Comment by deathanatos
4 days ago
> According to a staff engineer at a major tech company:
> “The sub claim changes in about 0.04% of logins from Log in with Google.
I've had a staff SWE also claim to me that they generated colliding UUIDv4s, and a separate staff SWE who worked in GIS claim that circles only exist in map projections and they're always distorted, and that you cannot have a circle IRL, nor project it onto a projection.
Neither's attention to quality, or rather, lack thereof, could cash those outlandish claims.
There is a simple explanation here: Your staff SWE is wrong. `sub` is the claim you're looking for.
Extraordinary claims require at least a trifling of proof. Or, what can be asserted without evidence can also be dismissed without evidence.
And this alleges to be a security blog. As a writer with that target audience, you should know this is going to be the objection to the thesis that your reader will have, and you attempt to just handwave it away…?
> I've had a staff SWE also claim to me that they generated colliding UUIDv4s, and a separate staff SWE who worked in GIS claim that circles only exist in map projections and they're always distorted, and that you cannot have a circle IRL, nor project it onto a projection.
The claim about circles I don't know. It depends on what exist means, and I don't know what it means to have a circle in real life, and likely don't care. I can only draw a rough approximation of a circle, and that's been fine for me.
Generating a colliding UUIDv4 seems pretty simple though; if you have a broken enough random generator setup and manage to run it without seeding, especially if it was in the times where it was pretty easy to run a virtual machine with totally broken random (virtio-random was developed for a reason), and spawned a bunch of virtual machines in very similar conditions. You can no true scotsman your way out of this by declaring that a broken system, but from inspection, I don't know how you can determine if a given UUIDv4 was generated with proper or broken random techniques. See also Debian Security Advisory 1571-1 [1], and similar issues where random values that were intended to be secure turn out to be predictable. It's a plausible claim. But that doesn't mean a claim by a 'staff engineer' is default plausible. It's just an appeal to authority of a title that doesn't mean a lot.
[1] https://lists.debian.org/debian-security-announce/2008/msg00...
> I've had a staff SWE also claim to me that they generated colliding UUIDv4s,
UUIDv4 is random. Could be a bad PRNG, or just very very very bad luck.
> and a separate staff SWE who worked in GIS claim that circles only exist in map projections and they're always distorted, and that you cannot have a circle IRL, nor project it onto a projection.
It is insanely difficult to project circles. Most of time we just pretend it never exist.
> or just very very very bad luck.
You're underestimating the odds. The odds aren't "bad luck", the odds are "statistical impossibility". Literally any other explanation holds with orders of magnitude higher certainty.
> It is insanely difficult to project circles. Most of time we just pretend it never exist.
Open Google maps, find the equator. That's a circle, rendered on a projection. (But far from the only example possible.)
(And lest I get more objections, a perfectly spherical earth was also an assumption of this assertion that circles don't exist. My coworker attempted to draw/show a circle onto an actual sphere we fortuitously had handy, and no dice.)
(Note the other way exists too: a projection can have a circle rendered on it, though it wouldn't be a circle on an actual sphere.)
> There is a simple explanation here: Your staff SWE is wrong. `sub` is the claim you're looking for.
Or perhaps it's actually happening 0.4% of the time. Maybe a few companies have some weird process that results in them routinely deleting accounts and creating new ones on the same email address.