NSA on Supply Chain Security

The NSA (together with CISA) has published a long report on supply-chain security: “Securing the Software Supply Chain: Recommended Practices Guide for Suppliers.“:

Prevention is often seen as the responsibility of the software developer, as they are required to securely develop and deliver code, verify third party components, and harden the build environment. But the supplier also holds a critical responsibility in ensuring the security and integrity of our software. After all, the software vendor is responsible for liaising between the customer and software developer. It is through this relationship that additional security features can be applied via contractual agreements, software releases and updates, notifications and mitigations of vulnerabilities.

Software suppliers will find guidance from NSA and our partners on preparing organizations by defining software security checks, protecting software, producing well-secured software, and responding to vulnerabilities on a continuous basis. Until all stakeholders seek to mitigate concerns specific to their area of responsibility, the software supply chain cycle will be vulnerable and at risk for potential compromise.

They previously published “Securing the Software Supply Chain: Recommended Practices Guide for Developers.” And they plan on publishing one focused on customers.

EDITED TO ADD (11/14): The proposed EU Cyber Resilience Act places obligations on software providers to deliver secure code, and fix bugs in a timely manner.

Posted on November 4, 2022 at 9:16 AM33 Comments


Clive Robinson November 4, 2022 10:00 AM

@ Bruce, ALL,


To little and way to late.

The NSA amoungst others have been exploiting the software supply chain for sevetal decades going back into the 1980’s to my knowledge.

But there is also the hardware supply chain the NSA have had their way less than clean fingers on for atleast a decade now, as we know from the Ed Snowden trove.

The real question is how far down the computing stack we should go…

As @Nick_P and @RobertT used to discuss here getting into a FAB factory process is not exactly the most difficult of things to do…

Larry November 4, 2022 1:28 PM

@ Clive, et al
I’m not smart enough to be an IT guy of any kind,but whenever I see advice from The NSA(or any government agency),I’m suspicious.

Ismar November 4, 2022 8:11 PM

There could be a silver lining to this problem as it could force our governments to invest more into chip manufacturing locally

JonKnowsNothing November 4, 2022 10:00 PM

@Ismar, All

re: chip manufacturing locally

There was a reason why local manufacturing moved to global manufacturing. That may have escaped the notice of several generations in between Then and Now.

Most of those reasons have not changed one iota.

In the USA almost our entire business industry is now run as a SERVICE. We don’t do manufacturing. Not even in farming. (1) There aren’t that many people left who remember how to calculate WIP without some mainframe program to tell them what to put in each input box.

To pick up an entire chip manufacturing plant and Drop It In the Bronx and expect someone in Greater New York to remember how all the steps have to interlock and to do it JIT for delivery to another Drop It In manufacturing plant in Cincinnati, is a big expectation.

It took decades to build what we had and it took half that time to dismantle it all.

The American Bison, aka buffalo, have better expectations for return.


1) Many industrial farms are contract farms: work for hire and paid by sharecrop profits. They sign a contract to raise some farm animal (chicken, pigs, sheep, cattle). The feed and the seed animals are provided by the contract firm. So the farmer gets a contract time-limited supply of feed to feed the chicks that are provided by the genetic labs that grow them. If the feed is good and the chicks don’t die the farmer gets a profit on his service. If the feed goes moldy and the chicks die then the farmer may have to repay the difference.

Clive Robinson November 5, 2022 2:44 AM

@ Larry, ALL,

“whenever I see advice from The NSA(or any government agency),I’m suspicious.”

You have every right to be, the level of “honesty” from Government Agencies has been increasingly called into question since the 1980’s if not earlier.

However when it comes to “technical reports” agencies have issues even they can not hand wave away. As technical information is derived via mathmatics and logic from basic laws of nature, being directly dishonest is problematic for an agency.

So their dishonesty moves from telling falsehoods that can not be easily shown to be so, to not saying anything that can boomerang on them.

Which in the case of technical information that comes directly from the agency, if they say something it will in all probability be technically accurate, but incomplete. Which tends to make life interesting sorting the technical thus verifiable from what is either not said or is not technical.

