1698: Theft Quadrants

Explain xkcd: It's 'cause you're dumb.
Jump to: navigation, search
Theft Quadrants
TinyURL was the most popular link shortener for long enough that it made it into a lot of printed publications. I wonder what year the domain will finally lapse and get picked up by a porn site.
Title text: TinyURL was the most popular link shortener for long enough that it made it into a lot of printed publications. I wonder what year the domain will finally lapse and get picked up by a porn site.


This is an Eisenhower box comparing how difficult it is to steal a specified object with the severity of the theft.

It is very hard to steal nuclear launch codes. They are protected by many layers of federal security. That's a good thing, too, since if they were stolen, they could be used to start a nuclear war, which would cause untold death and destruction. It is generally not a good idea to give thieves nuclear codes.[citation needed]

It is also hard to steal the Crown Jewels, since they are protected by a complex security system. But if they were stolen, it wouldn't be so bad for most people; the only direct loss would be to its owners, the British royal family, who are well-insured for thefts and only use the Crown Jewels as a display piece for museumgoers. It would also be a loss to the public as a cultural and historical artifact, but would have little practical effect on the world.

It wouldn't be too hard to steal the Wienermobile[citation needed] (a car shaped like a hot-dog, advertising the Oscar Mayer brand). There are several versions of this car, and it would not be more difficult to steal than any other car, although harder to hide. Randall seems to consider that such a stolen vehicle would not be too bad, although he has previously referred to a stolen Wienermobile in 935: Missed Connections, which is driven recklessly, almost hitting someone. But it is not bad enough to consider it a big problem in a context when it is compared with stolen nuclear launch codes.

It also wouldn't be hard (or at least, not as hard as stealing nuclear launch codes or the Crown Jewels) to steal the tinyurl.com domain name, but the consequences of that could be significant and is thus listed under very bad. The joke is of course that this is listed as just as bad as the risk of a nuclear war, and of course it is not as significant, but it could swiftly result in damage to a lot of important computers, and ruin references in journals etc.

TinyURL offers a URL shortening service. They provide short URLs that redirect to long ones. This is useful if you want to write down a very long URL as it saves typing and is more accurate. Other companies, including bit.ly, Google (ultimately fully discontinued March 30, 2019), and Twitter offer a similar service. TinyURL was, for a while, the most popular of these URL shortening services. If their domain name were stolen, all the redirects from short URLs could be changed to forward traffic to sites hosting, for example, malware. This would have significant effects on a large number of people, because TinyURL is used in many places both online and (as the title text notes) even sometimes offline.

In the title text Randall implies that stealing the tinyurl.com domain could happen when it next expires. A whois search as of February 2021 finds that the tinyurl.com domain is next due for renewal in January 2029. However, rule changes made by ICANN (the organization in charge of domain name registrations) now make it effectively impossible to steal a domain name because the owner allowed its registration to lapse. Current rules for .com registrations now allow for the original owner to renew their domain name after it expires during a 0-45 day auto-renew grace period. The exact length of this grace period depends on what company the domain is registered with. All registrars are then required to give a 30 day redemption grace period during which the domain may be renewed with penalty. As a result, tinyurl.com would have a 30-75 day period after expiration during which the domain is not available for registration by a third party. ICANN rules state that DNS resolution must be stopped during the redemption grace period, which means that there will be a 30 day period during which tinyurl.com will no longer work but the company will have the ability to quickly restore ownership of their domain. It is very unlikely that any company that is still in business would not notice that their domain name has expired before the end of the 30 day redemption grace period.

Another way to steal a domain name would be through domain name hijacking. There have been some high profile cases of domain name hijacking, with one of the more notable domains being nike.com in 2000. However, whether or not this is a risk for any particular domain name is difficult to estimate. Additional security mechanisms such as domain name locking and private registrations have been introduced to mitigate the threat of domain name hijacking. Further, domain name hijacking relies on situation-specific attacks such as hacking email accounts, spoofing emails, and social engineering attacks against either the company who owns the domain name or the company who registers the domain name. For security-conscious companies, such attacks can be impossible, or at least an attacker's success may require security failures in more than one area. A summary of domain hijacking examples including an analysis of how they succeeded and what steps could have prevented them can be found here. In short though, there is no way to say for sure how vulnerable any particular domain name might be to hijacking.


[A chart with an Eisenhower box, consisting of four labelled squares. To the left the rows are labelled hard and easy and two lines goes to from these labels to a description of what the labels refer to saying "how hard thing would be to steal". On the bottom the rows are labelled not that bad and very bad and two lines goes to from these labels to a description of what the labels refer to saying "how bad it would be if someone stole it". The top left box is labelled "the Crown Jewels". The top right box is labelled "the nuclear launch codes". The bottom left box is labelled "the Oscar Mayer Wienermobile. The bottom right box is labelled "the tinyurl.com domain name".]

comment.png add a comment! ⋅ comment.png add a topic (use sparingly)! ⋅ Icons-mini-action refresh blue.gif refresh comments!


