Random the Book

Random the Book: Matt Ballantine and Nick Drage's experiment in serendipity and chance.


Can a gift shop gizmo save the internet?

Questions for you:

  • When have you dismissed a simple or “unprofessional” solution to a complex problem because it didn’t seem sophisticated enough, only to later realise it might have worked?
  • When have you suggested a simple or “unprofessional” solution to a complex problem, only for it to be rejected because it didn’t seem sophisticated enough, and – to this day – you’re still sure it would have worked?
  • What critical systems in your organisation rely on sources of randomness or unpredictability that you’ve never explicitly audited or questioned?
  • If someone proposed using a novelty item or consumer product to solve a serious technical challenge in your workplace, would you give it serious consideration or dismiss it out of hand? Why?

Questions for your organisation:

Cryptographic key generation audit: Review how your systems generate encryption keys, session tokens, and security credentials. Many organisations unknowingly use weak pseudo-random number generators that can be predicted. Verify that critical security functions use properly seeded and cryptographically secure random sources.
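One way to start such an audit on a Python code base, as an added example that is not part of the original page: walk the source with the `ast` module and flag any function whose name suggests a security purpose but that draws from the `random` module (Mersenne Twister, which is seedable and predictable) rather than `secrets`. The sample source, the `SENSITIVE_WORDS` name heuristic and the replacement function are all constructed for this illustration.

```python
import ast
import secrets

# Constructed sample source: one weak token generator and one acceptable one.
SAMPLE_SOURCE = '''
import random
import secrets

def make_session_token():
    return "".join(random.choice("abcdef0123456789") for _ in range(32))

def make_api_key():
    return secrets.token_hex(32)
'''

# Words hinting that a function's output is security-sensitive (a heuristic).
SENSITIVE_WORDS = ("token", "key", "secret", "password", "nonce", "salt", "session")


def audit_random_usage(source: str):
    """Return (function_name, line) for every call into the `random` module
    made inside a function whose name hints at a security purpose."""
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        if not any(w in func.name.lower() for w in SENSITIVE_WORDS):
            continue
        for node in ast.walk(func):
            if (isinstance(node, ast.Call)
                    and isinstance(node.func, ast.Attribute)
                    and isinstance(node.func.value, ast.Name)
                    and node.func.value.id == "random"):
                findings.append((func.name, node.lineno))
    return findings


def make_session_token(nbytes: int = 32) -> str:
    """Replacement that draws from the OS CSPRNG instead of Mersenne Twister."""
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    for name, line in audit_random_usage(SAMPLE_SOURCE):
        print(f"{name}: line {line} draws from the `random` module")
    print("secure token:", make_session_token())
```

The name heuristic only narrows the review; every hit still needs a human to confirm whether the value actually protects anything.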

Password and authentication policy: Eliminate human password creation where possible. Users generate predictable patterns even when trying to be random. Implement generated passwords or passkeys that use sources of true randomness. For systems requiring human-memorable passwords, provide random word combinations rather than letting users invent their own.
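A generated-passphrase helper as an added example (not from the original page): words are drawn with `secrets.choice`, and the entropy is accounted for explicitly, since a uniformly chosen word from a list of N contributes log2(N) bits regardless of how memorable it looks. The sixteen-word list below is a constructed stand-in for a real list such as the EFF long list, which has 7776 words and so gives about 12.9 bits per word.

```python
import math
import secrets

# Constructed miniature word list; a deployment would use a large public list.
WORDS = ["anchor", "basil", "cobalt", "dune", "ember", "falcon", "granite",
         "harbor", "iris", "juniper", "kestrel", "lantern", "marble", "nimbus",
         "orchid", "pepper"]


def passphrase_bits(num_words: int, wordlist_size: int) -> float:
    """Entropy of a uniformly chosen passphrase: each word adds log2(N) bits."""
    return num_words * math.log2(wordlist_size)


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest word count whose uniform-choice entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(num_words: int = 6, words=WORDS, sep: str = "-") -> str:
    """Pick words with secrets.choice (OS CSPRNG), never the `random` module."""
    return sep.join(secrets.choice(words) for _ in range(num_words))


if __name__ == "__main__":
    phrase = generate_passphrase()
    print(phrase, f"({passphrase_bits(6, len(WORDS)):.1f} bits from a "
                  f"{len(WORDS)}-word list)")
    print("words for 80 bits from a 7776-word list:", words_needed(80, 7776))
```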

Physical security and unpredictability: Introduce genuine randomness into security protocols that currently follow predictable patterns. Random inspection schedules are more effective than regular ones. Variable responses can hamper adversaries from learning a system’s behaviour. Unpredictable audit timing catches problems that regular schedules miss.

Entropy source diversity: Don’t rely on a single source of randomness for critical systems. Like Cloudflare combining lava lamps with other entropy sources, implement “defence in depth” by mixing multiple independent random sources. Hardware random number generators, environmental noise, timing variations, and physical processes each have different failure modes.
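The mixing step described above, as an added example that is not part of the original page: several independent samples are hashed together with per-source labels and length prefixes, so that the output is unpredictable as long as at least one input is, and a source that has visibly failed is excluded before mixing. The sources, the stuck-source heuristic and the 'camera frame' bytes are all constructed stand-ins, not Cloudflare's implementation.

```python
import hashlib
import os
import struct
import time


def mix_entropy(sources: dict) -> bytes:
    """Hash independent samples into one 32-byte seed. Labels and length
    prefixes keep sources from running together; SHA-256 means a predictable
    (or even adversarial) input cannot cancel out an unpredictable one."""
    h = hashlib.sha256()
    for label, sample in sorted(sources.items()):
        h.update(struct.pack(">H", len(label)) + label.encode())
        h.update(struct.pack(">I", len(sample)) + sample)
    return h.digest()


def looks_stuck(sample: bytes, max_run: int = 32) -> bool:
    """Constructed health check: a long run of one byte value suggests a
    failed or disconnected source (simpler than the SP 800-90B tests)."""
    run, prev = 0, None
    for b in sample:
        run = run + 1 if b == prev else 1
        prev = b
        if run >= max_run:
            return True
    return False


def sample_sources() -> dict:
    """Constructed samples: kernel pool, a fake camera frame, timing jitter,
    and a deliberately stuck 'lamp' source to show exclusion."""
    return {
        "kernel": os.urandom(32),
        "camera": bytes((i * 37) % 256 for i in range(64)),  # pixel stand-in
        "timing": struct.pack(">Q", time.perf_counter_ns()),
        "lamp": b"\xff" * 64,
    }


def select_healthy(sources: dict) -> dict:
    return {k: v for k, v in sources.items() if not looks_stuck(v)}


def gather_seed() -> bytes:
    healthy = select_healthy(sample_sources())
    if not healthy:
        raise RuntimeError("no healthy entropy source available")
    return mix_entropy(healthy)
```

The constant 'lamp' source is dropped before mixing, and the remaining sources still produce a fresh seed on every call because the kernel pool alone is unpredictable.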

Further reading

Cryptography and random number generation

Cryptography Engineering by Niels Ferguson, Bruce Schneier, and Tadayoshi Kohno – comprehensive guide to implementing cryptographic systems correctly, with extensive coverage of why random number generation is the foundation of all security and how most implementations get it wrong.

“Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices” by Heninger et al. – research paper revealing that many internet-connected devices generated predictable encryption keys due to insufficient entropy at boot time, allowing researchers to factor their public keys and decrypt supposedly secure communications.

The Code Book by Simon Singh – accessible history of cryptography from ancient ciphers to modern encryption, explaining how security fundamentally depends on keys that adversaries cannot predict or reproduce.

Randomness in computer systems

“Analysis of the Linux Random Number Generator” by Gutterman, Pinkas, and Reinman – technical examination of how operating systems attempt to gather environmental randomness, revealing the difficulty of collecting sufficient entropy and the consequences when systems fail to do so.

Random Number Generation and Monte Carlo Methods by James E. Gentle – rigorous treatment of random number generation algorithms, distinguishing between pseudo-random sequences (deterministic but statistically random-looking) and true random sources from physical processes.

“Randomness and the Netscape Browser” by Ian Goldberg and David Wagner – classic paper demonstrating how Netscape’s SSL implementation used a weak random number generator, allowing researchers to predict “random” keys and break supposedly secure connections.

Physical sources of randomness

LavaRand – explanation of Cloudflare’s lava lamp wall and why physical randomness sources provide security advantages over purely algorithmic approaches.

“A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications” (NIST Special Publication 800-22) – official testing methodology for evaluating whether number generators produce genuinely random output, used to certify cryptographic systems.

The Drunkard’s Walk by Leonard Mlodinow – explores randomness in various contexts including why computers struggle to generate truly random numbers and why physical processes provide better entropy sources than algorithms.

Interactive exhibit

Got a Lava Lamp? Point this app at it to generate random numbers from the entropy of what your device’s camera sees (it works on anything, not just lava lamps).

About the image

A cheap lava lamp found on the internet.

Photo montage by Matt Ballantine, 2026