The problem with randomness

Comic Strip

Random number generators: The devil is in the details

How to generate random numbers from spam

I found this the other day, via WPRandom:

Generating random numbers is pretty complicated if you need them for cryptographic algorithms. This software generates them based on spam comments…

It caught my eye as a sort of “spinning spam into RNG gold”, or more likely PRNG (pseudo-random number generator) gold. Many WordPress blogs, whether self-hosted or not, effectively use Akismet as a comment spam sieve. As I’ve learned during my time with WordPress, and with spam comments, Akismet will not publish comments that it identifies as probable spam. This provides a possibly crucial property for SecurityDump’s application:

no one will be able to see the source of your numbers, unless they hack into your database

All the details are available on the Google project site for WPRandom, in its Problems and Attack Vectors wiki. I have no idea whether SecurityDump has worked the bugs out of this yet or not. I found it an amusing idea, though, to squeeze some genuine value from the efforts of spammers.

Published on October 5, 2012 at 3:51 am

8 Comments

  1. Hello Ellie,
    I used to entertain the idea of writing a random number generator program which would base itself on server time (hours/minutes/seconds) to generate the latter. Maybe I will implement it soon enough.

    • Hello Luvnish!
      I appreciate that you stopped by to visit. Have a look at Infodox’s comment, and my reply though. I feel sort of guilty as I don’t want to mislead anyone by this admittedly sort of silly jokey post. Hope all is going well with your e-commerce endeavors!

      • I’ve only just started on that side venture. Hopefully it will flourish :)

  2. Luvnish: if you mean generate random numbers based on the server’s time, that is a flawed approach. With almost all PRNGs, the ‘randomness’ is based on a seed value, which itself must be random, or at least unpredictable. Time is inherently predictable, and server time is easily disclosed remotely by things like HTTP headers.
    Once they have your seed and your algorithm, your random number generator is broken.
    Look at the design behind /dev/random on Unix/Linux for an example of how hard it is to build a secure RNG.

    As for an RNG based on spam, it could produce somewhat reasonable randomness; however, it could be predictable in the sense that if you are being spammed, someone else is too – this means your seeds are being given to someone else. I will have a look at their implementation though, it may well be useful for something interesting!

    • Info_dox is correct. This is a rather awful post on my part. I mostly liked the cartoon. Furthermore, I think my post may have motivated Security Dump to entirely delete his blog by virtue of my linking to it, as he made numerous disclaimers to me regarding his casual intent behind the entire spam into random numbers idea. This “Random numbers in Java” is a better post to read about random numbers, by me. There are many far better posts than anything I’ve written about random numbers to be found elsewhere though!

    • That’s the thing. They have to have your algorithm for it to be easily cracked. What I’ve been thinking about was a program running on the server side. Then, there’s the whole time delay it takes for the packets to travel over the network. Although, yes, it is not very practical for encryption. But I haven’t thought that far. I only thought of a way to generate a seemingly random number on a machine.
      Taking a constantly changing factor, time, seemed like a pretty good idea to me.
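To make the point about seeds concrete, here is an added example (not code from this post, from WPRandom, or from the commenters): a 64-bit token is minted from a PRNG seeded with the clock in whole seconds, and the seed is then recovered simply by trying every second in a ten-minute window around a guessed time, while a token from the OS CSPRNG has no seed to recover. The timestamp and the clock guess are constructed values.

```python
import random
import secrets
from typing import Optional

# Constructed scenario: a server mints a 64-bit token from a PRNG
# (Python's Mersenne Twister) seeded with the clock in whole seconds.
def weak_token(seed_time: int) -> int:
    rng = random.Random(seed_time)
    return rng.getrandbits(64)

def recover_seed(token: int, approx_time: int, window: int) -> Optional[int]:
    """Try every seed within +/- window seconds of approx_time and return the
    one that reproduces token, or None if no candidate matches."""
    for candidate in range(approx_time - window, approx_time + window + 1):
        if weak_token(candidate) == token:
            return candidate
    return None

def strong_token() -> int:
    """Token drawn from the OS CSPRNG; there is no seed to guess."""
    return secrets.randbits(64)

def demo() -> dict:
    minted_at = 1349409060          # constructed timestamp, not a real server
    clock_guess = minted_at + 37    # e.g. read off a Date: header, slightly off
    weak = weak_token(minted_at)
    strong = strong_token()
    return {
        # The time-seeded token gives up its seed after at most 1201 guesses.
        "weak_seed_recovered": recover_seed(weak, clock_guess, 600),
        # The CSPRNG token matches no candidate seed in the same window.
        "strong_seed_recovered": recover_seed(strong, clock_guess, 600),
    }

if __name__ == "__main__":
    print(demo())
```

With the seed recovered, every later output of that PRNG instance is reproducible, which is what “your random number generator is broken” means in practice.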

  3. Love your blog. So interesting and well designed.

    • How nice of you to say! I am delighted to see you here. It is as though you read my mind, after my sojourn at the home of attorney WAC. And I did indeed track you to VC Central. The internet is delightful! Thank you for visiting.
