The following article was on RISKS Digest. Obviously it's not usable for cryptographic randomness, since you can't trust the path to be safe from eavesdroppers (even if you're using SSL/RC4-128, can you trust the far end? or from denial of service attacks (so be careful about wiring it in), but sometimes you just want a good-quality random number to seed things, such as a simulation program, and it might not be a bad thing to hash in to your entropy pool with locally-derived sources. ------------------------------ Date: Mon, 10 Mar 1997 13:10:36 -0800 From: dwing@Cisco.COM (Dan Wing) Subject: Hot and cold running randomness TBTF's 9 Mar 1997 issue carried this item: #..Hot and cold running randomness # # Perhaps for the first time, anyone with an Internet connection can # tap a source of true randomness. The creator of HotBits [16], John # Walker <kelvin@fourmilab.ch>, describes it as # # > an Internet resource that brings genuine random numbers, # > generated by a process fundamentally governed by the inherent # > uncertainty in the quantum mechanical laws of nature, directly # > to your computer... HotBits are generated by timing successive # > pairs of radioactive decays... You order up your serving of # > HotBits by filling out a [Web] request form... the HotBits # > server flashes the random bytes back to you over the Web. # # Walker modified an off-the-shelf radiation detector to interface to # a PC-compatible serial port, and ran a cable three floors down from # his office to a converted 70,000-litre subterranean water cistern # with metre-thick concrete walls, where the detector nestles with a # 60-microcurie Krypton-85 radiation source. # # If you're in the mood for an anti-Microsoft rant of uncommon eloquence, # Walker can supply that too [17]. # # Thanks to Keith Bostic <bostic@bostic.com> for the word on this # delightful service. # # [16] <URL:http://www.fourmilab.ch/hotbits/> # [17] <URL:http://www.fourmilab.ch/hotbits/source/hotbits-c.html> An interesting idea, but hopefully no will use it -- it is too easily spoofed via DNS, and the host itself could be hacked to return the same 'random' number all the time. (Maybe after we have IPsec, SecDNS, _and_ you trust the host we could use services like this on the Internet). Dan Wing dwing@cisco.com ------------------------------ # Thanks; Bill # Bill Stewart, +1-415-442-2215 stewarts@ix.netcom.com # You can get PGP outside the US at ftp.ox.ac.uk/pub/crypto/pgp # (If this is a mailing list, please Cc: me on replies. Thanks.)