Come to think of it, I haven't accidentally hit a porn site in years. Is Randall even referring to a real problem? Anyone remember whitehouse dot com? And for the record, kids, don't do porn. tbc (talk) 12:27, 24 June 2016 (UTC)

I think the sentences "It is hard to steal nuclear launch codes. And a good thing too since they could be used to start a nuclear war." are weird... to me on the first read it sounded like it is a good thing to steal them...

What is it with Randall and stealing wienermobiles? xkcd 935 15:12, 24 June 2016 (UTC)

I added it to the explanation, thanks! Elipongo (talk) 16:16, 24 June 2016 (UTC)
There's also a wienermobile in xkcd 1110 parked to the right of the Burj. 11:03, 27 June 2016 (UTC)

A somewhat similar thing really happened in one of the URL shortening services in Taiwan. This case is not that the domain is stolen; the problem is that its database storing shortened URL mappings, because of some mis-operation in converting database data, is rolled back and some shortened URLs are "double-booked." According to the announcement of the service, this affects over 234 thousand entries in the database. This leads to PTT, the largest terminal-based bulletin board system in Taiwan, bans shortened URLs from this service. -- 20:21, 24 June 2016 (UTC)

sites can be particularly vulnerable if they do not maintain their web site - what? You can have domain name without ANY web site at all. "lapse" likely refers to owners stopping paying. -- Hkmaly (talk) 11:09, 25 June 2016 (UTC)

(Trying again... the CAPTCHA is glitching out on me.) "It is also hard to steal the Crown Jewels, since they are protected by a complex security system." - The items that are the first linked items are not at the location the second link points to... 16:20, 25 June 2016 (UTC)

In line with the above comments: the whole section on the crown jewels and the wienermobile seem to miss the point and get hung up on very minor details. Stealing the crown jewels would make a few people fabulously rich, a few people significantly poorer (or jailed, or court-martialled, depending), but would hardly affect anyone else in real terms other than making millions of people - all around the world - very upset. Saying that Randall erroneously assumes that there would be little consequence to stealing the wienermobile is just silly: there is nothing erroneous about it since it could never have a material effect on more than a few individuals, and the possibility of someone being injured or killed during the robbery is irrelevant since it applies equally well to the nuclear or crown jewels options. 16:12, 26 June 2016 (UTC)

In regards to stealing tinyurl.com, I don't think it would actually be that easy. In the title text Randall suggests picking up the domain name when it expires. Because some domains were stolen that way in the past, ICANN has changed the rules for the major top-level-domains, including .com. Now, after a domain name expires, the original register has a 45 day auto-renew grace period where they can re-register it without penalty. If they miss that period, they have an additional 30 day grace period where it can be re-registered with a penalty. The domain name stops working when it initially expires so it would be nearly impossible for a company like tinyurl to get to the end of both grace periods without noticing and fixing the problem. These new rules make it effectively impossible for an organization to lose its domain name by failing to renew on a timely basis. Reference

Since Randall only mentioned domain expiration as the way it might be stolen, it is unclear whether or not he was considering a more direct domain name hijacking. I'm less familiar with how easy domain hijacking might be but considering that their entire business depends on their domain name, I can't imagine it would actually be that easy.

Regarding the current explanation (and has been pointed out already), saying that "sites can be particularly vulnerable if they do not maintain their web site" is very wrong. This has nothing to do with maintaining a website, and only has to do with maintaining thei domain name. The website and domain name are two very different things, so this isn't just a matter of nitpicking. However, as I have explained above, the entire concept is no longer correct. There is now a grace period up to 75 days long for .com domains during which registrars are not allowed to sell the domain name to another third party. -- Cmancone (talk) (please sign your comments with ~~~~)

It might be a lot easier than you think to steal the launch codes. For nearly 20 years the USA's launch code was 00000000. 22:51, 27 June 2016 (UTC)

Be honest: if you were to guess the launch codes, would you have guessed that? Phineas81707 (talk) 14:11, 28 June 2016 (UTC)

This is a bit of a style guide comment: can we please leave the Citation Needed Joke out of "nuclear war is bad"? The joke worked in our explanation of 180: Canada because it was related to the comic itself. Here, not so much. 01:43, 30 June 2016 (UTC)

The description seems to assume that “printed publication” means “offline articles”. It also means “scientific article which passed peer-review”, hence a joke as serious scientific paper may be discredited as potentially redirecting to porn websites. Does anyone also share my interpretation? Greatfermat (talk) 16:14, 2 November 2016 (UTC)

https://tinyurl.com/Theft-Quadrants Opalzukor (talk) 15:31, 3 March 2021 (UTC)

Guise! It finally happened! It's getting patched rapidly. https://www.vice.com/en/article/qj8xz3/a-defunct-video-hosting-site-is-flooding-normal-websites-with-hardcore-porn 02:04, 23 July 2021 (UTC)

I'm sceptical about just how bad stealing the launch codes would really be; there's a lot of procedure beyond just having the right codes, and they change them every day anyway so your window is really small. 21:17, 24 July 2021 (UTC)