Exploiting Network Captures For Truer Randomness
First time accepted submitter ronaldm writes "As a composer who uses computers for anything and everything from engraving to live performance projects, it's periodically of some concern that computers do exactly what they're supposed to do — what they're told. Introducing imperfections into music to make it sound more 'natural' is nothing new: yet it still troubles me that picking up random data from /dev/random to do this is, well, cheating. It's not random. It bugs me. So, short of bringing in and using an atomic source, here's a way to embrace natural randomness — and bring your packet captures to life!"
The imperfections in music aren't perfectly random either, so what's the big deal?
which is totally what she said
The vast majority of traffic is either html or email. Very structured data. It's sufficiently random to use for a video game or the like, but it's definitely not random from a cryptography point of view. So you're doing things the hard way with no discernible benefit. Total waste of time.
I still have more fans than freaks. WTF is wrong with you people?
Network captures do not embody "natural randomness". Packets are produced by computers too, not by the entropy of the universe or something. This guy has toked a little too much ganja. They're probably not even as random as a regular pseudorandom number generator. The latter makes some guarantees with regards to what you'll get out and ensures that no basic patterns are present. Network captures don't have these features. Depending on the computer, the network, and so on the incoming packets may be quite deliberate and ordered.
This seems like a fairly lame variant of the environmental entropy gathering which *is* what /dev/random does...
I recall reading that /dev/random will pull from any system modules that are capable of being noisy. Like radios or network equipment.
It would make sense too.
Also, network packets are not a very good source of entropy. Atmospheric noise from a radio is.
Network packets have structured data being sent through them, often in the form of English text.
The lavarnd.org folks have all the source you need and a reference implementation that literally is a webcam stuffed in a dark can. When you can get such high quality entropy for less than US $30, it seems like anything else must just be for fun. Some opaque tape over the camera on many laptops should work fine too.
refactor the law, its bloated, confusing and unmaintainable.
/dev/random on most OSes these days uses an entropy pool generated from a bunch of different sources - timing of keystrokes, mouse movements, disk seeking - and yes, network information. Then it uses cryptographic hashes on those.
Your implementation basically uses one of those entropy sources, and then doesn't even hash it...
/dev/random is about as random as you'll get. I presume your issue is that the pool is exhausted for the given desire. /dev/urandom is your endless supply of 'good-enough' random for something like this. If your criticism is that it isn't really 'random', it's no less random than your pcap stream. Besides, given the application 'true' randomness will not be distinguishable from good pseudo-random.
If you wanted to be random and artistic, then maybe point a webcam at a fireplace or something as an entropy source.
XML is like violence. If it doesn't solve the problem, use more.
/dev/random is already gathering environmental entropy from hardware sources and (except if you're running it on a virtual machine), it should produce data with good entropy that's truly random and is not coming from a pseudo RNG algorithm.
Now, of course, if you XOR it with the network data you might increase entropy, but if it happens that /dev/random already uses it, you're not gaining anything, or in fact make things worse.
But, please, if you think that /dev/random isn't providing data that's random enough, suggestions and patches would be welcome. Even if they don't get accepted in the mainline kernel, you can still distribute them.
Another issue: I'd encrypt the data from the network source or XOR it with a pseudo RNG, because otherwise you might be leaking sensitive data through your "random" numbers.
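Added example, not part of any commenter's post: a short Python check of the points raised above, that raw capture bytes are structured and can leak what was on the wire, while hashing them first does neither. The sample payload, the token string and the SHA-256 counter construction are constructed for this illustration and are not what /dev/random itself does.

```python
import hashlib
import os
import zlib

# Constructed sample: the kind of structured payload a capture mostly holds.
CAPTURED = (
    b"GET /inbox HTTP/1.1\r\nHost: mail.example.test\r\n"
    b"Cookie: session=CONSTRUCTED-SECRET-TOKEN\r\n"
    b"Accept: text/html\r\n\r\n"
) * 40


def compression_ratio(data: bytes) -> float:
    """Compressed size / original size; about 1.0 means zlib found no structure."""
    return len(zlib.compress(data, 9)) / len(data)


def raw_stream(capture: bytes, n: int) -> bytes:
    """The approach criticised in the thread: hand out capture bytes as-is."""
    return capture[:n]


def conditioned_stream(capture: bytes, n: int) -> bytes:
    """Mix the capture with OS randomness, then expand with SHA-256 in counter mode.

    Hashing adds no entropy of its own; the os.urandom input is what keeps the
    output unpredictable to someone who also saw the packets.
    """
    seed = hashlib.sha256(os.urandom(32) + capture).digest()
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n])


def report(n: int = 4096) -> dict:
    raw, cond = raw_stream(CAPTURED, n), conditioned_stream(CAPTURED, n)
    return {
        "raw_ratio": compression_ratio(raw),
        "conditioned_ratio": compression_ratio(cond),
        "urandom_ratio": compression_ratio(os.urandom(n)),
        "raw_leaks_token": b"SECRET-TOKEN" in raw,
        "conditioned_leaks_token": b"SECRET-TOKEN" in cond,
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```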
Actually, many people would sell you the answer. And they don't have nobel-prices[sic].
See http://en.wikipedia.org/wiki/Hardware_random_number_generator for an overview of the devices you're looking for.
"$30 for the One True Ring. $10 each additional ring!" -- JRR "Bob" Tolkien
Are you sure about those two statements?
However, you do have a point... while computer theoretical models do exactly what they're told to do, as soon as you introduce a physical implementation, the computer will do whatever its environment tells it to do -- this is not always the same thing as what the computer operator tells it to do.
Similarly, the ocean does exactly as it is told to do... of course, this interaction is so complex, that a mere human being would be unable to untangle all of the instructions given to the ocean by various external influences.
Also, I'd argue that it is highly possible for a multiorganism as large as an ocean to have sentience... maybe it's just hiding this fact from us mere humans because it's smart enough to know that's a good move... maybe it's even smarter than that, and doesn't think us lower lifeforms have anything more to contribute than we would consider carrying on a conversation or discussing ethics with a top quark.
Those using quantum effects cannot be predicted even if you had a device to monitor the complete surroundings.
The Tao of math: The numbers you can count are not the real numbers.
Distinguishing between "false" and "true" randomness is pointless.
Not really, it's done all the time for many different purposes.
Take, for example, how computer scientists define it: roughly, a sequence is random if it can't be compressed, that is, any (program+data) that generates it must be at least as large as the sequence itself. It distinguishes between "random" and "not having enough information to predict it": it doesn't matter if it looks random to YOU; if it could in principle be compressed, it's not random.
That's not pointless hair splitting, it has real consequences for many areas of computer science, some very practical (cryptography, for example).
It's not my theory; maybe you heard about a guy named Kolmogorov that lived in the last century? I bet the great mind of Robert Coveyou studied a lot of his theory :).
But, more seriously, of course a random source will output compressible data sometimes. What happens is this: as you collect more output from a truly random source, the probability of it being compressible goes to zero very fast.
But the point is that it *is* useful to distinguish between "false" and "true" randomness, otherwise it wouldn't be true that "the generation of random numbers is too important to be left to chance".
http://www.random.org/faq/
Q2.1: How can you be sure the numbers are really random?
Oddly enough, it is theoretically impossible to prove that a random number generator is really random.
http://dilbert.com/strips/comic/2001-10-25/
It is dangerous to be right when the government is wrong.
What do I do? If I don't really care if it's random, I use the RPG from the programming language I'm using, or /dev/random. If I really, really care that it's random, I download a chunk of data off random.org, and either use that for the numbers, or use it to seed my RNG. For the most part, anything more than that is overkill.
It does. A simple "man 4 random" will give you that information. It seems the OP could not even be bothered to do that before posting his clueless BS.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.