Why #Randomness Isn’t Quite As Random As You Think ⚓ https://tedium.co/2022/01/28/insights-about-randomness/ ䷉ #tedium | more in http://schestowitz.com/2022/01/28/#latest
#randomness
For those who would like to find out whether or not they should trust this password generator: https://pastebin.com/qyuqLeLk
It uses a not-quite-secure Python standard RNG, and calls random.randint on it at least 1554 times (only looked at the first loop, there is more). In doing so, it gets at least 38035 bits of entropy out of random.randint. Too bad Python's RNG only has a state size of 19937 bits.
Problem, math?
Yes, you read this right: even when generating just ONE password, random bits used in the generation correlate with each other. A rookie mistake.
Solution would be, of course, using random.SystemRandom to fix this flaw once and for all. I suggested this to the author before, but they wouldn't listen and make this one trivial change, and instead just made the random number generation more complicated.
Also, there are some sources of bias in the algorithm, but last time I checked they only lower password entropy by a few bits.
#security #cryptography #randomness #fail
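The point made in the post above, as an added example that is not part of the original post or of the linked generator: a password drawn from Python's default Mersenne Twister is a pure function of its internal state, while `random.SystemRandom` has no replayable state. The alphabet, the length, and the function names are assumptions made for illustration.

```python
import math
import random
import string

# Constructed for this example: 62-symbol alphabet, 20-character passwords.
ALPHABET = string.ascii_letters + string.digits
MT_STATE_BITS = 19937  # Mersenne Twister state size quoted in the post


def make_password(rng, length=20):
    """Pick each character with rng.choice (no hand-rolled modulo arithmetic)."""
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def replay_from_state(state, length=20):
    """Rebuild a password from a captured Mersenne Twister state."""
    clone = random.Random()
    clone.setstate(state)
    return make_password(clone, length)


def entropy_requested(draws, choices_per_draw):
    """Bits of entropy that `draws` uniform picks ask of the generator."""
    return draws * math.log2(choices_per_draw)


def exceeds_mt_state(bits_requested):
    """True when more bits are drawn than the Mersenne Twister state can hold."""
    return bits_requested > MT_STATE_BITS


def demo():
    weak = random.Random()               # default generator: Mersenne Twister
    state = weak.getstate()              # the full internal state
    weak_pw = make_password(weak)
    replayed = replay_from_state(state)  # same state in, same password out

    strong = random.SystemRandom()       # reads the OS CSPRNG via os.urandom
    strong_pw = make_password(strong)
    return weak_pw, replayed, strong_pw


if __name__ == "__main__":
    weak_pw, replayed, strong_pw = demo()
    print("MT password replayable from state:", weak_pw == replayed)
    print("SystemRandom password:", strong_pw)
    print("bits in one password: %.1f" % entropy_requested(20, len(ALPHABET)))
    print("38035 bits exceeds MT state:", exceeds_mt_state(38035))
```
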
reshare from @I Like Da Web
https://greyhatlaboratories.com/download-vb6-random-password-generator-beta-grey-hat-labs.html #password #security #ghl
HFT, Sequence Fuzzing, Randomness, and Repeatability
High frequency trading has popped up again on Hacker News with a couple of stories, "Is the U.S. stock market rigged? (cbsnews.com)[1]" and "U.S. stock markets are rigged, says author Michael Lewis (reuters.com)[2]". As I've mentioned previously, HFT is something that troubles me, both on its own merits and on the statements of others (Warren Buffett, Mark Lewis, and others have criticized it strongly).
One solution that's occasionally mentioned is for either discrete-step trade processing, or randomly assigning lags to orders, with the fuzzing interval being such that HFT operators couldn't be assured of a timeslice within their range of advantage -- perhaps 1-10 seconds (this for a practice which relies on sub-millisecond timings).
And so I suggest a possible replayable yet gaming-resistant fuzzing mechanism.
More at the dreddit