
The History of Random.org (2009) - unilynx
https://www.random.org/history/
======
cpach
I really hope that people don’t use random.org in prod. Use /dev/urandom
instead.

[https://sockpuppet.org/blog/2014/02/25/safely-generate-random-numbers/](https://sockpuppet.org/blog/2014/02/25/safely-generate-random-numbers/)

~~~
folkhack
You wouldn't believe how many "engineers" I've seen open up random.org's
string generator, and fiddle with the settings + copy a string from it only to
drop it into a terminal for a root password/etc.

Point-in-case, I saw 2-3 "DevOps" engineers do it in my last position... over
a screen share..! When you'd bring it up to people they would just roll their
eyes and call you paranoid. =(

~~~
smallbigfish
Devops = not quite a dev + not quite a sys admin.

~~~
ASalazarMX
Devops usually means "it's faster and cheaper because we don't have a
dedicated sysadmin". The union of good developers and good sysadmins is narrow
like that of developers and designers.

~~~
clwk
I think you mean 'intersection'.

~~~
ASalazarMX
Totally, unfortunately I'm too late to edit my mistake.

------
turdnagel
Kind of surprised at the lack of information about the current setup, which is
certainly most sophisticated and therefore the most interesting. How did they
manage to distribute the servers? What are they using now as a source of
randomness? Are there still notes on these nodes to keep away?

------
ian0
Really cool to see this here. Mads supervised my undergraduate thesis, I
remember him explaining the random.org setup when I asked about the servers &
radio sitting in the corner of his office. A super friendly and smart guy.

Of note, his office also contained a pretty legendary kendo sword linked up to
sensors (this was early 2000s). Ostensibly to assist with technique, but I'm
pretty sure it was for light sabre visualisations...

------
jackfoxy
Australian National University generates a random bit stream by measuring the
quantum fluctuations of the vacuum.
[http://qrng.anu.edu.au/index.php](http://qrng.anu.edu.au/index.php) A few
years ago I created an F# .NET library to consume this stream in varying ways.
[https://jackfoxy.github.io/RandomBits/](https://jackfoxy.github.io/RandomBits/)

~~~
doubleunplussed
The fatal flaw of course is that everyone accessing their stream gets the same
random data, making it substantially less random in the sense of others not
being able to predict it. So do not use for cryptography!

~~~
jackfoxy
I'm not a crypto expert. But I do know this stream is a firehose. Somewhere on
the site it says how much data is generated. I forget. Naively I would think
at least for some applications there would be no way to determine what part of
the stream had been sampled. And the stream connection is over https.

~~~
progval
> there would be no way to determine what part of the stream had been sampled

So the problem becomes to determine the offset of the stream you looked at,
which is an integer that probably fits in 64 bits.

------
nemo1618
I find it a little concerning that RANDOM.ORG doesn't make it clear that it a
_trusted service_, and cannot be relied on for secure entropy. The only
mention is this, buried in the FAQ:

>anyone genuinely concerned with security should not trust anyone else
(including RANDOM.ORG) to generate their cryptographic keys.

But the problems go beyond cryptographic keys. If you use RANDOM.ORG to pick
lottery winners, you're trusting that the numbers you get are as truly random
as they claim. In particular, the operators of RANDOM.ORG could trivially
inject deterministic entropy (generated from, e.g., AES-encrypting successive
integers) and this would be completely undetectable, even to statistical
tests.

IMO the site needs a big, scary disclaimer on the front page that describes
what applications it is appropriate for, and which ones should use a more
secure source of entropy.
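To make the point about undetectability concrete, here is an added example (not part of the thread) that runs the NIST SP 800-22 frequency (monobit) test over two constructed streams. The first is built deterministically from SHA-256 over a counter, standing in for the AES-CTR construction described above (same idea, standard library only); anyone holding the key can reproduce every byte. The second is a constructed, genuinely skewed stream. The deterministic stream passes and the skewed one fails, which is why a statistical test can audit a source's distribution but never its provenance. `counter_stream`, `skewed_stream`, the key strings and the test sizes are all constructed for the example.

```python
import hashlib
import math
import struct


def counter_stream(nbytes: int, key: bytes = b"constructed-secret") -> bytes:
    """Deterministic 'entropy': SHA-256 over successive counter values.

    Stand-in for AES-CTR (constructed for this example, stdlib only).
    Whoever knows `key` can reproduce the whole stream, yet its bits are
    statistically flat.
    """
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(key + struct.pack(">Q", counter)).digest()
        counter += 1
    return bytes(out[:nbytes])


def skewed_stream(nbytes: int) -> bytes:
    """Constructed biased source: the top bit of every byte is forced to 1,
    so roughly 56% of all bits are ones instead of 50%."""
    base = counter_stream(nbytes, key=b"constructed-skew")
    return bytes(b | 0x80 for b in base)


def fraction_of_ones(data: bytes) -> float:
    """Share of one-bits in the stream; 0.5 for a fair source."""
    n = len(data) * 8
    return sum(bin(b).count("1") for b in data) / n


def monobit_pvalue(data: bytes) -> float:
    """NIST SP 800-22 frequency (monobit) test.

    Map each bit to +1/-1, sum, and return the p-value of that sum under the
    hypothesis that the bits are fair and independent. The conventional
    rejection threshold is p < 0.01.
    """
    n = len(data) * 8
    ones = sum(bin(b).count("1") for b in data)
    s = 2 * ones - n                  # sum of the +1/-1 mapped bits
    s_obs = abs(s) / math.sqrt(n)
    return math.erfc(s_obs / math.sqrt(2))


if __name__ == "__main__":
    det = counter_stream(1 << 17)     # 128 KiB = 2^20 bits
    skew = skewed_stream(1 << 17)
    print(f"deterministic: ones={fraction_of_ones(det):.4f} p={monobit_pvalue(det):.4f}")
    print(f"skewed:        ones={fraction_of_ones(skew):.4f} p={monobit_pvalue(skew):.2e}")
```

The monobit test is only the first of the SP 800-22 battery, but every test in it has the same limitation: a well-keyed deterministic generator passes all of them by design, so passing says nothing about who else can predict the output.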

~~~
dorfsmay
Typo? Did you mean s/that it a/that it is not a/ ?

edit: given stan_rogers' comment below and a direct communication with
nemo1618 the typo is just the missing "is". The sentence should read:

"doesn't make it clear that it is a trusted service."

~~~
stan_rogers
No. The idea is that you use their service as opposed to running something on
your own machine, which eliminates you as a nefarious source of hanky-panky.
Think about running their list randomizer to pick one or more names from, say,
a list of raffle entrants. The "trust" isn't that the result is going to be
cryptographically random or anything like that, it's just an external service
you can't monkey with, which avoids accusations of cheating.

------
cpeterso
I keep a silly little script that could, in theory, be used to pull random
entropy from a remote source:

    # hash the fetched page together with every syscall timing strace reports
    strace -CTiv -ttt nice -n 19 curl -LNv "$URL" 2>&1 | shasum -a 512

$URL could be [https://news.yahoo.com](https://news.yahoo.com),
[https://news.google.com](https://news.google.com),
[https://wikipedia.org/wiki/Special:Random](https://wikipedia.org/wiki/Special:Random),
or some other website that returns a large, unique result for each request.
Even if someone was sniffing or logging the HTTP response, they wouldn't know
all the local timing information reported by curl and strace.

~~~
ThePirateofOz
Why visit a website, when you could do it yourself?

    #!/bin/bash

    read -r -p "How many digits?   " numlen

    # Keep only alphanumeric bytes from /dev/urandom; head -c stops the
    # pipeline once exactly numlen characters have been emitted, so the
    # output is never short even for long passwords.
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$numlen"; echo

------
nintendo1889
all one has to do is to find their microphone and play repeated noises into
it!

[https://i.guim.co.uk/img/static/sys-images/Film/Pix/pictures/2009/4/30/1241095118372/John-Cusack-in-Say-Anythi-002.jpg](https://i.guim.co.uk/img/static/sys-images/Film/Pix/pictures/2009/4/30/1241095118372/John-Cusack-in-Say-Anythi-002.jpg?width=300&quality=85&auto=format&fit=max&s=81710795e7c24c765ddfbadc3287ec5c)

------
arittr
As awesome as the original post is, for me the best part of this was becoming
aware of Michael Larson and Press Your Luck. Just a great story.

~~~
TazeTSchnitzel
Tragic ending though :(

------
vortico
How does one take a biased noise source (like atmospheric noise with a
certain spectral density) and convert it to a stream of uncorrelated random
bits? I've never understood this.

~~~
petters
Simpler problem: how do you take a biased coin and convert it into a perfect
source of random bits?

You flip the coin twice. If it comes up differently, you pick the first one.
Otherwise you repeat. That will produce 50/50 random bits, no matter what the
probability of the coin is.

~~~
vortico
This case is easy because the coin toss is independent. Radio noise is a time-
dependent signal.

~~~
mbreese
I always had it in my head that the way to do this with a random noise source
was to do what is done with radiation. Because radiation is emitted randomly,
but time dependent, you can measure the time differences between three (four?)
events. If the time between A-B is greater than the time between B-C, the
random bit is a one otherwise, it’s a zero. I think it works with just three
events, but I’m not sure.

You could do the same with audio noise by looking for peaks above a certain
value and using a similar time function.

I don’t know if that is really how it is done, so I might be misremembering.
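The two schemes in this sub-thread are both instances of the same extractor, so here is one added example (not part of the thread) that implements both: petters' biased-coin trick as `von_neumann`, and mbreese's "compare the gap between events" rule as `interarrival_bits`. It also includes a lag-1 autocorrelation check, because vortico's objection is the real caveat: the extractor removes bias under the assumption of independent trials, and it does not by itself remove correlation in a time-dependent source. `biased_coin` and `poisson_events` are constructed test sources (seeded pseudo-random, not real noise), and all function names are this example's own.

```python
import random
from typing import Iterable, Iterator, List, Sequence


def von_neumann(bits: Iterable[int]) -> Iterator[int]:
    """Von Neumann extractor (the biased-coin trick).

    Consume bits in non-overlapping pairs: (1,0) yields 1, (0,1) yields 0,
    equal pairs are discarded. With independent trials and fixed P(1)=p both
    kept outcomes have probability p*(1-p), so the output is exactly unbiased.
    Yield is about p*(1-p) output bits per input bit, so a heavily biased
    source is expensive to extract from.
    """
    it = iter(bits)
    for a in it:
        b = next(it, None)
        if b is None:          # odd trailing bit has no partner
            return
        if a != b:
            yield a


def interarrival_bits(timestamps: Sequence[float]) -> List[int]:
    """Timing-based variant: compare consecutive gaps between random events.

    Gaps are taken in non-overlapping pairs so each bit uses fresh intervals
    (three events give the first bit, every two more events one further bit).
    Longer gap first -> 1, shorter gap first -> 0, equal gaps are discarded.
    """
    gaps = [t1 - t0 for t0, t1 in zip(timestamps, timestamps[1:])]
    out: List[int] = []
    for i in range(0, len(gaps) - 1, 2):
        if gaps[i] > gaps[i + 1]:
            out.append(1)
        elif gaps[i] < gaps[i + 1]:
            out.append(0)
    return out


def bias(bits: Sequence[int]) -> float:
    """Fraction of ones; 0.5 for an unbiased stream."""
    return sum(bits) / len(bits)


def lag1_autocorrelation(bits: Sequence[int]) -> float:
    """Serial correlation between neighbouring bits; near 0 if uncorrelated.

    Debiasing does not guarantee this is small: a correlated (time-dependent)
    source needs whitening or hashing on top of the extractor.
    """
    n = len(bits)
    mean = sum(bits) / n
    num = sum((bits[i] - mean) * (bits[i + 1] - mean) for i in range(n - 1))
    den = sum((b - mean) ** 2 for b in bits)
    return num / den if den else 0.0


def biased_coin(n: int, p_one: float, seed: int = 1) -> List[int]:
    """Constructed source: independent flips with P(1)=p_one (seeded PRNG)."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]


def poisson_events(n: int, rate: float, seed: int = 2) -> List[float]:
    """Constructed source: event times with exponential gaps, the memoryless
    arrival pattern of a radioactive source (seeded PRNG, not a real detector)."""
    rng = random.Random(seed)
    t, times = 0.0, []
    for _ in range(n):
        t += rng.expovariate(rate)
        times.append(t)
    return times


if __name__ == "__main__":
    raw = biased_coin(200_000, p_one=0.8)
    clean = list(von_neumann(raw))
    print(f"raw bias {bias(raw):.3f} -> extracted bias {bias(clean):.3f}, "
          f"{len(clean)} bits from {len(raw)}, lag-1 corr {lag1_autocorrelation(clean):+.3f}")
    ticks = interarrival_bits(poisson_events(100_000, rate=3.0))
    print(f"inter-arrival bits: bias {bias(ticks):.3f}, {len(ticks)} bits from 100000 events")
```

Run stand-alone it shows the 80/20 coin coming out at roughly 50/50 with about a third of the input length surviving, and the timing scheme producing one balanced bit per pair of gaps. Real designs (including the ones the thread links) still pass the extracted bits through a hash or block cipher before use, precisely because the independence assumption rarely holds for physical noise.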

------
sleavey
I bet their email servers get a huge amount of spam. I've made up a fair few
addresses for airport WiFi using "[xyz]@random.com".

~~~
unilynx
Well fortunately they’re .org. But next time, consider example.com/net/org.

~~~
cpeterso
Or mailinator.com or one of its many aliases.

------
alpb
Related: Cloudflare offices in SF have a lava lamp wall called LavaRand lava
lamps as a secondary source of randomness for their production servers.

[https://blog.cloudflare.com/randomness-101-lavarand-in-production/](https://blog.cloudflare.com/randomness-101-lavarand-in-production/)

[https://blog.cloudflare.com/lavarand-in-production-the-nitty-gritty-technical-details](https://blog.cloudflare.com/lavarand-in-production-the-nitty-gritty-technical-details)

[https://www.fastcompany.com/90137157/the-hardest-working-office-design-in-america-encrypts-your-data-with-lava-lamps](https://www.fastcompany.com/90137157/the-hardest-working-office-design-in-america-encrypts-your-data-with-lava-lamps)