The NSA in particular has a problem in that it is required to attack all non US communications AND also protect US Goverment and other related agencies and organisations communications.

It’s difficult to do one without harming the other, but they are required to show the budget purse string holders that “they are doing both”. So the result is every so often a partial technical report will be issued.

Thus you have to take it with care, but if it makes a technical statment it will be accurate, though far from complete.

iAPX November 5, 2022 6:28 AM

However when it comes to “technical reports” agencies have issues even they can not hand wave away. As technical information is derived via mathmatics and logic from basic laws of nature, being directly dishonest is problematic for an agency.

I totally agree, I read their hardening papers since a long time, as they are still useful, after an in-depth analysis of what is covered and how, and what is not covered (and why).

I also have to respect NIST recommendations, that are heavily based on NSA choices. It’s unavoidable if you want to sell software and services in the USA.

For example to encrypt data I will use a flavour of AES, but I will encrypt the result with a modern cypher that is NOT a NSA creation.

I don’t trust the sha family either, sha-0 was a backdoor, but with the PBKDF2 framework (and salt reinjection at each step!), I feel at ease to use sha-2 even if I suspect it’s flawed.

iAPX November 5, 2022 7:16 AM


I use at least two pseudo-random generators, generally 3 including a hardware random generator.

I merge their results together, but I also use output of one (preferably the hardware one) to skip same number of outputs from another (giving they are all decoupled), as I don’t trust any of these generators individually, and end-up using an hash on the merged result to hide information another way, outputting one generated byte at a time (no more!).

This is NOT bulletproof, but this make it really complex and incredibly resource-consuming to find the pseudo-random generators internal status, and thus to be able to predict the nexts outputs.

Clive Robinson November 5, 2022 7:39 PM

@ iAPX,

Re : When random might be…

“This is NOT bulletproof, but this make it really complex and incredibly resource-consuming to find the pseudo-random generators internal status, and thus to be able to predict the nexts outputs.”

The problem with RNG’s is,

“What happens at Boot time?”

It’s all very well having a well stired entropy pool, after a large uptime, but the NSA did rather well on breaking PKcert Keys on embedded devices…

Basically way way to many embedded network devices, especially low cost IoT devices, start up with a known entropy pool, and do not update it before they generate the PKcert for it… Thus the reality is maybe 50-100 actual primes go into the certs, thus a fast search to factor is very cheap…

I’ve been developing RNG’s since the late 1970’s, and even now into five decades later I’m still shocked at just how little people developing such ICTsec products know…

It’s not as though it’s a barely discussed subject, our host @Bruce has written not just essays but effectively a book on the subject…

Do you remember Linus Torvalds and his now infamous comment about just using the Intel OnChip Hardware RNG?

I’m glad he realized –with a little prompting– why that was not a good idea…

Anyway, enough reminising from me today…

In the UK Nov 5th is known as “bonfire night” or “Guy Forks Night” when loud fireworks are for some people a must… I however suffer from tinitus due to the use of a 7.62mm rifle amoungst other weapons in a regimental shooting team. Needless to say I’m glad about the legal impediment / prohibition to the use after midnight of fireworks, as they make my ears ring like I’ve had my head stuffed in a church bell… Which makes thinking or sleeping a challenge at best. How peoples pet cats and dogs do not go mad I realy don’t know.

Phillip November 6, 2022 8:13 AM

Helpful of NSA. On the topic of licensing? Yes, scan binaries to ensure no byte is out of place. However, any license organizing principle is to forswear any accountability whatsoever. Honestly, what makes any of this SMOOT? All right: NSA is worried, and believes any improvement is needed from any middling programmer, with talk of every supply chain consideration. Never hit the submit button, I know. Though it could’ve interested the reader with a little discussion surrounding business profit models. Although, never mind, ’cause most any software license is completely worthless. Okay, NSA is never political activist, and one might never answer his or her own question. After all, I am really not NSA-whatever-answer. Everything might be going my way, though how much time need we spin on it?

