The problem with randomness

How to generate random numbers from spam

dilbert comic strip 2001-10-25

Random number generators: The devil is in the details

I found SecurityDump’s WPRandom the other day:

Generating random numbers is pretty complicated if you need them for cryptographic algorithms. This software generates them based on spam comments…

It caught my eye as a sort of “spinning spam into RNG gold”, or more likely, PRNG (pseudo-random number generated) gold. Many WordPress blogs, whether self-hosted using or not, effectively use Akismet as a comment spam sieve. As I’ve learned during my time with WordPress, and with spam comments, Akismet will not publish comments that it identifies as probable spam. This provides a possibly crucial aspect of SecurityDump’s application:

no one will be able to see the source of your numbers, unless they hack into your database

All the details are available on the Google project site for WPRandom, Problems and Attack Vectors wiki. I have no idea if SecurityDump worked the bugs out of this yet or not. I found it an amusing idea, though, to squeeze some genuine value from the efforts of spammers.

A slightly cynical RNG

Randall Munroe, of xkcd web comic fame, seems to have a less than favorable perception of the internet standards authority, Internet Engineering Task Force (IETF). xkcd 221 predated the recent mess that is HTTP 2.0 by many years, see HTTP/2.0 — The IETF is Phoning It In for lurid details, so I can only imagine what he would say about the IETF now.

xkcd comic 221 rng joke

xkcd 221: RFC 1149.5 specifies 4 as the standard IEEE-vetted random number

For the curious, I wrote a little more about Randall Munroe, xkcd with love and geohashing and even random numbers, in Java.

*The IETF uses RFC (request for comment) memoranda, as do many other organizations, despite what Wikipedia says 😉

Published in: on 5 October 2012 at 3:51 am  Comments (8)  
Tags: , ,

The URI to TrackBack this entry is:

RSS feed for comments on this post.

8 CommentsLeave a comment

  1. Hello Ellie,
    I used to entertain the idea of writing a random number generator program which would base itself on server time (hours/minutes/seconds) to generate the latter. Maybe i will implement it soon enough.

    • Hello Luvnish!
      I appreciate that you stopped by to visit. Have a look at Infodox’s comment, and my reply though. I feel sort of guilty as I don’t want to mislead anyone by this admittedly sort of silly jokey post. Hope all is going well with your e-commerce endeavors!

      • I’ve only just started on that side venture. Hopefully it will flourish 🙂

  2. Luvnish: if you mean generate random numbers based on the servers time, that is a flawed approach. With most all PRNG’s, the ‘randomness’ is based on a seed value, which itself must be random, or least unpredictable. Time, is inherently predictable, and server time is easily disclosed remotely by things like HTTP headers.
    Once they have your seed, and your algorithm, your random number generator is broken.
    Look at the design behind /dev/random on Unix/Linux for an example of how hard it is to generate a secure RNG.

    As for RNG based on spam, it could produce somewhat reasonable randomness, however could be predictable in the sense that if you are being spammed, someone else is – this means your seeds are being given to someone else. I will have a look at their implementation though, it may well be useful for something interesting!

    • Infodox is mostly (or entirely) correct about clock time not being adequate for cryptographically secure PRNGs. I really love Dilbert’s random number demon, and wanted to feature him in a post. Also, I am fascinated by spam detection, so this seemed like a fun way to write a little about both. I think my post may have motivated Security Dump to entirely delete his blog due to my linking and pinging it; he made numerous disclaimers to me regarding his entirely casual, recreational intent with WPrandom. He’s responsible, you see, and doesn’t want to accidentally encourage site or blog owners to anything insecure.

      My prior post about random numbers in Java is better for understanding how random the numbers generated by a number generator truly are, and what is “random enough,” given the anticipated use case.

      EDIT Yay! SecurityDump and his blog have returned. All links in my post are working again.

    • That’s the thing. They have to have your algorithm for it to be easily cracked. What I’ve been thinking about was a program running on the server side. Then, there’s the whole time delay it takes for the packets to travel over the network. Although, yes, it is not very practical for encryption. But I haven’t thought that far. I only thought of a way to generate a seemingly random number on a machine.
      Taking a constantly changing factor, time, seemed like a pretty good idea to me.

  3. Love you blog. So interesting and well designed.

    • How nice of you to say! I am delighted to see you here. It is as though you read my mind, after my sojourn at the home of attorney WAC. And I did indeed track you to VC Central. The internet is delightful! Thank you for visiting.

Comments welcomed! Less enthusiastic about spam.

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: