
It is security theater and a marketing stunt. Why not just use a hardware-backed random number generator?

For example this has passed NIST SP800-22 and SP800-90B [1].

As far as I can tell, Cloudflare's DIY lamps/pendulums are not NIST certified.

[1] https://www.idquantique.com/random-number-generation/product...



I think the term "theatre" implies "is meant to achieve X but fails to", rather than "achieves X in a slightly flamboyant manner".

Like all the COVID-prevention theatre: sitting in restaurants and only masking when you visit the toilet. Hand-washing often whilst in unventilated areas with no masks. That's all "COVID theatre" IMO, as it fails to actually prevent the thing ostensibly being tackled.

My favourite one FWIW was wiping down the seat padding in the gym where nobody was masked - I mean who came up with that??

A creative hardware source of legit randomness is not the same as security theatre, and arguably has some useful educational aspect - it's certainly a talking point!


> wiping down the seat padding in the gym

COVID aside, isn't wiping down gym equipment after use just good sanitary practice? I don't want to slide in on someone else's greasy residue.


An NIST certification is a requirement for being secure? Like an RNG with Dual_EC_DRBG - which you could get a certification for.

Some would claim that CMVP, FIPS 140-3, Common Criteria stickers on a black box (HSM) is security theater.


> Why not just use a hardware-backed random number generator?

They do, don't they? I think the Lavalamps, etc, are just _extra_ entropy. The more entropy you add (even if it's _not_ a certified or perfect random source) only improves the random number generator.


until the fuse for the wall socket blows from having 40 lava lamps plugged in and they all return the same result :D

jk.
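
The point raised in the two comments above (extra sources mixed in alongside a hardware RNG, and every lamp returning the same result), as an added example that is not from the thread or from Cloudflare. It assumes the sources are independent and combined with SHA-256, uses `os.urandom` as a stand-in for the hardware RNG, and a constructed all-zero frame as the failed camera input; `mix`, `STUCK_FRAME`, `seeds_with_hw_rng` and `seeds_camera_only` are hypothetical names.

```python
import hashlib
import os


def mix(*sources: bytes) -> bytes:
    """Derive a 32-byte seed from several entropy inputs.

    Each input is length-prefixed so that ("ab", "c") and ("a", "bc")
    cannot collapse into the same hash input.
    """
    h = hashlib.sha256()
    for s in sources:
        h.update(len(s).to_bytes(8, "big"))
        h.update(s)
    return h.digest()


# Constructed sample: a camera frame from a lamp wall that lost power,
# so every capture is the same all-black image (assumption for this example).
STUCK_FRAME = bytes(1024)


def seeds_with_hw_rng(n: int) -> list:
    """Seeds from the OS CSPRNG (stand-in for a hardware RNG) plus the stuck camera."""
    return [mix(os.urandom(32), STUCK_FRAME) for _ in range(n)]


def seeds_camera_only(n: int) -> list:
    """Seeds from the stuck camera alone: the failure mode joked about above."""
    return [mix(STUCK_FRAME) for _ in range(n)]


if __name__ == "__main__":
    # The failed extra source adds nothing, but it does not weaken the seeds
    # that also include the primary source.
    print(len(set(seeds_with_hw_rng(5))), "distinct seeds: hardware RNG + stuck camera")
    # A design that relied on the camera alone would repeat its seed.
    print(len(set(seeds_camera_only(5))), "distinct seed: stuck camera alone")
```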


> As far as I can tell, Cloudflare's DIY lamps/pendulums are not NIST certified.

That makes them by definition worse than the OpenSSL version that leaked user keys on request. /s