Ismar November 7, 2022 1:36 AM

@ JonKnowsNothing – true- it is going to be hard, but it is either make locally or be vulnerable to those who make locally

JonKnowsNothing November 7, 2022 7:39 AM


re: either make locally or be vulnerable to those who make locally

Probably the only people who are doing well in the current set of supply chain and manufacturing chain shocks and disruptions are The Preppers. These are the folks who have made long term end-of-society plans.

They are not people like Thiel’s VIP group who couldn’t boil Cowboy Coffee if they wanted too. Folks in Thiel’s group rely totally on servants to prep things and do things for them.

So part of the equation, that has not changed, is the same one from decades ago and still rules Western Economies.

  • Make The Most Money with the Least Investment

So, it doesn’t really matter where the manufacturing plants are located or which groups of people are working in them, the Ultra-Capitalist Economics will demand supply shortages. They need them. They cannot function without them. It’s how they make More from Less.

The other significant issue with localized production is Knowledge. This takes decades to achieve. It’s not so easy to snap your fingers and say

  • Today I will make my own log cabin manufacturing plant although I’ve never seen a tree, and I don’t know how to make an Axe to cut one down. (1)

Consider carefully what that simple process entails.

Sure there are TV programs where people attempt to live Like Old Timers and most fail spectacularly. There are trades and crafts people of all sorts and lots of Cosplay and Historical Re-Creationists who can show you how to load a musket with ball and powder.

When rebuilding entire complicated high tech systems like Chip Manufacturing Plants, without external support or knowledge and solely for local consumption, the challenges are far beyond the problem of how to chop down a tree without an Axe.

  • We Do Not Know How To Do This Anymore.


1) There are existing companies that do provide A-Z log cabins. Plans, materials, build crews. They already have all the Know How.

Winter November 7, 2022 8:13 AM


These are the folks who have made long term end-of-society plans.

End-of-society generally goes by way of war-lords (c.f. Somalia). They will strip the land of any valuables. Lonely preppers in bunkers will simply be dug/smoked out.

A prepper who wants to survive must relocate to a place no one wants to go. So, the choice is to live your life lonely and far from everyone, hoping to survive if the rest of humanity dies out. Or to live you life among your brothers and die with them.

Make The Most Money with the Least Investment

That is called “maximize productivity”. Lower productivity == More poverty, higher productivity == more wealth.

The problem of the USA is not the maximization of profit, but the fact that the majority of Americans are excluded from economic growth. The main reason Americans do not share in economic growth seems to me that Americans think labor unions are BAD because, reasons (Fox News say so, Billionaires say so).

So, it doesn’t really matter where the manufacturing plants are located or which groups of people are working in them

  • Trade == Wealth
  • No Trade == Poverty
  • Autarky == Extreme Poverty (famine style)

That has been the case since humans started to grow crops.
The rise of productivity has increased global wealth. Local production and reduced trade always reduce productivity and wealth.

What we do see now is that the way trade and supply chains have been set up is too fragile. If you source from three continents, you are less efficient than when you source from a single country only. However, your supply chain is much more robust. Robustness costs money, but that money can be well spend. Autarky costs money, but that money has never been spend well.

JonKnowsNothing November 7, 2022 11:16 AM

@Winter, @All

re: Smoking Preppers

There are a bunch of variations on the theme and you’ve selected a far distant end version. Preppers maybe thinking of that but practically they have the following in their bugout locations.

  • Shelter (tents, rv, cabins)
  • Multiple Land Sites wholly owned (shared with family or cooperating groups)
  • Stockpiles of food (3 different stash sites) (1)
  • Water, water systems, water purification
  • Energy sources: solar active, solar passive, battery, heat exchanges, wind power etc
  • Waste system treatment (what goes in, comes out)
  • Ability to plant, grow and harvest a variety of vegetables

There are fair number of hungry and cold people in EU UK and USA would would like even a portion of that.

re: Not Sharing is the American Ideal

Your view points are valid but do not extend to the ingrained nature of the USA population’s views of what’s to be shared or not shared.

