posted by chromas on Monday June 17 2019, @06:02PM

23. 712. 3. 608. 45. 89. 11. 332. 841. 255. You Want More? Cloudflare and Pals are Streaming 'em Live From New RNG API:

Like some kind of space-age Bingo hall caller, a cloud-based API that publicly streams random numbers arrives today, and is being touted by Cloudflare.

The web-distribution giant is enlisting the help of four other organizations and a handful of researchers to create what it calls the League of Entropy, a project aimed at creating and maintaining tools that output random numbers.

The project combines Cloudflare's own LavaRand lava-lamp-based random number generator with EPFL's URand, UChile's random number generator, Kudelski Security's ChaChaRand, and Protocol Labs' InterplanetaryRand. The combined systems will funnel their random data into an endpoint called Drand, and every 60 seconds it will output a 512-bit value to the world, so that anyone can fetch the digits and use them for their random numbers.

[...] "This global network of servers generating randomness ensures that even if a few servers are offline, the beacon continues to produce new numbers by using the remaining online servers."

This is where it should be noted that the public system will not be recommended in any way, shape, or form for use with cryptographic or security-sensitive tools or applications, for obvious reasons. Those who want a stream of private numbers can link up with Drand or the individual beacons directly rather than stream from the public API.

[...] Rather, Cloudflare sees the public strings being used for things like election auditing or scientific research where officials will want true random numbers that can be verified as untouched from the source. You can find more details of this over on the Cloudflare website by the time you read this.

Obligatory xkcd and Donald Knuth's exposition on the challenges of trying to create random numbers.


  • (Score: 2) by urza9814 (3954) on Monday June 17 2019, @08:19PM (#856775)

    Except this effort is not pointless. Randomness has the weird behavior that you can only increase it, not decrease it. You can take any two pieces of random data, xor them together, and at worst the result is "only as random as one of them." It is never less random as a result.

    Assuming everything is implemented correctly. But that assumption is typically where security fails.

    How many coders do you trust to actually understand that and implement it properly, vs how many code monkeys will either use this as a sole primary or fallback source, or as a way to get more entropy by simply appending the data instead of xor-ing it, or some other manner of stupidity?

    Also be aware that the note in TFS about not using this for cryptography comes from the article, not the "League of Entropy" itself. If you look on the Cloudflare site, they explicitly advertise it as a high quality entropy source for cryptographic applications, and claim it's more secure than any of the alternatives. So how many code monkeys are going to pick the single "best, most secure" number generator and be done with it? After all, combining multiple sources is what LoE does already, so why reinvent the wheel in your own code? (Heck, at least half these guys will be sitting there going "Hey, that's a great idea! Glad they're doing it for me!") How easy would it be to compromise those systems by keeping a log of the LoE entropy readings? At 512 bits every 60 seconds, you'd need around a hundred gigs per year to store the whole thing. A friggin' high school student could put that together.

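The XOR-mixing point from the comment above, as an added example (not code from the article, Cloudflare or drand): it contrasts a seed built from the public beacon alone with one that XORs the beacon into a private local input, and shows that XOR only helps when the inputs are independent. `SAMPLE_BEACON` is a constructed stand-in for one 512-bit round, and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for one 512-bit public beacon round (not real output).
SAMPLE_BEACON = hashlib.sha512(b"constructed beacon round").digest()


def xor_combine(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings; never silently truncate."""
    if len(a) != len(b):
        raise ValueError("inputs must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def seed_from_beacon_only(beacon: bytes) -> bytes:
    """Weak pattern: the seed depends on nothing but published data."""
    return hashlib.sha512(b"seed|" + beacon).digest()


def seed_mixed(beacon: bytes, local_secret: bytes) -> bytes:
    """Beacon XORed into an independent local secret, then hashed."""
    return hashlib.sha512(b"seed|" + xor_combine(beacon, local_secret)).digest()


def reproducible_from_log(seed: bytes, logged_beacon: bytes) -> bool:
    """True if someone holding only a log of beacon rounds can rebuild seed."""
    return hmac.compare_digest(seed, seed_from_beacon_only(logged_beacon))


def demo() -> dict:
    local = secrets.token_bytes(len(SAMPLE_BEACON))  # OS CSPRNG, kept private
    mixed = xor_combine(SAMPLE_BEACON, local)
    return {
        # Public value alone: anyone with the log derives the same seed.
        "beacon_only_reproducible": reproducible_from_log(
            seed_from_beacon_only(SAMPLE_BEACON), SAMPLE_BEACON),
        # Mixed with a private input: the log is not enough.
        "mixed_reproducible": reproducible_from_log(
            seed_mixed(SAMPLE_BEACON, local), SAMPLE_BEACON),
        # All secrecy rests on the local input: stripping the beacon returns it.
        "secrecy_is_local": xor_combine(mixed, SAMPLE_BEACON) == local,
        # Correlated inputs cancel: XOR only helps when sources are independent.
        "same_source_twice": xor_combine(SAMPLE_BEACON, SAMPLE_BEACON),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value if isinstance(value, bool) else value.hex()[:16])
```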