But the main problem is that he thinks UUIDs are supposed to be random when they're not - their only guarantee is uniqueness. MySQL uses (IIRC) V1 UUIDs, which combine a MAC address with time, while only V4 UUIDs are random.
The MAC address is a worse problem, honestly, than that they're not random. That means your database is leaking information about which host generated the UUID, which would be useful to someone trying to exploit a particular host.
Or if you have an application installed on personal machines, it's leaking identifying information about those machines.
This is true. I wish I could find the article, but years ago I remember malicious hackers that were identified by law enforcement because their virus included some Windows GUIDs, which at the time included the MAC address.
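The disclosure discussed in this thread, shown as an added example that is not part of the original comments: a Python audit helper that decodes what a version 1 UUID reveals (generating host's node address and creation time) and flags the ones carrying a hardware-style MAC. The function names and the sample node values are constructed for illustration; the multicast-bit test follows RFC 4122, which requires non-MAC node IDs to set that bit.

```python
import uuid
from datetime import datetime, timedelta, timezone

# UUID v1 timestamps count 100 ns ticks from the start of the Gregorian calendar.
GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)


def inspect_uuid(value):
    """Return what a UUID discloses about the host and time that generated it."""
    u = uuid.UUID(str(value))
    report = {"uuid": str(u), "version": u.version, "leaks_host": False}
    if u.variant != uuid.RFC_4122 or u.version != 1:
        # v4 is random bits; only v1 has the MAC-plus-time layout decoded below.
        return report
    node = u.node
    mac = ":".join(f"{(node >> shift) & 0xFF:02x}" for shift in range(40, -8, -8))
    # RFC 4122: a node ID that is not a real MAC must set the multicast bit
    # (lowest bit of the first octet), so an unset bit suggests a hardware address.
    multicast = bool((node >> 40) & 0x01)
    report.update(
        generated_at=GREGORIAN_EPOCH + timedelta(microseconds=u.time // 10),
        clock_seq=u.clock_seq,
        node=mac,
        leaks_host=not multicast,
    )
    return report


def audit(values):
    """Return reports for the identifiers that expose a hardware-style address."""
    return [r for r in map(inspect_uuid, values) if r["leaks_host"]]


if __name__ == "__main__":
    # Constructed samples: two v1 UUIDs with made-up node values, one v4 UUID.
    samples = [
        uuid.uuid1(node=0x001122334455),  # multicast bit clear: looks like a MAC
        uuid.uuid1(node=0x011122334455),  # multicast bit set: random-style node
        uuid.uuid4(),
    ]
    for r in audit(samples):
        print(r["uuid"], "node", r["node"], "generated", r["generated_at"].isoformat())
```

Even when the node is randomized, a v1 UUID still carries its creation time, so `generated_at` is worth reviewing before such identifiers are exposed to users.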