For reference check out the Progressive Party (United States, 1912) (2)

We won’t be ditching the views about God and Poverty that came over on the Mayflower any time soon. Yes, we make incremental changes but as F-PM AU Scotty From Marketing says about such things

  • Poor people are SPOILT for choice

And in the USA, people believe this enough to want to stop CHOICE. They are fine with POOR people if they are out of sight (3).


1) Stalin was efficient at finding stash site but not all of them

2) Progressive Party (United States, 1912)

The Progressive Party was a third party in the United States formed in 1912 by former president Theodore Roosevelt after he lost the presidential nomination of the Republican Party to his former protégé rival, incumbent president William Howard Taft. The new party was known for taking advanced positions on progressive reforms and attracting leading national reformers.

3) RL tl;dr

A wealthy CEO in SV became incensed that a street vendor was selling oranges on the corner, along a street where he could see the vendor as he drove to his Mega$$$ business.

He demanded the street vendor be arrested for spoiling his view as he drove to work and made a huge fuss over at City Hall about it.

Entrepreneurship isn’t allowed for Orange Sellers.

Winter November 7, 2022 12:38 PM


Preppers maybe thinking of that but practically they have the following in their bugout locations.

I think these preppers are prepping for movie threat scenarios. When society collapses, you should think Haiti, Somalia, Eastern Kongo, or Cambodia. Stashes of food are always good. But when an armed militia raids your bunker, they will get you to point them out.

There are fair number of hungry and cold people in EU UK and USA would would like even a portion of that.

Yep, and they would buy the food if they could. The problem is not lack of foresight, but lack of money. Also, it takes quite a lot of money to acquire land to stash food in.

Your view points are valid but do not extend to the ingrained nature of the USA population’s views of what’s to be shared or not shared.

Divide and conquer works like a charm. I have noticed during travels through the USA that Americans all think they can get that “special deal”, but in reality, they all pay through their noses [1].

And in the USA, people believe this enough to want to stop CHOICE. They are fine with POOR people if they are out of sight (3).

How was that riddle [2]?

[1] “With OUR loyalty card you get real bargains”. Without the card, you simply pay double. But with the card, the prices are still high.

[2] ‘https://en.wikipedia.org/wiki/First_they_came_…

First they came for the socialists, and I did not speak out—
Because I was not a socialist.

Then they came for the trade unionists, and I did not speak out—
Because I was not a trade unionist.

Then they came for the Jews, and I did not speak out—
Because I was not a Jew.

Then they came for me—and there was no one left to speak for me.

JonKnowsNothing November 7, 2022 6:30 PM


re: Here are your winnings… I’m shocked to find …

Americans, in gross generalities, believe in Miracles and Deus Ex Machina Magic; that manna will fall from heaven for them.

A good portion are actively working on bringing about the “End of Days” scenarios believing (whole heartily) that only then will they ascend to heaven (whole body).

A lot of these sorts of beliefs drive USA politics.

It’s hard to have a resolution for hunger, housing, discrimination, lack of health care with someone who Fully and Truly Believes that all of the above are Required to bring about their Personal Rapture at the Second Coming.

These groups have been preparing for The Coming since their theological denominations were ejected from UK & Europe and re-established in the USA.

  • Australia got the Prison/Prisoner complex
  • USA got the Divine Inspiration and Prophecy complex


ht tps://en.wikipedia.or g/wiki/Rapture

The rapture is an eschatological position held by some Christians, particularly those of American evangelicalism, consisting of an end-time event when all Christian believers who are alive, along with resurrected believers, will rise “in the clouds, to meet the Lord in the air.”

ht tps://en.wikipedia.or g/wiki/Second_Coming

ht tps://en.wikipedia.or g/wiki/Eschatology

Eschatology (from Ancient Greek ἔσχατος (éskhatos) ‘last’, and -logy) concerns expectations of the end of the present age, human history, or of the world itself. The end of the world or end times is predicted by several world religions (both Abrahamic and non-Abrahamic), which teach that negative world events will reach a climax.

