisions. Kent Sharky even found this weird experience: http://blogs.msdn.com/ksharkey/archive/2004/10/28/249164.aspx

    I guess, maybe, is there talk of changing the GUID? Making it bigger or different? It seems more and more it is getting used everywhere. The chances of GUIDs not being unique are getting slimmer and slimmer. I know there are GUIDs in COM; just look at how many DLLs are on your machine. There are GUIDs in hardware and drivers; GUIDs are used in databases. Active Directory, sheesh, each object in there may use 2 or more GUIDs plus something called a SID; never understood a SID, but I know it is also a unique identifier for each object. Is it possible that the world may be running out of GUIDs just like IP addresses, hence the reason for IPv6? I know there are 16 bit GUIDs, and I know there are 32 bit GUIDs; are there now 64 bit GUIDs? At one time we thought the world would never run out of IP addresses. Could we ever find ourselves in a world where the GUID runs out?
  • Anonymous
    July 21, 2005
    128 bits represents about 6.8x10^38 unique numbers.

    For reference, there are about 8.8x10^49 atoms in the earth.

    It's not likely that the UUID space is going to be going away anytime soon.

    Paul Leach wrote up an I-D with the format of a UUID several years ago, I'm not totally sure why it wasn't submitted as an informational RFC, but...:

    http://www.opengroup.org/dce/info/draft-leach-uuids-guids-01.txt
  • Anonymous
    July 22, 2005
    Denis wrote:
    Our programs have installation IDs generated from (a) the numerical lowest network card MAC address ...
    We get two sorts of problems all the time:
    ...
    - conflicting installation IDs at multiple customers' sites because the MAC wasn't unique

    It is not uncommon for PCs to have "pretend" network interfaces for things like VPNs, modems, the loopback adaptor and so on. To avoid confusing higher software layers these pretend devices can have a MAC address, and it's often the same address on every PC (which shouldn't matter, because it's not actually used for anything). If you're grabbing a MAC address for uniqueness you need to ensure it's from a real network interface card.
  • Anonymous
    July 22, 2005
    Carlos:

    "If you're grabbing a MAC address for uniqueness you need to ensure it's from a real network interface card."

    We're doing that, but apparently there are more non-real NICs than we know of...
  • Anonymous
    July 22, 2005
    Shipping in Q4 2005: DRM for GUIDs.

    Copy a GUID, go to jail.

    ;)
  • Anonymous
    July 22, 2005
    "I just wish privacy fanatics hadn't killed the Pentium ID feature, this kind of problem would be much easier to solve if we had that. Unfortunately, as it is, I don't know of a single reliable way to uniquely identify a user's PC."

    The Pentium ID was not a globally unique number. Sadly, a lot of privacy advocates never realized this.
  • Anonymous
    July 22, 2005
    Given that it is too hard for people to generate GUIDs, I think it is beyond all possible hope that people use real MAC addresses. I for one didn't even know this was a problem. Sigh.

    I don't know whose fault it is, but gosh darn it, STOP!!!!

    :)
  • Anonymous
    July 22, 2005
    MAC addresses are SUPPOSED to be unique. You have to purchase a block of MAC addresses from IEEE.

    However, a lot of second-rate network card mfgrs will just randomly create addresses for their cards without buying a block. Another common thing is to re-use addresses once you have used up your block (rather than buying a new block). Sad but true.

    I've also seen some poorly-designed network cards that had trouble reading the MAC address EEPROM, so they would occasionally change their MAC on a reboot.
  • Anonymous
    July 23, 2005
    There is some malware implemented as browser helper objects that uses the same UUID as in this article from MSDN (BHO 101):

    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwebgen/html/bho.asp

    A google search on "1E1B2879-88FF-11D2-8D96-D7ACAC95951F" returns thousands of hits.

    Plain stupidity or spoofing for profit?
  • Anonymous
    July 24, 2005
    Larry,

    this blog entry forms the basis for a section in the OWASP Guide 2.0 :) This blog entry is linked in the cryptography section and the topic itself is a level B entry.

    Hopefully this will help prevent this issue in the future.

    Andrew van der Stock
    OWASP Guide Lead
  • Anonymous
    July 24, 2005
    With respect to MAC addresses, I've worked with ethernet chips where every single chip had the same MAC. Caused havoc until we figured out what was going on.
  • Anonymous
    July 24, 2005
    Thursday, July 21, 2005 10:55 PM by Jeff Parker

    > So how the heck does it happen that people
    > get the same GUID. I am not saying it can't
    > happen but the chances of getting the same
    > guid I think are greater than winning the
    > lottery,

    That's absolutely right. Even though you can't predict who will win the lottery or how long it will take (in a version where there's no guarantee of a winner but the jackpot grows), nonetheless someone will eventually win it.

    A better analogy, of course, is a famous puzzle regarding birthdays. What are the odds that a random collection of n people will include at least two with the same birth month and date? If you want a 100% guarantee then you need 367 people. But even with just 23 people you have a 50% chance.
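The birthday figure in the comment above carries over directly to GUIDs, and it is worth working through rather than taking on faith. The following is an added example, not code from the post or its comments: it computes the collision probability for n draws from a space of a given size, checks it against the 23-people/50% claim, and then applies it to random version-4 UUIDs, which have 122 random bits once the fixed version and variant bits are taken out. The cut-off between the exact product and the exponential approximation is an arbitrary choice of mine.

```python
"""Added example (not from the original post or its comments): the birthday
bound, first checked against the 23-people figure and then applied to random
(version-4) UUIDs, which carry 122 random bits once the version and variant
bits are fixed."""
import math

V4_RANDOM_BITS = 122


def collision_probability(n, space):
    """P(at least one collision among n draws from `space` equally likely values).
    Exact product for modest n; beyond that the standard 1 - exp(-n(n-1)/2N)
    approximation, evaluated with expm1/log1p so small values do not vanish."""
    if n < 2:
        return 0.0
    if n > space:
        return 1.0                      # pigeonhole: a collision is certain
    if n <= 10_000:                     # arbitrary cut-off for the exact product
        log_no_collision = sum(math.log1p(-k / space) for k in range(1, n))
        return -math.expm1(log_no_collision)
    return -math.expm1(-n * (n - 1) / (2.0 * space))


def draws_for_probability(p, space):
    """Smallest n (by the approximation) at which the collision chance reaches p:
    n ~ sqrt(-2 * space * ln(1 - p))."""
    return math.ceil(math.sqrt(-2.0 * space * math.log1p(-p)))


def v4_uuids_for_probability(p):
    """How many random version-4 UUIDs you must mint before a collision has
    probability p. Only the 122 random bits count."""
    return draws_for_probability(p, 2 ** V4_RANDOM_BITS)


if __name__ == "__main__":
    print("23 people, 365 days:", collision_probability(23, 365))      # ~0.507
    print("50% for birthdays needs", draws_for_probability(0.5, 365))  # 23
    print("50% for v4 UUIDs needs", v4_uuids_for_probability(0.5))     # ~2.7e18
    print("1e9 v4 UUIDs collide with p =", collision_probability(10 ** 9, 2 ** 122))
```

The take-away matches the thread: you need on the order of 2^61 properly generated random GUIDs before a collision becomes a coin flip, so every real-world duplicate you run into was copied, not drawn.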