1698: Theft Quadrants

Revision as of 12:55, 27 June 2016 by Cmancone (talk | contribs) (Explanation)
Title text: TinyURL was the most popular link shortener for long enough that it made it into a lot of printed publications. I wonder what year the domain will finally lapse and get picked up by a porn site.


This explanation may be incomplete or incorrect: How difficult would it be to steal TinyURL, really? Is it a real problem?

This is an "Eisenhower box" comparing how difficult it is to steal a specified thing with the severity of the theft.

It is very hard to steal nuclear launch codes. They are protected by many layers of federal security. That's a good thing, too, since if they were stolen, they could be used to start a nuclear war, which would be bad [citation needed].

It is also hard to steal the Crown Jewels, since they are protected by a complex security system. But if they were stolen, it wouldn't be so bad for most people.

It wouldn't be too hard to steal a Wienermobile (a car shaped like a hot dog, advertising the Oscar Mayer brand). Several versions of this car have been made, and it would be no more difficult to steal than any other car, although harder to hide. Randall seems to consider that such a stolen vehicle would not be too bad, although he has previously referred to a stolen Wienermobile in 935: Missed Connections, where it is driven recklessly and almost hits someone. But that is not bad enough to count as a big problem in a context where it is compared with stolen nuclear codes.

It also wouldn't be hard (or at least, not as hard as stealing nuclear launch codes or the Crown Jewels) to steal the tinyurl.com domain name, but the consequences could be significant, so it is listed under very bad. The joke is, of course, that this is listed as just as bad as the risk of a nuclear war. It is not that significant, but it could swiftly result in damage to a lot of important computers and ruin references in journals, etc.

TinyURL offers a URL shortening service: it provides short URLs that redirect to long ones. This is useful if you want to write down a very long URL, as it saves typing and is more accurate. Other companies, including bit.ly, Google and Twitter, offer a similar service. TinyURL was, for a while, the most popular of these URL shortening services. If its domain name were stolen, all the redirects from short URLs could be changed to forward traffic to sites hosting, for example, malware. This would have significant effects on a large number of people, because TinyURL is used in many places both online and (as the title text notes) even sometimes offline.

Domain hijacking is relatively common [citation needed]. If a cracker can obtain personal information about the domain owner, they can impersonate them to the domain registrar, and obtain control of the domain, and with that control defraud a large number of people.

A whois search as of June 2016 finds that the tinyurl.com domain is next due for renewal in June 2018. However, rule changes made by ICANN (the organization in charge of domain name registrations) now make it effectively impossible to steal a domain name by waiting for the owner to let its registration lapse. Current rules for .com registrations allow the original owner to renew their domain name after it expires, during a 0-45 day auto-renew grace period. The exact length of this grace period depends on who the domain is registered with. All registrars are required to give a 30-day redemption grace period during which the domain may be renewed with a penalty. As a result, tinyurl.com would have a 30-75 day period after expiration during which the domain is not available for registration by a third party. ICANN rules state that DNS resolution must be stopped during the redemption grace period, which means that there will be a 30-day period during which tinyurl.com will no longer work but the company will have the ability to quickly restore ownership of its domain.
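The grace periods described above can be turned into a renewal check that a domain owner's monitoring job might run. This is an added example, not part of the original explanation; the function names are hypothetical, the expiry day is constructed (the page gives only "June 2018"), and the expiry date is assumed to count as the first lapsed day.

```python
from datetime import date, timedelta

MAX_AUTO_RENEW_GRACE = 45  # days; registrar-dependent (0-45), per the text above
REDEMPTION_GRACE = 30      # days; required of every registrar, per the text above

# Constructed sample: the page gives only "June 2018", the day is made up.
SAMPLE_EXPIRY = date(2018, 6, 15)


def lifecycle(expiry, auto_renew_grace_days):
    """Phase boundaries after a lapse (hypothetical helper, not a registrar API)."""
    if not 0 <= auto_renew_grace_days <= MAX_AUTO_RENEW_GRACE:
        raise ValueError("auto-renew grace period must be 0-45 days")
    redemption_start = expiry + timedelta(days=auto_renew_grace_days)
    return {
        "redemption_start": redemption_start,
        "protection_ends": redemption_start + timedelta(days=REDEMPTION_GRACE),
    }


def phase_on(today, expiry, auto_renew_grace_days):
    """Name the phase on `today`; the expiry date counts as the first lapsed day."""
    bounds = lifecycle(expiry, auto_renew_grace_days)
    if today < expiry:
        return "registered"
    if today < bounds["redemption_start"]:
        return "auto-renew grace"
    if today < bounds["protection_ends"]:
        return "redemption grace"
    return "protection ended"


def renewal_alert(today, expiry, auto_renew_grace_days, warn_days=60):
    """Alert text for the owner's monitoring job, or None when nothing is due."""
    phase = phase_on(today, expiry, auto_renew_grace_days)
    if phase == "registered":
        left = (expiry - today).days
        return f"WARN: expires in {left} days" if left <= warn_days else None
    if phase == "protection ended":
        return "CRITICAL: grace periods exhausted"
    ends = lifecycle(expiry, auto_renew_grace_days)["protection_ends"]
    return f"CRITICAL: {phase}, {(ends - today).days} days until protection ends"


if __name__ == "__main__":
    for grace in (0, 45):  # shortest and longest registrar grace period
        print(grace, lifecycle(SAMPLE_EXPIRY, grace)["protection_ends"])
```

The same calendar date can fall in different phases depending on the registrar's auto-renew grace length, which is why the check takes that length as an input rather than assuming 45 days.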


[A chart with an Eisenhower box, consisting of four labeled squares. To the left, the rows are labeled, and two lines go from these labels to a description of what the labels refer to. Below is a similar labeling of the columns, also with two lines going from these labels to the description.]

How hard thing would be to steal

The Crown Jewels
The nuclear launch codes

The Oscar Mayer Wienermobile
The tinyurl.com domain name

Not that bad
Very bad

How bad it would be if someone stole it



Come to think of it, I haven't accidentally hit a porn site in years. Is Randall even referring to a real problem? Anyone remember whitehouse dot com? And for the record, kids, don't do porn. tbc (talk) 12:27, 24 June 2016 (UTC)

I think the sentences "It is hard to steal nuclear launch codes. And a good thing too since they could be used to start a nuclear war." are weird... to me on the first read it sounded like it is a good thing to steal them...

What is it with Randall and stealing wienermobiles? xkcd 935 15:12, 24 June 2016 (UTC)

I added it to the explanation, thanks! Elipongo (talk) 16:16, 24 June 2016 (UTC)
There's also a wienermobile in xkcd 1110 parked to the right of the Burj. 11:03, 27 June 2016 (UTC)

A somewhat similar thing really happened in one of the URL shortening services in Taiwan. This case is not that the domain is stolen; the problem is that its database storing shortened URL mappings, because of some mis-operation in converting database data, is rolled back and some shortened URLs are "double-booked." According to the announcement of the service, this affects over 234 thousand entries in the database. This led PTT, the largest terminal-based bulletin board system in Taiwan, to ban shortened URLs from this service. -- 20:21, 24 June 2016 (UTC)

sites can be particularly vulnerable if they do not maintain their web site - what? You can have domain name without ANY web site at all. "lapse" likely refers to owners stopping paying. -- Hkmaly (talk) 11:09, 25 June 2016 (UTC)

(Trying again... the CAPTCHA is glitching out on me.) "It is also hard to steal the Crown Jewels, since they are protected by a complex security system." - The items that are the first linked items are not at the location the second link points to... 16:20, 25 June 2016 (UTC)

In line with the above comments: the whole section on the crown jewels and the wienermobile seems to miss the point and get hung up on very minor details. Stealing the crown jewels would make a few people fabulously rich, a few people significantly poorer (or jailed, or court-martialled, depending), but would hardly affect anyone else in real terms other than making millions of people - all around the world - very upset. Saying that Randall erroneously assumes that there would be little consequence to stealing the wienermobile is just silly: there is nothing erroneous about it since it could never have a material effect on more than a few individuals, and the possibility of someone being injured or killed during the robbery is irrelevant since it applies equally well to the nuclear or crown jewels options. 16:12, 26 June 2016 (UTC)

In regards to stealing tinyurl.com, I don't think it would actually be that easy. In the title text Randall suggests picking up the domain name when it expires. Because some domains were stolen that way in the past, ICANN has changed the rules for the major top-level-domains, including .com. Now, after a domain name expires, the original register has a 45 day auto-renew grace period where they can re-register it without penalty. If they miss that period, they have an additional 30 day grace period where it can be re-registered with a penalty. The domain name stops working when it initially expires so it would be nearly impossible for a company like tinyurl to get to the end of both grace periods without noticing and fixing the problem. These new rules make it effectively impossible for an organization to lose its domain name by failing to renew on a timely basis. Reference

Since Randall only mentioned domain expiration as the way it might be stolen, it is unclear whether or not he was considering a more direct domain name hijacking. I'm less familiar with how easy domain hijacking might be but considering that their entire business depends on their domain name, I can't imagine it would actually be that easy.

Regarding the current explanation (and has been pointed out already), saying that "sites can be particularly vulnerable if they do not maintain their web site" is very wrong. This has nothing to do with maintaining a website, and only has to do with maintaining their domain name. The website and domain name are two very different things, so this isn't just a matter of nitpicking. However, as I have explained above, the entire concept is no longer correct. There is now a grace period up to 75 days long for .com domains during which registrars are not allowed to sell the domain name to another third party. -- Cmancone (talk) (please sign your comments with ~~~~)

It might be a lot easier than you think to steal the launch codes. For nearly 20 years the USA's launch code was 00000000. 22:51, 27 June 2016 (UTC)

Be honest: if you were to guess the launch codes, would you have guessed that? Phineas81707 (talk) 14:11, 28 June 2016 (UTC)

This is a bit of a style guide comment: can we please leave the Citation Needed Joke out of "nuclear war is bad"? The joke worked in our explanation of 180: Canada because it was related to the comic itself. Here, not so much. 01:43, 30 June 2016 (UTC)

The description seems to assume that “printed publication” means “offline articles”. It also means “scientific article which passed peer-review”, hence a joke as serious scientific paper may be discredited as potentially redirecting to porn websites. Does anyone also share my interpretation? Greatfermat (talk) 16:14, 2 November 2016 (UTC)

https://tinyurl.com/Theft-Quadrants Opalzukor (talk) 15:31, 3 March 2021 (UTC)

Guise! It finally happened! It's getting patched rapidly. https://www.vice.com/en/article/qj8xz3/a-defunct-video-hosting-site-is-flooding-normal-websites-with-hardcore-porn 02:04, 23 July 2021 (UTC)

I'm sceptical about just how bad stealing the launch codes would really be; there's a lot of procedure beyond just having the right codes, and they change them every day anyway so your window is really small. 21:17, 24 July 2021 (UTC)