(url fractured)

Clive Robinson November 7, 2022 7:45 PM

@ keiner,

“Any ideas why there should be a maximum entropy hardcoded in the linux kernel”

It’s not “hardcoded” in the kernel. That limit is due to the size of the hash used (Blake) being reported. With a hash you can not get anymore output from it than you put in.

That said if you want to play “silly numbers games” there is nothing to stop you taking multiple draws via the hash algorithm. So get an increased level of what you might think of as “entropy” but the reality is it’s just a form of complexity gained via a “One Way Function”(OWF) that might or might not be “Cryptographicaly Secure”(CS).

It’s a matter of open debate as to if OWFs actually exist, as for CS-OWFs well lets just say history has a habit of showing anything claimed by some proof as being “CS” frequently turns out not to be in a quater of a century or less.

But look at things realistically just how much “True Entropy” do you think a Linux box actially gets over say 24hours?

You might be shocked to find out just how little it realy is.

So the question to ask is not about “entropy” but about how determanistic and guessable it is both in the mechanical and mathmatical senses.

What you are mostly looking for is,

“A ball drawn from a stirred urn”

Where the number of balls is many trillions of trillions times the number of atoms in the universe. With each ball having the same odds of being drawn.

Where that is “insufficient” then you look at drawing more balls, for which you need a further constraint which is an awkward one of,

“Each ball drawn is fully independent of those drawn before or to be drawn in the future”

We can not do this with a hash and entropy pool driven by a low ammount of “True Entropy”. But mostly it does not matter as long as an attacker can not get at the sequence state, the numbers remain unguessable so appear to have “True Entropy”.

People get the wrong idea about entropy pools followed by crypto algorithms. They do not in any way create “True entropy” as many think. All they do is, the pool smears or spreads the tiny amount of True Entropy across all the bits in the pool in a way that is unpredictable and the “state” of the pool at any one time remains hidden by the strength of the crypto algorithm.

I call the use of such crypto algorithms “Magic Pixie Dust Thinking” for a whole heap of valid reasons.

Clive Robinson November 7, 2022 8:39 PM

@ JonKnowsNothing, SpaceLifeForm, Winter, NameWithheld…,

Re : words that twist when I say them.

You say,

“The rapture is an eschatological position”

For some reason I find the initial “e” to be silent thus I say “scatalogical”[1] which just feels more natural when people speculate about their ends / future movments.

I know that Dr Sigmund Freud had strong views on this, but then his observational subjects had a large contingent of mature hysterical women as they were then described… Thus his findings tend to be considered discredited these days along with the views of the subjects of his observations.

[1] https://en.wikipedia.org/wiki/Scatology

Winter November 7, 2022 11:29 PM


A good portion are actively working on bringing about the “End of Days” scenarios believing (whole heartily) that only then will they ascend to heaven (whole body).

In US Eschatological lore, it is the UN of all institutions that will harbor the antichrist.

Also, for The End to happen, Israel must start the final war against the Arabs. That is the reason antisemitic American churches so wholeheartedly support the case of zionism.

Religion is crazy.

keiner November 8, 2022 2:25 AM


Bought, but what does that mean for, let’s say, a 2048 bit openvpn key or a wireguard key generated on a system up for 1 week?

Normally not the crypto is “hacked”, but the system. So I’m on the save side for my VPN from the key-side?

Clive Robinson November 8, 2022 6:02 AM

@ keiner,

Re : is the entropy strong enough.

“let’s say, a 2048 bit openvpn key or a wireguard key generated on a system up for 1 week?”

The “true entropy” is very probably insufficient, but that probably does not matter…

To see why you have to take a sideways view at things as a black-box process where there are two players,

1, The generator.
2, The observer.

The generator can see both the inputs to and the outputs from the black box. The observer can only see the output. The idea of the black box is two fold,

1, To prevent the observer seeing either the black box state or black box inputs.
2, To prevent the generator from being able to correlate inputs to outputs.

It’s the correlation argument which gives rise to the need for “One Way Function”(OWF) crypto algorithms.

So as a very rough rule of thumb you can say the output from the black box the observer sees is atleast as strong as the crypto used.

