# [Python-ideas] Python's Source of Randomness and the random.py module Redux

Paul Moore p.f.moore at gmail.com
Tue Sep 15 00:39:25 CEST 2015

```(The rest of your emails, I'm going to read fully and digest before
responding. Might take a day or so.)

On 14 September 2015 at 21:36, Donald Stufft <donald at stufft.io> wrote:
> I think maybe a problem here is a difference in how we look at the data. It
> seems that you might focus on the probability of you personally (or the things
> you work on) getting attacked and thus benefiting from these changes, whereas
> I, and I suspect the others like me, think about the probability of *anyone*
> being attacked.

This may be true, in some sense. But I'm not willing to accept that
you are thinking about everyone, but I'm somehow selfishly only
thinking of myself. If that's what you were implying, then frankly
it's a pretty offensive way of disregarding my viewpoint. Knowing you,
I'm sure that's *not* how you meant it - but do you see how easy it is
for the way you word something to make it nearly impossible for me to
see past your wording to get to the actual meaning of what you're
trying to say? I didn't even consciously notice the implication
myself, at first. I simply started writing a pretty argumentative
rebuttal, because I felt that somehow I needed to correct what you
said, but I couldn't quite say why.

Looking at the reality of what I focus on, I'd say it's more like
this. I mistrust arguments that work on the basis that "someone,
somewhere, might do X bad thing, therefore we must all pay cost Y".
The reasons are complex (and I don't know that I fully understand all
of my thought processes here) but some aspects that immediately strike
me are:

* The probability of X isn't really quantified. I may win the lottery,
but I don't quit my job - the probability is low. The probability of X
matters.
* My experience of the probability of X happening varies wildly from
that of whoever's making the point. Who is right? Why must one of us
"win" and be right? Can't it simply be that my data implies that over
the full data set, the actual probability of X is lower than you
thought?
* The people paying cost Y are not the cause of, nor are they impacted
by, X (except in an abstract "we all suffer if bad things happen"
sense). I believe in the general principle of "you pay for what you
use", so to me you're arguing for the wrong people to be made to pay.

Hopefully, those are relatively objective measures. More subjectively,

* It's way too easy to say "if X happens once, we have a problem". If
you take the stance that we have to prevent X from *ever* happening,
you allow yourself the freedom to argue with vague phrases like
"might", while leaving the burden of absolute proofs on me. (In the
context of RNG proposals, this is where arguments like "let's
implement a secure secret library" get dismissed - they still leave
open the possibility of *someone* using an inappropriate RNG, so "they
don't solve the issue" - even if they reduce the chance of that
happening by a certain amount - and neither you nor I can put a figure
on how much, so let's not try).
* There's little evidence that I can see of preventative security
measures having improved things. Maybe this is because it's an "arms
race" situation, and keeping up is all we can hope for. Maybe it's
because it's hard to demonstrate a lack of evidence, so the demand for
evidence is unreasonable. I don't know.
* For many years I ran my PC with no anti-virus software. I never got
a virus. Does that prove anything? Probably not. The anti-virus
software on my work PC is the source of *far* more issues than I have
ever seen caused by a virus. Does *that* prove anything? Again,
probably not. But my experience with at least *that* class of pressure
to implement security is that the cure is worse than the disease.
Where does that leave the burden of proof? Again, I don't know, but my
experience should at least be considered as relevant data.
* Everyone I have ever encountered in a work context (as opposed to in
open-source communities) seems to me to be in a similar situation to
mine. I believe I'm speaking for them, but because it's a
closed-source in house environment, I've got no public data to back my

And totally subjective,

* I'm extremely tired of the relentless pressure of "we need to do X,
because security". While the various examples of X may all have ended
up being essentially of no disadvantage to me, feeling obliged to
read, understand, and comment on the arguments presented every time,
gets pretty wearing.
* I can't think of a single occasion where we *don't* do X. That may
well be confirmation bias, but again subjectively, it feels like
nobody's listening to the objections. I get that the original
proposals get modified, but if never once has the result been "you're
right, the cost is too high, we'll not do X" then that puts
security-related proposals in a pretty unique position.

Finally, in relation to that last point, and one thing I think is a
key difference in our thinking. I do *not* believe that security
proposals (as opposed to security bug fixes) are different from any
other type of proposal. I believe that they should be subject to all
the same criteria for acceptance that anything else is. I suspect that
you don't agree with that stance, and believe that security proposals
should be held to different standards (e.g., a demonstrated
*probability* of benefit is sufficient, rather than evidence of actual
benefit being needed). But please speak for yourself on this - I'm not
trying to put words into your mouth, it's just my impression.

All of which is completely unrelated to either the default RNG for the
Python stdlib, or whether I understand and/or accept the security
arguments presented here (for clarity, I believe I understand them, I
just don't accept them).

Paul
```