Interesting People mailing list archives

Previous By Date Next
Previous By Thread Next

IP: more on SNIFFING OUT MS SECURITY GLITCH

From: Dave Farber <farber () cis upenn edu>
Date: Wed, 10 Mar 1999 13:10:50 -0500


Shap is a PhD candidate at UPenn as well as an IBM research member djf


To: farber () cis upenn edu
Date: Wed, 10 Mar 1999 12:39:15 -0500


Dave:

Please forward this to IP in the interest of factual reporting:


The GUID article is a good example of a layman getting two ideas confused,
adding 2 to 3, and concluding that the answer is 42.  The ultimate
question, you may remember, was "How much is six times nine?"

A GUID ("Globaly Unique IDentifier", also known in earlier MS software as
UUID or "Universally Unique IDentifier") is a unique name for *objects*,
not *people*.  Objects include files, link libraries, embedded drawings,
etc. etc.  Having a globally unique name for such objects is essential in
any distributed system.  The GUID name is one of the most basic
underpinnings of DCOM (now called COM+), Microsoft's "Distributed Component
Object Model."

In simplest terms, the purpose of the GUID is to let two computers agree on
all the objects they know about.  The purpose was never to track the user,
and I would be very much surprised if it occurred to the COM+ designers at
Microsoft that their scheme might be used for this.

The reason that the ethernet ID appears in so many places has to do with
the way that GUIDs are generated. On systems posessing an ethernet card,
the ethernet link-layer serial number is used as a seed for GUID
generation, and therefore appears in all GUIDs.  On non-networked systems,
I don't know what they use as a seed these days.  Early systems made one up
randomly, which didn't work out well in the field (too many systems
generated the same random number).  They may still do this, or they may now
base the seed on the CD key.

So in summary:

+ These are object IDs, not user IDs.  While GUIDs can be used to track
users, this was not their original purpose.
+ Some form of globally unique object ID is necessary to the correct
function of any distributed system.
+ In the *absence* of globally unique IDs, a great many things will not be
possible in future versions of Windows.

With a little work, GUIDs CAN be used to track the originating computer for
an object.  Since users tend to use a single machine, this rapidly converts
into the identity of the user.  While this may be cause for concern, there
is no conspiracy here.


Jonathan S. Shapiro
IBM T.J. Watson Research Center
Previous By Date Next
Previous By Thread Next

Current thread: