Comment On Taking the U out of UUID

Paul N. spotted this ColdFusion code in a third-party shopping cart system he'd been tasked with modifying (to make it usable):

Re: Taking the U out of UUID

2007-02-21 09:01 • by mdk
lol, I saw almost the same thing at work today

(my workday is already over now - sweet, sweet Europe ;)

Re: Taking the U out of UUID

2007-02-21 09:08 • by a/c (unregistered)
Sooo.. the WTF is that they thought a 9 digit User ID was enough? How horrible! Jeez, unless you're Amazon, 9 digits probably will be enough. Maybe the number needs to be parsed by a human at some point.

Re: Taking the U out of UUID

2007-02-21 09:13 • by me (unregistered)
121641 in reply to 121639
a/c:
Sooo.. the WTF is that they thought a 9 digit User ID was enough? How horrible! Jeez, unless you're Amazon, 9 digits probably will be enough. Maybe the number needs to be parsed by a human at some point.


no. the wtf is that they're using the first 9 digits of the unique key...which no longer makes it unique.
ex:
849183758193 = uuid1
849183758194 = uuid2
and using the first 9 returns the same result, which means it's no longer unique.

Re: Taking the U out of UUID

2007-02-21 09:15 • by dkf (unregistered)
Hmm, why didn't they just do this:
<cfid uuid = '1'>
After all, they'd have been happier...

Re: Taking the U out of UUID

2007-02-21 09:16 • by Names for for suckers (unregistered)
121643 in reply to 121639
a/c:
Sooo.. the WTF is that they thought a 9 digit User ID was enough? How horrible! Jeez, unless you're Amazon, 9 digits probably will be enough. Maybe the number needs to be parsed by a human at some point.
That's what I was thinking - if they think that the logs might be read by a human at some point then it would make sense to add a UID with the date postfixed to it.

Captcha - poindexter - Hey! Are you trying to imply something?

Re: Taking the U out of UUID

2007-02-21 09:23 • by me (unregistered)
Wow... half a dozen posts and no one has taken any "coldFusion sucks" shots yet. That has to be some kind of record.

Re: Taking the U out of UUID

2007-02-21 09:27 • by strictnein
121647 in reply to 121646
me:
Wow... half a dozen posts and no one has taken any "coldFusion sucks" shots yet. That has to be some kind of record.

CF sucks.

Happy now?

Re: Taking the U out of UUID

2007-02-21 09:28 • by Duston (unregistered)
Anyone that says ColdFusion sucks must either be Hitler or a Nazi. And thus I Godwin's law.

captcha: sanitarium. I think the voices in my head are telling me something.

Re: Taking the U out of UUID

2007-02-21 09:28 • by coldfusionsucks (unregistered)
121649 in reply to 121646
Wow... half a dozen posts and no one has taken any "coldFusion sucks" shots yet. That has to be some kind of record.

The real WTF is that they used cold fusion. There, happy now?

And why is this editor so messed up in konqueror?

CAPTCHA: sanitarium

Re: Taking the U out of UUID

2007-02-21 09:28 • by Duston (unregistered)
121650 in reply to 121648
Sadly I can't talk either.

Re: Taking the U out of UUID

2007-02-21 09:35 • by RobertJohnK
The editor is messed up in Konq because it doesn't load fancy rich text editor and there's no stylesheet to set reasonable width/heights for the textarea. Already notified Alex but it doesn't look like he's very interested in fixing it.

Re: Taking the U out of UUID

2007-02-21 09:40 • by KM (unregistered)
121652 in reply to 121643
The problem isn't the date. The WTF is the string truncation.

Re: Taking the U out of UUID

2007-02-21 09:40 • by Georges (unregistered)
I will join the conversation: CF Sucks :)

Even though I do not know why :)

Re: Taking the U out of UUID

2007-02-21 09:43 • by a/c (unregistered)
121654 in reply to 121641
me:
a/c:
Sooo.. the WTF is that they thought a 9 digit User ID was enough? How horrible! Jeez, unless you're Amazon, 9 digits probably will be enough. Maybe the number needs to be parsed by a human at some point.


no. the wtf is that they're using the first 9 digits of the unique key...which no longer makes it unique.
ex:
849183758193 = uuid1
849183758194 = uuid2
and using the first 9 returns the same result, which means it's no longer unique.


Actually as I look up the UUID format, the first eight characters (the ninth being a hyphen) are the least significant bits of the timestamp, which is not such a bad way to generate a pseudo-random number.

captcha: gygax. wtf?

Re: Taking the U out of UUID

2007-02-21 09:45 • by Zonkers (unregistered)
Why does everyone feel the need to reiterate their captchas in their comments? Is it not enough to type it once in that little textbox?

To be honest, it drives me a little batty to see these captcha comments sprinkled throughout the discussions. Although whatever, comment how you like.

Fourteenth!

Re: Taking the U out of UUID

2007-02-21 09:46 • by smartyPants (unregistered)
121656 in reply to 121641
me:
the wtf is that they're using the first 9 digits of the unique key...which no longer makes it unique.
ex:
849183758193 = uuid1
849183758194 = uuid2
and using the first 9 returns the same result, which means it's no longer unique.


So 1 in a billion isn't good enough for you? Lemme guess, you work for the state lottery commission, marketing department - you can't win if you don't play.

captcha - what's gygax?

Re: Taking the U out of UUID

2007-02-21 09:49 • by a/c (unregistered)
121658 in reply to 121652
KM:
The problem isn't the date. The WTF is the string truncation.


CreateUUID() returns the UUID as a string.

Re: Taking the U out of UUID

2007-02-21 09:53 • by Kuli (unregistered)
121660 in reply to 121648
Duston:
Anyone that says ColdFusion sucks must either be Hitler or a Nazi.

Or both.

Re: Taking the U out of UUID

2007-02-21 09:56 • by Nanashi (unregistered)
121661 in reply to 121656
It doesn't make much sense to have your "UUID" generated from time only. Sooner or later*, it will screw up and be a pain to fix.

*unless you are planning on the company being bankrupt in 6 months


Gary Gygax is well known for creating/working on table top rpgs, including D&D

captcha: waffles, but i'm typing "no".. and it didn't work, fine i'll type waffles

Re: Taking the U out of UUID

2007-02-21 09:57 • by Macgyver (unregistered)
121662 in reply to 121649
coldfusionsucks:
And why is this editor so messed up in konqueror?

Konqueror sucks. Happy now?

captcha: burned... Oh how appropriate!

Re: Taking the U out of UUID

2007-02-21 10:00 • by Bill (unregistered)
121663 in reply to 121656
smartyPants:
me:
the wtf is that they're using the first 9 digits of the unique key...which no longer makes it unique.
ex:
849183758193 = uuid1
849183758194 = uuid2
and using the first 9 returns the same result, which means it's no longer unique.


So 1 in a billion isn't good enough for you? Lemme guess, you work for the state lottery commission, marketing department - you can't win if you don't play.

captcha - what's gygax?


I think you're missing the point. Regardless of how long the substring is, taking a unique number and chopping off some of it could result in collisions much more frequently than the odds would lead you to believe. Try a small experiment - you don't need all that many iterations to see collisions when you truncate like that.

Captcha - riaa - Grrrrrrrrrrrrrrrrrrrrrr..

Re: Taking the U out of UUID

2007-02-21 10:08 • by fatdog
Third-party shopping cart system he'd been tasked with modifying


I shiver with pain and fear when I hear this kind of stuff.

Re: Taking the U out of UUID

2007-02-21 10:10 • by Raymond Chen
121665 in reply to 121654
a/c:
Actually as I look up the UUID format, the first eight characters (the ninth being a hyphen) are the least significant bits of the timestamp, which is not such a bad way to generate a pseudo-random number.

On the contrary. It's about as non-random as you can get -- it's 100% predictable! And of course, appending the date to a timestamp is redundant.

Two customers click "Submit" at the same time. Oops, they get the same customer ID.

Re: Taking the U out of UUID

2007-02-21 10:17 • by thorin (unregistered)
http://livedocs.adobe.com/coldfusion/6.1/htmldocs/functi54.htm

Creates a Universally Unique Identifier (UUID)
.
.
The ColdFusion UUID format is as follows:
xxxxxxxx-xxxx-xxxx-xxxxxxxxxxxxxxxx (8-4-4-16).


So all their UUIDs are now something like:
12345678-02-21-07

So the "Universally Unique Identifier" is the same for anything created that day...if they're only creating one of whatever is represented by IDstring per day I guess that works. (Though I'd tend to guess that IDstring is a user reference, the code doesn't really give us enough to know).

Re: Taking the U out of UUID

2007-02-21 10:19 • by danixdefcon5
In Soviet Russia, UUID writes U!!!

Chopping off UUIDs kind of defeats the purpose.

Reminds me of those dudes that converted letters to numbers to implement RSA ... resulting in screwed up code that would act funny with non-alpha characters. Somehow they didn't realize that all letters are already numbers (the ASCII code value) which is trivial to get.

Re: Taking the U out of UUID

2007-02-21 10:22 • by Wim Coenen (unregistered)
Assuming that the CreateUUID function returns a string of the form "550e8400-e29b-41d4-a716-446655440000", taking the first 9 characters will return "550e8400-". There are 8 random hexadecimal characters in there, so the number of possible outcomes for a given day is 16^8 = 4,294,967,296.

If two customers are added on a given day, the
probability of a collision is 1/(16^8).

If a thousand new customers are added on a given day, the
probability of a collision occurring is
1-((1-(1/(16^8)))^499500)
(499500 possible pairs, each with a chance of 1-1/(16^8) of NOT colliding)

That's a chance of less than 1 in 10,000 of creating a collision that day.

Conclusion: while this is a bug, the code is expected to
operate without creating collisions for decades (under the reasonable assumption that 1000 new customers each day is an upper limit).





Re: Taking the U out of UUID

2007-02-21 10:25 • by thorin (unregistered)
Ok so I oversimplified because I didn't read enough about CreateUUID (I'm not a CF guy).....however the point still stands that for a high activity site 8 characters isn't really enough uniqueness. Esp given we don't know if IDstring is UserID, CartID, LineItemID, etc....

Re: Taking the U out of UUID

2007-02-21 10:27 • by thorin (unregistered)
Conclusion: while this is a bug, the code is expected to operate without creating collisions for decades (under the reasonable assumption that 1000 new customers each day is an upper limit).


Where does it say IDstring is a customer?

Re: Taking the U out of UUID

2007-02-21 10:27 • by someone (unregistered)
121671 in reply to 121649
Because konqueror sucks! Bwaahahahahaha!

Man, you just walked into that one.

Re: Taking the U out of UUID

2007-02-21 10:27 • by Michael (unregistered)
121672 in reply to 121665
a/c:
Actually as I look up the UUID format, the first eight characters (the ninth being a hyphen) are the least significant bits of the timestamp, which is not such a bad way to generate a pseudo-random number.

smartyPants:
So 1 in a billion isn't good enough for you? Lemme guess, you work for the state lottery commission, marketing department - you can't win if you don't play.


The point being missed here is that they want a unique ID, not a random ID. A sequential ID is less likely to have a collision than a random ID, but the first 9 characters in a 10 character sequential ID would collide 90% of the time! This is like creating an MD5 hash, then truncating it to only 9 characters, it makes it significantly less useful.

Re: Taking the U out of UUID

2007-02-21 10:31 • by Zylon
121673 in reply to 121655
Zonkers:
Why does everyone feel the need to reiterate their captchas in their comments? Is it not enough to type it once in that little textbox?

Because stupid people will take any available opportunity to be annoying.

Re: Taking the U out of UUID

2007-02-21 10:32 • by a/c (unregistered)
121674 in reply to 121663
Bill:
I think you're missing the point. Regardless of how long the substring is, taking a unique number and chopping off some of it could result in collisions much more frequently than the odds would lead you to believe. Try a small experiment - you don't need all that many iterations to see collisions when you truncate like that.

The first eight characters of the UUID are actually the least significant bits of a 60-bit timestamp in 100ns intervals. The lower 32 bits repeat in a little over 7 minutes or about 200 times a day. (Remember the ID also incorporates the date, so there's no chance of collision on different days.)

Since most system clocks only do millisecond accuracy, you're only actually getting 86400000 different values in one day. The same number will repeat 200 times a day, so that's 200/86400000 or 1/432000 chance of collision.

Like I said, unless you're Amazon, it will probably be fine.

Re: Taking the U out of UUID

2007-02-21 10:35 • by Wim Coenen (unregistered)
121675 in reply to 121670
ThisCustomerID

Re: Taking the U out of UUID

2007-02-21 10:37 • by Wim Coenen (unregistered)
121676 in reply to 121670
thorin:
Conclusion: while this is a bug, the code is expected to operate without creating collisions for decades (under the reasonable assumption that 1000 new customers each day is an upper limit).


Where does it say IDstring is a customer?


ThisCustomerID

Re: Taking the U out of UUID

2007-02-21 10:38 • by Michael (unregistered)
121677 in reply to 121674
a/c:
Bill:
I think you're missing the point. Regardless of how long the substring is, taking a unique number and chopping off some of it could result in collisions much more frequently than the odds would lead you to believe. Try a small experiment - you don't need all that many iterations to see collisions when you truncate like that.

The first eight characters of the UUID are actually the least significant bits of a 60-bit timestamp in 100ns intervals. The lower 32 bits repeat in a little over 7 minutes or about 200 times a day. (Remember the ID also incorporates the date, so there's no chance of collision on different days.)

Since most system clocks only do millisecond accuracy, you're only actually getting 86400000 different values in one day. The same number will repeat 200 times a day, so that's 200/86400000 or 1/432000 chance of collision.

Like I said, unless you're Amazon, it will probably be fine.


You're still missing the point. Calculate the chances of CreateUUID returning the same thing twice in one day, then compare it to the chances you calculated above, and realize that the developer made extra effort to INCREASE the chances of collision. That is the WTF.

Re: Taking the U out of UUID

2007-02-21 10:41 • by Anonymous (unregistered)
121678 in reply to 121668
Wim Coenen:
If a thousand new customers are added on a given day, the
probability of a collision occurring is
1-((1-(1/(16^8)))^499500)
(499500 possible pairs, each with a chance of 1-1/(16^8) of NOT colliding)


Your math is wrong. This is the birthday paradox computation. The probability of no collision is (1 - 0/16^8)(1 - 1/16^8)(1 - 2/16^8)...(1 - 999/16^8). Doing this with double precision floating point (which will be off, but I don't feel like pulling out the exact arithmetic package right now) yields p = 0.999883707, or about 1 in 8600. The number of days that must pass before there is a 1 in 2 probability that a collision will have occurred is ceiling(log(1/2) / log(p)) = 5961. If we consider a 1% risk completely unacceptable, the time is ceiling(log(0.99) / log(p)) = 82 days!

Re: Taking the U out of UUID

2007-02-21 10:41 • by Wene Gerchinko (unregistered)
121679 in reply to 121673
Zylon:
Zonkers:
Why does everyone feel the need to reiterate their captchas in their comments? Is it not enough to type it once in that little textbox?

Because stupid people will take any available opportunity to be annoying.


Captcha = atari
yeah, that was an annoying company too.

Re: Taking the U out of UUID

2007-02-21 10:45 • by CynicalTyler (unregistered)
121680 in reply to 121673
Zylon:

Zonkers:
Why does everyone feel the need to reiterate their captchas in their comments? Is it not enough to type it once in that little textbox?

Because stupid people will take any available opportunity to be annoying.


Haha, captcha: slashbot! Get it?! Slashbot! Hey wait...

Re: Taking the U out of UUID

2007-02-21 10:46 • by etr (unregistered)
121681 in reply to 121674
a/c:
Bill:
I think you're missing the point. Regardless of how long the substring is, taking a unique number and chopping off some of it could result in collisions much more frequently than the odds would lead you to believe. Try a small experiment - you don't need all that many iterations to see collisions when you truncate like that.

The first eight characters of the UUID are actually the least significant bits of a 60-bit timestamp in 100ns intervals. The lower 32 bits repeat in a little over 7 minutes or about 200 times a day. (Remember the ID also incorporates the date, so there's no chance of collision on different days.)

Since most system clocks only do millisecond accuracy, you're only actually getting 86400000 different values in one day. The same number will repeat 200 times a day, so that's 200/86400000 or 1/432000 chance of collision.

Like I said, unless you're Amazon, it will probably be fine.


That's faulty logic... If you create an id every 7 minutes (exactly) then you're 100% guaranteed to get a collision... No?

The real chances of a collision are 50%. Either you will get one or you won't.

Re: Taking the U out of UUID

2007-02-21 10:49 • by Wim Coenen (unregistered)
121682 in reply to 121678
Anonymous:
Wim Coenen:
If a thousand new customers are added on a given day, the
probability of a collision occurring is
1-((1-(1/(16^8)))^499500)
(499500 possible pairs, each with a chance of 1-1/(16^8) of NOT colliding)


Your math is wrong. This is the birthday paradox computation. The probability of no collision is (1 - 0/16^8)(1 - 1/16^8)(1 - 2/16^8)...(1 - 999/16^8). Doing this with double precision floating point (which will be off, but I don't feel like pulling out the exact arithmetic package right now) yields p = 0.999883707, or about 1 in 8600. The number of days that must pass before there is a 1 in 2 probability that a collision will have occurred is ceiling(log(1/2) / log(p)) = 5961. If we consider a 1% risk completely unacceptable, the time is ceiling(log(0.99) / log(p)) = 82 days!


Accounting for the number of possible pairs (as I did) automatically accounts for the birthday paradox effect.

It is actually your math which is wrong. For n new customers, you have a probability factor (1 - n/16^8) in your calculation. For n>16^8, this results in a negative probability :D
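
The two formulas argued over in the posts above, evaluated side by side. This is an added example, not code from the thread or from the shopping cart system; the function names are made up here, and it assumes (as both posters do) that the 8 hex characters kept by the truncation are uniformly random. It also evaluates the 32-bit, 100 ns timestamp wrap period mentioned earlier in the thread and checks the formula against a small seeded simulation.

```python
import math
import random

SPACE = 16 ** 8  # 8 hex characters survive the truncation: 2**32 values


def p_collision_exact(n, space=SPACE):
    """Birthday product: 1 - prod_{k=0}^{n-1} (1 - k/space)."""
    if n > space:  # pigeonhole: more IDs than values, a collision is certain
        return 1.0
    # Sum logs instead of multiplying factors that are all very close to 1.
    log_unique = sum(math.log1p(-k / space) for k in range(n))
    return -math.expm1(log_unique)


def p_collision_pairs(n, space=SPACE):
    """Pair form: 1 - (1 - 1/space) ** C(n, 2), pairs treated as independent."""
    pairs = n * (n - 1) // 2
    return -math.expm1(pairs * math.log1p(-1 / space))


def days_until(risk, p_day):
    """Whole days until P(at least one day with a collision) reaches `risk`."""
    return math.ceil(math.log1p(-risk) / math.log1p(-p_day))


def time_low_wrap_seconds():
    """Seconds for a 32-bit counter of 100 ns ticks to wrap around."""
    return 2 ** 32 * 100e-9


def simulate(n, space, trials=2000, seed=1):
    """Fraction of trials in which n uniform draws from `space` collide."""
    rng = random.Random(seed)  # seeded so the run is repeatable
    hits = 0
    for _ in range(trials):
        seen = set()
        for _ in range(n):
            value = rng.randrange(space)
            if value in seen:
                hits += 1
                break
            seen.add(value)
    return hits / trials


if __name__ == "__main__":
    n = 1000  # new IDs per day, the figure used in the thread
    exact = p_collision_exact(n)
    pairs = p_collision_pairs(n)
    print(f"exact product : {exact:.6e} (about 1 in {1 / exact:.0f})")
    print(f"pair form     : {pairs:.6e}")
    print(f"difference    : {abs(exact - pairs):.1e}")
    print(f"days to 50%   : {days_until(0.5, exact)}")
    print(f"days to 1%    : {days_until(0.01, exact)}")
    wrap = time_low_wrap_seconds()
    print(f"32-bit wrap   : {wrap:.1f} s, {86400 / wrap:.0f} wraps per day")
    # Sanity check on a deliberately tiny space (3 hex chars, 50 IDs).
    print(f"simulated     : {simulate(50, 16 ** 3):.3f}")
    print(f"formula       : {p_collision_exact(50, 16 ** 3):.3f}")
```
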

Re: Taking the U out of UUID

2007-02-21 10:54 • by a/c (unregistered)
121683 in reply to 121677
Michael:
You're still missing the point. Calculate the chances of CreateUUID returning the same thing twice in one day, then compare it to the chances you calculated above, and realize that the developer made extra effort to INCREASE the chances of collision. That is the WTF.


Avoiding collision is not the only concern. It seems almost certain (from the additional MM-DD-YY tag) that the ID is intended to be human-readable. A 36-character UUID is too much if you have to read it over the phone, etc. The trade-off here seems entirely sensible.

Re: Taking the U out of UUID

2007-02-21 10:56 • by ssprencel
121684 in reply to 121682
Wim Coenen:
Anonymous:
Wim Coenen:
If a thousand new customers are added on a given day, the
probability of a collision occurring is
1-((1-(1/(16^8)))^499500)
(499500 possible pairs, each with a chance of 1-1/(16^8) of NOT colliding)


Your math is wrong. This is the birthday paradox computation. The probability of no collision is (1 - 0/16^8)(1 - 1/16^8)(1 - 2/16^8)...(1 - 999/16^8). Doing this with double precision floating point (which will be off, but I don't feel like pulling out the exact arithmetic package right now) yields p = 0.999883707, or about 1 in 8600. The number of days that must pass before there is a 1 in 2 probability that a collision will have occurred is ceiling(log(1/2) / log(p)) = 5961. If we consider a 1% risk completely unacceptable, the time is ceiling(log(0.99) / log(p)) = 82 days!


Accounting for the number of possible pairs (as I did) automatically accounts for the birthday paradox effect.

It is actually your math which is wrong. For n new customers, you have a probability factor (1 - n/16^8) in your calculation. For n>16^8, this results in a negative probability :D


This is now officially over my head. I think I'm going to go play in the archives for a little while.

Re: Taking the U out of UUID

2007-02-21 10:57 • by CynicalTyler (unregistered)
121685 in reply to 121678
Who cares how likely the chances of a collision are? There's a perfectly acceptable solution where the chance of collision is guaranteed under all circumstances to equal zero.

And I don't buy the "humans might need to parse it" argument. Humans can memorize thousands of digits of pi, so reading 32 numbers should be within the capabilities of the average office worker. Anyway, there's probably something wrong with your process if you require non-techies to interact with user IDs on a regular basis.

Re: Taking the U out of UUID

2007-02-21 10:59 • by Whitey (unregistered)
121686 in reply to 121681
etr:
a/c:
Bill:
I think you're missing the point. Regardless of how long the substring is, taking a unique number and chopping off some of it could result in collisions much more frequently than the odds would lead you to believe. Try a small experiment - you don't need all that many iterations to see collisions when you truncate like that.

The first eight characters of the UUID are actually the least significant bits of a 60-bit timestamp in 100ns intervals. The lower 32 bits repeat in a little over 7 minutes or about 200 times a day. (Remember the ID also incorporates the date, so there's no chance of collision on different days.)

Since most system clocks only do millisecond accuracy, you're only actually getting 86400000 different values in one day. The same number will repeat 200 times a day, so that's 200/86400000 or 1/432000 chance of collision.

Like I said, unless you're Amazon, it will probably be fine.


That's faulty logic... If you create an id every 7 minutes (exactly) then you're 100% guaranteed to get a collision... No?

The real chances of a collision are 50%. Either you will get one or you won't.


The REAL WTF - Nobody seems to understand the WTF.

OK everybody, let me explain it. The UUID is for the transaction. You take the customerID and that day's date string to make your UUID. This is fine as long as the same user doesn't try to make more than one purchase per day. That's the WTF. Man I thought the people who read this page were supposed to be smart

Re: Taking the U out of UUID

2007-02-21 11:01 • by JDS (unregistered)
121687 in reply to 121656
smartyPants:
me:
the wtf is that they're using the first 9 digits of the unique key...which no longer makes it unique.
ex:
849183758193 = uuid1
849183758194 = uuid2
and using the first 9 returns the same result, which means it's no longer unique.


So 1 in a billion isn't good enough for you? Lemme guess, you work for the state lottery commission, marketing department - you can't win if you don't play.

captcha - what's gygax?


stupidity + sarcasm - selfConsciousness = gold

Re: Taking the U out of UUID

2007-02-21 11:04 • by a/c (unregistered)
121689 in reply to 121681
etr:
That's faulty logic... If you create an id every 7 minutes (exactly) then you're 100% guaranteed to get a collision... No?

It's actually 7 minutes, 9 seconds and some change, but if for some reason you had a process repeating exactly on that interval, yes, you would get collisions. The probability of hitting the same mark also depends on the resolution of the system clock. If you actually had a clock with 100ns resolution, the probability would decrease 10,000-fold.

Re: Taking the U out of UUID

2007-02-21 11:05 • by Wim Coenen (unregistered)
121690 in reply to 121686
The REAL WTF - Nobody seems to understand the WTF.

OK everybody, let me explain it. The UUID is for the transaction. You take the customerID and that day's date string to make your UUID. This is fine as long as the same user doesn't try to make more than one purchase per day. That's the WTF. Man I thought the people who read this page were supposed to be smart


The customer ID isn't *used* in the code shown. It is *generated*.

Re: Taking the U out of UUID

2007-02-21 11:07 • by [twisti] (unregistered)
121691 in reply to 121665
I'd say the real WTF is not using a bad ID, but GETTING a UUID and then THROWING HALF OF IT AWAY.

It's like buying a server with 16gb ram and then taking 8gb out and throwing it in the trash.

Re: Taking the U out of UUID

2007-02-21 11:07 • by Jack (unregistered)
121692 in reply to 121649
is it coincidence that the captcha for this reply is "craaazy"?

Re: Taking the U out of UUID

2007-02-21 11:08 • by Russ (unregistered)
121693 in reply to 121649
coldfusionsucks:
Wow... half a dozen posts and no one has taken any "coldFusion sucks" shots yet. That has to be some kind of record.

The real WTF is that they used cold fusion. There, happy now?

And why is this editor so messed up in konqueror?

CAPTCHA: sanitarium


The WTF is that you can't spell ColdFusion