That is consider it equivalent to say AES256 in CTR mode. When he the observer does not know either the AES key, or the Counter or state value.

The big problem is the generator will know both the starting values of the key and the count, as well as see the inputs to the black box. So can as easily “play along” with a simulation of the black box. Now consider Eve, who knows when the system was started, and can also see the external network inputs to the system the black box is usesd on. She is in effect closer to being the generator than the observer… Which means that it is possible for her to run a search to work out the blackbox internal state close enough to have a much reduced range of blackbox output thus get a much higher degree of predictability. This is an attack senario that works with “embedded systems” where in effect the only source of entropy is visable to Eve network events. Worse provided Eve gets to see blackbox output frequently she effectively has a heartbeat so she can assume blackbox input and track the probable state within a small but searchable range.

So a lot does depend on the effectiveness of “stiring the pool” from the inputs to the blackbox.

So what is the input to the blackbox? Well it’s in part mechanical –from system clock crystall– and part determanistic from the actions of algorithms but it is also in part chaotic due to the way those algorithms can interact (think of the system as being equivalent to a multiple jointed pendulum).

Or to look at it in a more analytical way, assume a spectrum line or plane edge going from determanistic at one end to truely random at the other.

The scale goes from simple determanistic through various grades of complex, likewise into chaotic and then into various grades of random.

Whilst you can view it as a spectrum line for mathmatical / informational objects it is better to view it as a plane for mechanical / physical objects.

That is in every physical object that does work there is inefficiency that by various transducer effects steps down to some form of noise, eventually heat. Some small part of that noise is truely unpredictable for various reasons to do with the physics of measurment and it’s hete that true unpredictability resides.

So there are three questions that arise from this observation,

1, What % is truely unpredictable?
2, How much contamination that is predictable can be removed?
3, Does such contamination actually matter?

Supprisingly to many the answers to the questions are,

1, Almost to small to measure.
2, Not a great deal.
3, Not that much if corelation synchronization can be avoided.

The important point to note is “synchronization”. For a future value to be predictable to an observer they have to be synchronized to past events by past values from the blackbox.

I’ll stop at this point for now, because in the past the subject of synchronization and the resulting search attacks got quite involved.

The simplest advice at this point is,

1, Have lots of blackbox input.
2, Issolate the system with the blackbox on it as much as possible from any observer.

SpaceLifeForm November 8, 2022 9:13 PM

@ keiner, Clive

Re : is the entropy strong enough.

You need to be the Generator AND the Observer. Flip coins, roll dice, use a shaker.

A CPU with a kernel that is Bicycling in it’s idle loop, is not going to generate any entropy because there are no events, no interrupts. It is just wasting energy. You can not trust any CPU to give you good Random.

This is especially why IoT is problematic. But, you also need to think about a depleted entropy pool that could occur while your computer is awake, but you are sleeping.

If you want good Random, roll it yourself.

Clive Robinson November 9, 2022 5:46 AM

@ SpaceLifeForm, keiner

Re : Roll your own random.

“A CPU with a kernel that is Bicycling in it’s idle loop, is not going to generate any entropy because there are no events, no interrupts. It is just wasting energy. You can not trust any CPU to give you good Random.”

As I noted above all “physical events” have some small sometimes exceptionaly small measure of “True Random” attached to them. This includes all physical objects “doing work” even if it’s just a CPU in the OS idle loop work thus inefficiency come into play.

However determanistic mathmatical / informational events do not “do work” in the physical sense, so do not genetate even small amounts of “True Random” but they can do both complexity and chaotic.

The problem is when trying to define things is that mathmatical / informational events do not exist in issolation in a CPU as they cause physical events thus work to be done…

A CPU by it’s self has two sources of True Random you can identify by inspection and test. The first is the “mechanical resonator” that is the quartz crystal of the “XTAL” that drives the CPU “clock cycle”. The second is the indeterminacy of the threshold used in logic gates and the soft errors arising in various ways, it’s called “meta-stability”.

