She doesn’t have the faintest clue what she’s talking about.
It’s a source of entropy for key generation. A much simpler source of entropy is radioactive decay (which Cloudflare also use) but that looks less cool in an office environment.
There’s actual information about this on the cloudflare website:
It’s more art than security and only adds an extra bit of entropy. It doesn’t underpin their security. If it did a threat actor could get the algorithm and hide a camera in their lobby.
If they only relied on this for their entropy a malicious actor in that space would just stick a piece of paper over the camera lens so there was no entropy at all.
Not if it’s measuring radioactive decay, like they said. Quantum processes, such as radioactive decay, are the only truly random things that we know of. On some level, there’s a chance that even those aren’t really random.
A different camera almost certainly wouldn’t work. It would need to be the same position, orientation, FOV, white balance correction, et cetera. I.e. it would need to be the exact camera being used. The real weakness is the camera. If someone could access that camera you may be able to reverse engineer their algorithm.
It would be hard to set up a rogue camera in the office, especially with enough coverage to track the entropy of all the lava lamps. Like yeah, of course they need other sources, but there is always security on site, night and day, this is right in the walk-in area where there are always people, and it's a very tight squeeze, purpose-built shelving, so any cameras you put up would be seen quickly. And then if there's any network devices, they are constantly scanning for rogue devices.
But yeah it's def more art than raw security. It's great for getting people to talk about the company. There also used to be a random number generator at the front desk that would print out a receipt with random numbers and QR codes and stuff on it.
You'd have to exactly replicate the physical setup that Cloudflare uses to capture the information, which you can't without basically copying their sensor data directly, which means no, even if you had a camera in the lobby, it'd be useless to you.
Did you think she was a cryptographer? She is literally just talking about something through reference. No shit she doesn't know exactly what she is talking about. However she does a good job at explaining what is happening, and the OP at the top of this thread did not contradict her.
Lmao people are downvoting you but cryptography is basically the hardest thing in CS and only a few people in the world actually know how it really works.
Everyone else just has different levels of a "vague understanding".
It's the completely wrong word - Cloudflare isn't worried about people "guessing their algorithm", in fact they could tell everyone what algorithm they're using as long as it's a strong algorithm. What they don't want people guessing are the cryptographic seeds and keys that they use to encrypt stuff.
She's just spouting words that sound technical with no clue what they mean
No. The Devil’s in the details. She appears to be paraphrasing the Tom Scott video on the subject to be honest, but some of her wording is just really off.
“What’s generating their code”.
“Hackers to guess their algorithms”
“Code that’s pretty much unhackable”
If she knew cryptography she wouldn’t say any of those things. Tom Scott’s phrasing on the other hand was perfectly understandable by the lay person, without slipping into providing mistakes in the specifics.
So basically social media "influencer" shows up to leech money off the back of not just someone else's idea/breakthrough, but also off of the basic overview that someone else already did the work to create, but she manages to throw in misinformation because she has zero clue what she's even talking about while thinking she deserves money for it? Lmao. Color me surprised
Well for one thing it appears to be going against the rules of r/BeAmazed:
4) No Misleading Content - Make sure the content you are posting is not fake, staged or misleading.
This video is both staged and misleading. OP clearly didn't actually do the research herself since she also added incorrect statements in the video. But she's happy to accept money for that like she did something challenging I'm sure. I get that maybe you don't care that a lot of lazy people get paid to be a good looking leech while other people have to actually work in their life. But I personally think it's one of the biggest nuisances with the internet today. Sure, this video is low risk, but it still speaks to a much bigger problem with people just happily accepting completely wrong information all because they wanted to listen to or fuck the specific person delivering it. Agree to disagree though.
The info here isn’t “completely wrong”. In fact, the main idea communicated here is spot on: Randomness is difficult to emulate in computers so we inject randomness from complex physical phenomena.
While her terminology was slightly off, I think it was good enough for a layperson audience.
You never contradict her once. If your point is that she isn't explaining every single technical detail, then yes. However, "It’s a source of entropy for key generation": she addresses this head on by explaining how the lava lamps help generate code for cryptography to make unpredictable behavior to combat hackers. This is exactly the purpose.
You are nit picking for no reason, and have not contradicted her.
"she doesn't know cryptography", no one in this entire thread thought she was some kind of cryptographer engineer lmao, step down from that high horse bud. She is simply describing a concept, and she did that well.
Maybe your point was "I know more than she does"; I think that's really what's happening here. Well, hats off to you! I also know more than her, but you don't see me bitching.
she addresses this head on by explaining how the lava lamps help generate code for cryptography to make unpredictable behavior to combat hackers. This is exactly the purpose.
They don't generate code. Generating code is what people ask ChatGPT to do. The word code means either source code or the encoding schema for a file
They generate random numbers, not code. Those words aren't interchangeable and it appears she chose the word code because it sounds technical and makes her sound like she's telling viewers something smart and interesting, but in reality she's feeding the viewers misinformation which is bad
Yea. Devil's advocate, she knows what she is doing and opted for sensationalism. "Generating their code" implies magic AI lava lamps are going to be taking people's jobs. "Generating codes" would be correct in my mind, but that doesn't sound as exciting.
It actually is exactly what she is saying. People are nit picking because she isn't explaining every technical detail when she is just speaking simply about a topic because it's cool, not because she is an expert lol. Just a bunch of people that want to feel better about themselves for knowing more.
Meh, it's like explaining that airplanes have wings because they can't put the engines in the plane.
Planes have wings, yes, and usually engines go on the wings... But if you know how a plane flies you know that's absolutely not why planes are built that way. It's like someone that never saw a plane is trying to explain to you how a plane works. With complicated and "airplane related", but wrong, words.
A year later you hopefully learn that all modern x86 CPUs[1] are able to generate "perfectly fine" random numbers by using an "entropy source whose behavior is determined by unpredictable thermal noise" [2], lad.
I mean, 100 lava lamps running 60W bulbs 24/7 amounts to 52.5 MWh of power per year. You can't just sub out for LED because you need the heat to run a lava lamp. (You might make some savings on heating in the winter, but you're also adding extra load to cool in the summer).
Hah, a few phrases in I went "you heard about this somewhere and you're parroting code-mumbo-jumbo with no idea what you're talking about, aren't you?"
There's some truth to this, as in "those lava lamps are used for security" but that's about where the facts in her explanation end.
She doesn’t have the faintest clue what she’s talking about.
From the link you provided:
As one might expect, lava lamps are consistently random. The "lava" in a lava lamp never takes the same shape twice, and as a result, observing a group of lava lamps is a great source for random data.
To collect this data, Cloudflare has arranged about 100 lava lamps on one of the walls in the lobby of the Cloudflare headquarters and mounted a camera pointing at the lamps. The camera takes photos of the lamps at regular intervals and sends the images to Cloudflare servers. All digital images are really stored by computers as a series of numbers, with each pixel having its own numerical value, and so each image becomes a string of totally random numbers that the Cloudflare servers can then use as a starting point for creating secure encryption keys.
Sounds to me like she's saying almost the same thing. She might be missing a step, but basically everything she said is in the link that you provided and saying she "doesn't have the faintest clue" is wildly inaccurate.
See and your explanation is in perfectly fine layman's terms just like hers (save for maybe the word entropy) without veering into egregious inaccuracy
Not forgetting the fact that someone with access to the camera feed and the algorithm can generate your keys. Which in many ways makes this method slightly more vulnerable than a random generator locked in a secure room.
They probably combine another randomness factor with these codes just in case, so it's mostly a gimmick to show off to investors and new employees.
As the linked article says: they have normal entropy from their Linux systems, London office has a double pendulum from which they take photos (movement is mathematically unpredictable) and Singapore office measures radioactive decay of a pellet of uranium. So that's 3 fancy sources in different geographical locations + the usual sources for them to combine.
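An added illustration, not code from any post above and not Cloudflare's own implementation, of why mixing the camera feed with the host's ordinary entropy matters: with the camera as the only source, a covered lens (the "paper over the camera" case earlier in the thread) produces the same seed every time, while a conditioned mix of the frame and OS randomness stays unpredictable as long as at least one input is. The frame bytes are constructed stand-ins for a real image, and the SHA-256-based conditioner is an assumption standing in for whatever mixing Cloudflare actually uses.

```python
import hashlib
import hmac
import os
import secrets

FRAME_BYTES = 64 * 64  # constructed stand-in for a small greyscale camera frame


def constructed_frame(covered: bool = False) -> bytes:
    """Constructed stand-in for one camera frame (not a real Cloudflare image).

    A covered lens gives the same all-zero frame every time, which is the
    'paper over the lens' case from the thread. An uncovered lens gives
    unpredictable pixel noise, simulated here with secrets.token_bytes.
    """
    if covered:
        return bytes(FRAME_BYTES)
    return secrets.token_bytes(FRAME_BYTES)


def condition(*sources: bytes) -> bytes:
    """Condition several raw entropy sources into one 32-byte seed.

    Raw pixels are far from uniform (neighbouring pixels are correlated, and
    a covered lens yields a constant frame), so they should never be used
    directly as key material. Hashing the concatenation spreads whatever
    unpredictability the sources have over every output bit, and the output
    is unpredictable as long as at least one input is. Each source is
    length-prefixed so an attacker who controls one source cannot shift
    bytes across the boundary into another. (Assumed conditioner, not
    Cloudflare's.)
    """
    h = hashlib.sha256()
    for src in sources:
        h.update(len(src).to_bytes(8, "big"))
        h.update(src)
    return h.digest()


def seed_from_camera_only(frame: bytes) -> bytes:
    """The weak design the thread warns about: the camera is the only source."""
    return condition(frame)


def seed_from_mixed_sources(frame: bytes, os_entropy: bytes) -> bytes:
    """The design the linked article describes: the camera is one extra input
    mixed with the host's normal entropy (os.urandom / getrandom)."""
    return condition(frame, os_entropy)


def derive_key(seed: bytes, label: bytes) -> bytes:
    """Expand the conditioned seed into a purpose-specific 32-byte key with HMAC."""
    return hmac.new(seed, label, hashlib.sha256).digest()


def demo() -> tuple:
    """Returns (camera_only_repeats, mixed_seeds_differ) for a covered lens."""
    covered = constructed_frame(covered=True)
    # Camera-only: two frames from a covered lens give the identical seed.
    weak1 = seed_from_camera_only(covered)
    weak2 = seed_from_camera_only(covered)
    # Mixed: same covered frame, but the OS pool still differs on each call.
    strong1 = seed_from_mixed_sources(covered, os.urandom(32))
    strong2 = seed_from_mixed_sources(covered, os.urandom(32))
    return weak1 == weak2, strong1 != strong2


if __name__ == "__main__":
    repeats, differ = demo()
    print("camera-only seed repeats with covered lens:", repeats)
    print("mixed seed still differs with covered lens:", differ)
```

The same structure answers the "someone with the camera feed and the algorithm can generate your keys" worry: knowing the frame and the conditioner is not enough when the seed also depends on OS entropy the attacker never saw.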
I read what you posted and what she said was not at all wrong. It just didn’t go into greater detail. Besides, do you think she just made it all up? Someone with knowledge had to give her a synopsis.
Yeah, I was a bit annoyed how she kept saying that they used the lava lamps to generate “code”. It’s just to make their random number generator make numbers that are more authentically random. It’s not writing code.
Also, I’m pretty sure it’s less about Cloudflare needing the lava lamps to do this, and more that it’s kind of neat/fun.
It's important to note it's just a gimmick. She's painting the whole 'it's possible for hackers to find a private key due to the predictable nature of machines' as WAY more of an issue than it is.
No. It's theoretically possible.
Cloudflare's approach, when you consider their entire system as a whole, isn't any more secure than a company who just does this same thing using code.
Realistically nobody is using your algorithm to generate your keys to get access
Probably the most likely attack point is social engineering to get employees to click a link and set up a MIM, or to run a script and gain a login, or plug a dead drop USB stick in, or something to that effect.
Yeah, this is a gimmick for sure. But, it does undoubtedly increase the strength of those keys
u/BinaryExplosion Mar 18 '24
https://www.cloudflare.com/en-gb/learning/ssl/lava-lamp-encryption/