Myths about /dev/urandom (2014)
signa11
86 points
45 comments
May 14, 2026
Related Discussions
Found 5 related stories in 72.7ms across 8,303 title embeddings via pgvector HNSW
- Replace IBM Quantum back end with /dev/urandom pigeons · 97 pts · April 25, 2026 · 60% similar
- Debunking Zswap and Zram Myths javierhonduco · 186 pts · March 24, 2026 · 43% similar
- FreeBSD CVE-2026-4747 Log Suggests Mythos Is a Marketing Trick jgalt212 · 13 pts · April 21, 2026 · 43% similar
- UCI LISP: Random Notes (1975) jruohonen · 20 pts · May 10, 2026 · 42% similar
- Has Mythos just broken the deal that kept the internet safe? jnord · 37 pts · April 10, 2026 · 42% similar
Discussion Highlights (9 comments)
xiphmont
Half the entropy is trying to figure out which pieces of this article's text are supposed to be the silly falsehoods being corrected, and which pieces are just the second or third paragraph of a preceding 'Fact'. Deadpool is easier to follow.
sph
This is a good place as any to ask, last time I didn't get any answer: has there ever been a serious Linux exploit from manipulating/predicting bad PRNG? Apart from the Debian SSH key generation fiasco from years ago, of course. Having a good entropy source makes mathematical sense, and you want something a bit more "random" than a dice roll, but I wonder at which point it becomes security theatre. Of all the possible avenues for exploiting a modern OS might have, I figure kernel PRNG prediction to be very, very far down the list of things to try.
throw0101c
Original discussion from 2014: * https://news.ycombinator.com/item?id=7359992 Also: 2020: https://news.ycombinator.com/item?id=22683627 2018: https://news.ycombinator.com/item?id=17779657 2017: https://news.ycombinator.com/item?id=13332741 2015: https://news.ycombinator.com/item?id=10149019
iamtedd
That was hard to tell where the additional commentary on the fact ended and the next myth started.
iamtedd
Twelve years later, if there's still so much misconception about /dev/(u)random, has the man page been fixed? Edit: can't count.
chaboud
I woke up around 4am, read this, and wondered if I was still in a dream state given the meandering nature of it. Were the man page musings written in response to the (alleged, but... uh... NSA) kleptographic backdoor in Dual_EC_DRBG? It requires multiple successive outputs to compromise and derive internal PRNG state, if memory serves. In that one construction, /dev/random blocking on seeding would have a mild state-hiding advantage over /dev/urandom, I imagine... but, sheesh. Nobody use that generator.
jonhohle
Back in the dinosaur days (around 2005) I was working on a PHP CMS used by a big registrar. Occasionally page loads would block for seconds. It appeared randomly (natch) and was relatively unreproducible. I couldn’t find any good way to debug it and a friend suggested GDB. I had never thought of using such a low level debugger on a scripting language, but what choice did I have? Fired it up, found a blocked process and sure enough it was blocked on reads to /dev/random. I leaned two things that day: the decision to make and keep /dev/random blocking was dumb and GDB (or lldb, or valgrind, etc.) is useful for debugging just about anything.
xenadu02
Cryptographically secure random number generators are equivalent to encryption itself. If you could predict anything about the plain text by analysis of the cipher text the algorithm is compromised/broken and useless. That's the whole point! Saying that /dev/random has "exhausted entropy" is as useful as saying "the fleep didn't florp the gorpobittin!". Completely useless words strung together without any meaning. A CSPRNG is just an algorithm that uses some entropy as a key and feeds back on itself to generate a stream of random bytes. It is a way of expanding a small bit of entropy into a much larger sequence of random values. From that you can derive the underlying objection here: estimating entropy, blocking /dev/random, and all the other noise is equivalent to saying "cryptography doesn't work". It is both wrong and pointless. The only place it matters is at boot when there is no hardware source of randomness _which excludes pretty much all PCs which have hardware generators_. You need a true random key to start the CSPRNG but that's it. If you don't have a hardware unit you use time of arrival of the next network packet. Or the frequency of keystrokes on the keyboard. Now you might ask: why bother seeing the entropy pool at all? The answer is Perfect Forward Secrecy. By mixing in new randomness you are effectively slowly swapping out the key used for the encrypted stream. Thus even if someone is able to compromise something based on guessing the random number sequence your CSPRNG generated their guesses will get more and more wrong as new entropy enters the pool eventually becoming useless. This is a defense-in-depth policy though, not a practical attack mechanism. On linux it is unfortunate that /dev/urandom has the property of silently vending non-random bytes on hardware without an RNG just after boot and that /dev/random was designed to block when the magical fairies say so but of the two failure modes /dev/urandom is the least bad because practically most hardware (even embedded hardware these days) simply can't encounter its failure mode.
krackers
There's a talk by Filippo that explains this nicely https://www.youtube.com/watch?v=0DV8WnqhH2Y