The effects of meta-stability in logic gates can be increased, which is where “On Chip TRNG’s” come from usually via two or more “Ring oscillators”

The history behind on chip TRNG’s is such that it has more “rabbit holes” than all the warens in “Watership Down”.

One of the particular on chip rabbit holes I’ve always cautioned about is “Magic Pixie Dust Thinking” of using crypto algorithms to hide just how small the true random is. Intel pioneered this “hide the junk” behaviour back when they were using “thermal noise” (4KTBR) from an on chip resistor as their random source… So I’ve cautioned against Intel from almost day one and continue to do so.

It would appear from this fairly recent (2019) paper I was wise to do so,


But as I’ve also indicated the topic is as twisty and more complex than all those rabbit holes especially on the engineering side of things.

After more than four decades of being involved with the design of RNGs often at the sharp end, the one thing I realy do know with certainty, is that I know a lot less about the subject than I would like to know, and in this I am far from alone, hence we see occasional papers pop up on the subject of Hardware RNGs.

On some of my more thoughtful days I consider that “random is a gift” from the intangible information universe, down to the tangible physical universe in which we corporeal beings are condemned to live. That is it could simply be the issue of transitioning information from a continuous universe to a discrete universe that will be for ever more fundementally granular.

EvilKiru November 10, 2022 4:57 PM

@SpaceLifeForm, @keiner: > If you want good Random, roll it yourself.

Doesn’t most DIY random end up being utter garbage?

JonKnowsNothing November 10, 2022 5:43 PM

@EvilKiru, @SpaceLifeForm, @keiner:


If you want good Random, roll it yourself.

Doesn’t most DIY random end up being utter garbage?

Not if it’s multi-sided, rolls and is not loaded.

It’s when you try to mimic that process in code or hardware you get NoRand()

SpaceLifeForm November 10, 2022 11:18 PM

@ EvilKiru, keiner, JonKnowsNothing, Clive, Winter, ALL

re: Doesn’t most DIY random end up being utter garbage?

You may have been thinking about DIY CryptoGraphy, which is strongly recommended against unless you really understand what you are doing. It is a nebulous forest that many have never returned from.

I would also recommend that you stay away from DIY CryptoCurrency.

The consensus here is that CryptoRandom is snake oil.

Do you see how the word Crypto is overloaded?

Winter November 11, 2022 12:26 AM

@ EvilKiru, keiner, JonKnowsNothing, Clive, ALL

re: Doesn’t most DIY random end up being utter garbage?

Depends. If you roll dice or toss coins, the randomness will not be perfect but all in all quite good. Shuffling cards is already more tricky.

Using “physics”, Geiger counters, shot and thermal noise, or raindrop souns, etc, you need some electronics like AD converters, amplifiers, and filters that could remove randomness. Done wrong, these input electronics can silently remove most or all randomness. Add to this post processing to spread the randomness, eg, compression and hashes, you could end up with very random looking numbers that might be almost completely deterministic.

The problem lies in the fact that it is next to impossible to determine whether a number sequence is random or deterministic. You have to certify every step from the hopefully random source to the end product.

I do not think their are many people in the world who can do that for the whole chain. DIY random numbers are almost certain to fail at some point along the way.

Clive Robinson November 11, 2022 2:53 AM

@ ALL,

Re : Is DIY random generation garbage?

Short answer “Yes and No”.

As @SpaceLifeForm has pointed out “crypto” is an overloaded word…

But nowhere as badly as “random”.

So you have to ask the question,

“What am I trying to achieve?”

Then and only when you actually understand the full implications can you make the good/bad decision.

For instance is a close in photo of a spilled out “box of matches” random?

Both No and Yes.

Is it an “unguessable bag of bits” well that depends… on how you extract the bits, and how you “post process” them.

Take the photo turn it to black and white and a simple uncompressed format and crop out the “matches” from the plain back ground then pull out the bits. You are likely to get between 1/4 and 3/4 of the bits ones and only have predictability in higher order patterns.

Take two entirely unrelated match pile photos and run them sequentially through a suitable cryptographic algorithm (CS-Hash) and the chances are good you will have a “bag of bits” suitable to use as an AES key, but not for an RSA cert prime search.

