Comment What random actually means... (Score 1) 224
TL;DR: The selection process is random enough for its purpose, the type of attack proposed would already require access to the data which could be manipulated anyway, and this story is bunk.
When someone says that something is "random" what they really mean is that, given a finite number of possible valid values "N", that every attempt to predict that value will result in the correct value only 1/N times over an essentially infinite period of time.
Nominally, random numbers are generated through a true random seed that comes from sources such as radioactive decay, cosmic background radiation, ring oscillator or other effectively chaotic process. This is fed into a pseudorandom number generator which is a giant shift register with specified taps to generate what are nominally random numbers.
Are the implementations screwed up? Sure they are. Can they be influenced deterministically? Of course. Can this be done usefully? Not really given the value of the targets involved and the amount of infiltration required to get there. I emphasize this last point because these professors are indicating that someone could influence the random number generator. Well guess what guys? You would need access to the computer running the spreadsheet anyway, which means you could already do whatever you want to rearrange the results. Why would they waste their time influencing the RNG deterministically?
This story is muckraking bunk by people who again don't really want people to understand security as much as they want to stamp a name for themselves. I'd be much more concerned that this is being handled in a spreadsheet rather than in an air-gapped database infrastructure.
Nominally, random numbers are generated through a true random seed that comes from sources such as radioactive decay, cosmic background radiation, ring oscillator or other effectively chaotic process. This is fed into a pseudorandom number generator which is a giant shift register with specified taps to generate what are nominally random numbers.
Are the implementations screwed up? Sure they are. Can they be influenced deterministically? Of course. Can this be done usefully? Not really given the value of the targets involved and the amount of infiltration required to get there. I emphasize this last point because these professors are indicating that someone could influence the random number generator. Well guess what guys? You would need access to the computer running the spreadsheet anyway, which means you could already do whatever you want to rearrange the results. Why would they waste their time influencing the RNG deterministically?
This story is muckraking bunk by people who again don't really want people to understand security as much as they want to stamp a name for themselves. I'd be much more concerned that this is being handled in a spreadsheet rather than in an air-gapped database infrastructure.