[Python-ideas] Should our default random number generator be secure?

Stephen J. Turnbull stephen at xemacs.org
Mon Sep 14 10:30:47 CEST 2015


Tim Peters writes:

 > > "doing crypto" (== security) is like "speaking prose": a lot of folks
 > > doing it don't realize that's what they're doing -- and they don't
 > > care, either.
 > 
 > I don't know that it's true, though.  Crypto wonks are like lawyers
 > that way, always worrying about the worst possible case "in
 > theory".

Well, my worst possible case "in theory" was that a documented MTA
parameter would simply not be implemented and not error when I
configured it to a non-default value -- but that's how yours truly
ended up running an open relay (Smail 3.1.100 I think it was, and I
got it from Debian so it wasn't like I was using alpha code).  That's
what taught me to do functional tests. :-)

So yes, I do think there are a lot of folks out there working with
software without realizing that there are any risks involved.  Life
being life, I'd bet on some of them being programmers working with RNGs.

 > In my personal life, I've had to tell lawyers "enough already - I'm
 > not paying another N thousand dollars to insert another page about
 > what happens in case of nuclear war".

But see, that's my main point.  Analogies to *anybody's* personal life
are irrelevant when we're talking about a bug that could be fixed
*once* and save *millions* of users from being exploited.  If the
wonks are right, it's a big deal, big enough to balance the low
probability of them being right. ;-)

 > The best social engineering is for a bot to rummage through your
 > email address book and send copies of itself to people you know,
 > appearing to be a thoroughly legitimate email from you.  Add a
 > teaser to invite the recipient to click on the attachment, and
 > response rate can be terrific.

Sure, but that's not what happened at AOL and Yahoo! AFAIK (of course
they're pretty cagey about details).  It seems that a single leak or a
small number of leaks at each company exposed millions of address
books.  (I hasten to add that I doubt the Mersenne Twister had
anything to do with the leaks.)

 > What I question is whether this has anything _plausible_ to do with
 > Python's PRNG.

Me too.  People who claim some expertise think so, though.

 > Would the user _really_ be better off using .urandom()?  I don't know.
 > Since a crypto wonk will rarely recommend doing anything _other_ than
 > using urandom() directly, I bet they'd discourage using .choice() at
 > all,

That's not unfair, but if they did, I'd go find myself another crypto
wonk.  But who cares about me?  What matters is that Guido would, too.

 > Judging [the random module] by standards that didn't become trendy
 > until much later is only fair now ;-)

You're not the only one who, when offered a choice between fair and
fun, chooses the latter. ;-)

 > We can even give it a name shorter than "random" to encourage its
 > use.  That's all most users really care about anyway ;-)

That's beyond "unfair"!
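The thread argues about whether predictability of the default Mersenne Twister generator is a _plausible_ risk, and whether users would be better off going to `os.urandom()` (or `random.SystemRandom` / `secrets`, which wrap it). The example below is added here and is not code from this thread or from CPython; it makes the "crypto wonk" worry concrete by recovering MT19937 state from observed output and predicting what the generator emits next. The MT19937 constants and tempering steps are the published generator parameters. The scenario is constructed: it assumes an application that hands out full 32-bit values from `getrandbits(32)` (as `random.choice()` draws only as many bits as it needs, an attacker watching `choice()` results has more work to do, but the underlying state is the same).

```python
import random
import secrets

# MT19937 parameters (published constants of the generator, not assumptions).
N = 624
M = 397
MATRIX_A = 0x9908B0DF
UPPER_MASK = 0x80000000
LOWER_MASK = 0x7FFFFFFF
MASK32 = 0xFFFFFFFF


def temper(y):
    """The output tempering MT19937 applies to each state word."""
    y ^= y >> 11
    y ^= (y << 7) & 0x9D2C5680
    y ^= (y << 15) & 0xEFC60000
    y ^= y >> 18
    return y & MASK32


def _undo_right_xor(y, shift):
    # Invert y ^= y >> shift by fixed-point iteration: each pass recovers
    # `shift` more of the high bits, so 32 // shift + 1 passes suffice.
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ (x >> shift)
    return x


def _undo_left_xor(y, shift, mask):
    # Invert y ^= (y << shift) & mask the same way, from the low bits up.
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ ((x << shift) & mask)
    return x & MASK32


def untemper(y):
    """Recover the raw state word from one tempered 32-bit output."""
    y = _undo_right_xor(y, 18)
    y = _undo_left_xor(y, 15, 0xEFC60000)
    y = _undo_left_xor(y, 7, 0x9D2C5680)
    y = _undo_right_xor(y, 11)
    return y & MASK32


def predict_next(outputs, count):
    """Given >= 624 consecutive getrandbits(32) outputs, predict the next `count`.

    No alignment with the internal 624-word block is needed: written as one
    flat sequence, the MT19937 recurrence is
        s[n] = twist(s[n-624], s[n-623], s[n-227])
    so the untempered observations can be extended directly.
    """
    if len(outputs) < N:
        raise ValueError("need at least 624 consecutive 32-bit outputs")
    s = [untemper(o) for o in outputs[-N:]]
    predicted = []
    for _ in range(count):
        y = (s[-N] & UPPER_MASK) | (s[-N + 1] & LOWER_MASK)
        nxt = s[-N + M] ^ (y >> 1) ^ (MATRIX_A if y & 1 else 0)
        s.append(nxt)
        predicted.append(temper(nxt))
    return predicted


def demo(seed=1234, skip=100):
    """Constructed scenario: an app leaks 32-bit IDs drawn from the default
    (Mersenne Twister) generator; the attacker joins mid-stream, watches 624
    of them, and predicts the next ten.  Returns True if prediction succeeds."""
    rng = random.Random(seed)
    for _ in range(skip):
        rng.getrandbits(32)
    observed = [rng.getrandbits(32) for _ in range(N)]
    actual_next = [rng.getrandbits(32) for _ in range(10)]
    return predict_next(observed, 10) == actual_next


def secure_token(nbytes=16):
    # The alternative the thread discusses: draw from the OS CSPRNG (the
    # `secrets` module reads the same source as os.urandom()).  There is no
    # recoverable internal state, so observing outputs gives no prediction.
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    print("MT19937 state recovered, next outputs predicted:", demo())
    print("CSPRNG token (unpredictable from past tokens):", secure_token())
```

The point for the thread is the gap between the two calls at the bottom: `demo()` needs no secret, no seed, and no alignment with Python's internal state index, only 624 observed words, whereas nothing comparable exists for the `secrets`-based token.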