Knowing why the above is correct will get you one edge on the good/bad problem understanding. But… could also lead you down a rabbit hole, right into the mouth of a ferret[1]…

Good sources of “True Randomness” are actually quite hard to find, and are “physical” devices. With even the best of them all have bias, and predictability in their outputs that needs to be dealt with[3]. And as they say,

“That’s not the half of it by a long way”.

[1] Ferret is a term once used by Allied WWII PoW’s in the likes of Colditz[2] for the German “intelligence operatives” used amoungst other things to stop escape attempts by finding tunnels and escape equipment. It is less than humorously derived from two things. Firstly the expression “To ferret out” bassed on the thoroughness actuall ferrets search for rabbits in warrens, secondly the unmerciful way ferrets drag baby rabbits out into the light, and then kill them (nature in all it’s violent tooth and claw).

[2] I actually knew a Colditz PoW who was “my boss” for a year or so. He cycled all across Europe in “cricket whites” and was turned in by a Quisling whilst trying to find a boat to get him across the North Sea. One of his little quirks was that he had kept many of the “Condemed to Death” notices he had been given and had them framed on his office walls. He spoke supprisingly warmly about the regular millitary personnel of the PoW camps he had been in, his view being most were just doing a guarding job without any malice. His view on others such as the non military but uniformed which included those who directed the ferrets was not as forgiving.

[3] The oft quoted source of “True Randomness” is a radioactive source, but that is a bit of a limited point of view. Whilst it is true we have no way of predicting how individual radioactive atoms will decay, we do know that for any given type of atom in bulk they have a “half life” that is good to many decimal places. The half life curve is a simple 1/n curve where n decreses at a rate of qc/S where “q” is the quantity of atoms, “c” is a constant for the atom and S is a second. That is if you have a thoisand atoms each decay takes the number down so the number of decays left likewise goes down. If q or c is large then the number of decays per second is quite predictable and goes down almost linearly over short periods of time (see Newton’s infitesimals as to why that is). This is both an advantage and a disadvantage depending on how and what you measure. But the measurment process via a GM tube or similar generates electrical noise, that appears on both signal and supply lines, and without care gets out of the generator via many inadvertant side channels. Worse the decreasing count pulses when integrated / low pass filtered provide a decreasing bias voltage in the analog circuitry which too can without care effect the generator output. But other gotchers that exist “down the chain” are the likes of “de-biasers”. If you take two output bits from a generator and XOR them you get a von Newman de-bias circuit. Whilst it will remove “value bias” and give equal zero/one probilities it does not remove “time bias” and infact makes it worse. Likewise the circuit produces pulses of current thus electrical noise. Both the time and noise will appear at the output if care is not taken, and they noise pulses especially can be synchronous down the chain.

MarkH November 11, 2022 11:47 PM


Probably you already know, but there’s a new book about Colditz (subtitled “Prisoners of the Castle”) which has gotten good reviews — apparently, it is a meaningful addition to all the other books about Colditz.

When I first learned about the history of POWs there, I was especially intrigued by this account (from memory, prone to error):

A group of Polish POWs were to be transferred from Colditz to different camp. Some British officers made arrangements to take the place of some of the Poles, expecting that the new camp would be easier to escape from.

Colditz guards quickly realized that something was amiss, ordered the British officers out of the queue, and rounded up Polish officers to “fill the gap.” So far, simple enough.

MarkH November 11, 2022 11:48 PM


Here’s what made my head spin: when the British officers were ordered out of the queue, some of men who left were Poles; when the missing Polish officers were brought to the queue to put things “in order,” the prisoners had again mixed things up, and some of this second batch of “Poles” included British officers.

For me, it was an introduction to the convoluted world of “security thinking.”

SpaceLifeForm November 12, 2022 12:47 AM

@ MarkH, Clive

re: Colditz guards

The prisoners had stacked the deck, and then did a Random Shuffle, and the guards had no idea what was going on because the prisoners had not been verified with a Twitter approved Blue Check Mark.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.